gymnasium

Author: ultroni1

  • What is auto-labeling and why is it important?

    Auto-labeling policies automatically apply sensitivity labels to emails, documents, and other content across Microsoft 365. This process helps organizations protect sensitive data consistently without relying on users to manually classify every piece of content.

    There are two ways to automatically apply sensitivity labels in Microsoft 365:

    • Client-side labeling: Office apps recommend or automatically apply labels while users are working in Word, Excel, PowerPoint, or Outlook.
    • Service-side labeling: Labels are applied automatically to stored content in SharePoint, OneDrive, and Exchange, even if users don’t interact with the content.

    Let’s take a closer look at how both methods work and how to configure them in your environment.

    Auto-labeling in Office apps using client-side labeling

    Client-side auto-labeling allows Office apps to apply or recommend sensitivity labels based on the content users create or edit. This approach helps guide users to label content correctly while still allowing flexibility when appropriate.

  • Implement auto-labeling policies

    As the global consulting firm continues strengthening its data protection strategy, the next step is implementing auto-labeling policies. Automating sensitivity labeling helps manage sensitive information across SharePoint Online, OneDrive, and Exchange Online. It ensures consistent data protection across the firm’s digital platforms while reducing the need for manual labeling.

  • Create and configure sensitivity labels and label policies

    As the global consulting firm works to improve its data management practices, the next step is creating and publishing sensitivity labels. Sensitivity labels are critical for protecting sensitive information, meeting compliance requirements, and supporting secure collaboration across the organization.

    How sensitivity labels work

    Before you create and apply sensitivity labels with Microsoft Purview Information Protection, it’s important to understand the overall workflow:

    Diagram showing workflow for sensitivity labels.
    • Administrators create and publish sensitivity labels to users and groups through label policies.
    • End users apply sensitivity labels to classify emails, documents, and other content.
    • Applications and services enforce protections based on the labels applie

  • Tools to monitor sensitivity label usage

    Each tool provides a different lens for evaluating the use and effect of sensitivity labels:

    • Data and Content explorer: Real-time snapshot of content with sensitivity, retention, or classification tags.
    • Activity explorer: Timeline of label interactions and content usage based on audit data.
    • Reports dashboard: High-level trends, SIT distribution, and top label usage across the organization.

    View labeled content with Data explorer

    Data explorer offers a detailed snapshot of labeled and classified items across SharePoint, OneDrive, Exchange, and Teams. It helps administrators assess how sensitivity labels are applied and whether content is protected as intended. Note that new or updated items may take several days to appear.

    Use Data explorer to:

    • Identify the most frequently applied sensitivity labels
    • Review labeled content by location or classification type
    • Export data for auditing or analysis

  • Track and evaluate sensitivity label usage in Microsoft Purview

    As the global consulting firm continues to advance its data security strategy with Microsoft Purview Information Protection, attention turns to monitoring the effectiveness of implemented sensitivity labels. The firm uses a combination of tools within the Microsoft Purview portal to track how labels are applied and how users interact with protected content. These tools include Content ExplorerActivity Explorer, and the Information Protection reports dashboard.

  • Configure encryption with sensitivity labels

    As the global consulting firm continues strengthening its data protection efforts, they now focus on using encryption settings within sensitivity labels. This allows them to:

    • Control who can access sensitive content, even when it’s shared or stored outside the organization.
    • Define editing rights and expiration dates for highly confidential documents.
    • Protect Teams meetings, emails, and files without relying on manual encryption steps.

    Administrators can either assign permissions during label configuration or let users define access when applying labels, depending on the use case.

    How encryption works with sensitivity labels

    Sensitivity labels use the Azure Rights Management service (Azure RMS) to enforce encryption. This ensures that content stays protected through encryption, identity verification, and policy enforcement.

    Labels that apply to Teams meetings use a separate encryption method tailored to protect real-time audio and video streams.

    Prerequisites

    Before enabling encryption with sensitivity labels, ensure:

    • Azure Information Protection is activated in your tenant.
    • Network configurations and Microsoft Entra ID support encrypted content access.
    • Exchange is configured for Azure Information Protection to enable email and calendar invite encryption.

  • Application of sensitivity labels

    To apply sensitivity labels, users must sign in with their Microsoft 365 work or school account. These labels, part of Microsoft Purview, are designed to help organizations manage the sensitivity of their data consistently across the digital environment.

    Consider an Excel document named Financial Summary containing sensitive fiscal data intended for internal review. Applying the Confidential sensitivity label encrypts the document and sets access permissions for specific employees, protecting sensitive financial information even outside the organization’s immediate digital boundaries.

    Sensitivity label on the Excel ribbon and status bar.

    Understand sensitivity labels

    What sensitivity labels are

    Sensitivity labels are like customizable stamps for your organization’s content. They are:

    • Customizable: Tailored to your organization’s needs, categorizing content into levels like PersonalPublicGeneralConfidential, and Highly Confidential.
    • Clear text: Stored in clear text, making them readable by non-Microsoft apps for more protective actions.
    • Persistent: Remain with content wherever it’s saved or stored, enforcing your organization’s policies.

  • Sensitivity label overview

    Microsoft Purview Information Protection uses sensitivity labels to help organizations categorize and protect data while enabling productivity and collaboration. As content expands beyond firewalls and across different devices, apps, and services, these labels ensure data is handled safely and in accordance with regulations. As we navigate the challenges of data management in a global consulting firm, we explore the practical use of sensitivity labels within Microsoft Purview Information Protection to secure data across Microsoft 365.

    Sensitivity label uses

    You can use sensitivity labels for:

    • Encryption and content markings: Apply labels like Confidential to encrypt documents and emails and add watermarks, headers, and footers. Encryption restricts actions for authorized users.
    • Cross-platform content protection: Protect content across Office apps on various platforms, including desktop and web on Windows, macOS, iOS, and Android.
    • Non-Microsoft app protection: Secure content in apps like SalesForce, Box, or DropBox with Microsoft Defender for Cloud Apps.
    • Container protection: Manage privacy and access settings for Teams, Microsoft 365 Groups, and SharePoint sites.
    • Meeting and chat Security: Secure Teams meetings and chats with encryption and specific access controls.
    • Data intelligence: Integrate labels with Power BI and Microsoft Purview Data Map to safeguard data across services.
    • Non-Microsoft app extension: Integrate sensitivity labels with external apps using the Microsoft Purview Information Protection SDK for consistent data protection.
    • Visual marking: Label data without enforcing protection, allowing for future application of security measures.
    • Microsoft Copilot integration: Use sensitivity labels within Microsoft Copilot to ensure data protection during interactions.

  • Example: Protecting financial data in generative AI tools

    Contoso, a financial software company, uses external generative AI tools in both R&D and marketing workflows. These tools support productivity, but they also raise risks, including:

    • Sharing of sensitive financial data
    • Exposure of proprietary algorithms
    • Disclosure of confidential product information

  • Case study: Implement Adaptive Protection for AI data security

    As organizations adopt generative AI tools, traditional security policies might not provide enough flexibility to manage evolving risks. Microsoft Purview Adaptive Protection helps address this challenge by adjusting data loss prevention (DLP) policy enforcement based on user risk signals. These signals can come from browsing behavior or how users handle data in AI environments. This dynamic approach helps protect sensitive information without blocking productivity across the organization.

    The next example shows how a financial technology company uses Adaptive Protection to safeguard sensitive data while enabling responsible use of AI tools.

    Learning objectives

    In this example, you’ll learn how to:

    • Use Adaptive Protection to manage data security risks related to AI tool usage.
    • Link insider risk policies and DLP policies through dynamic user risk levels.
    • Configure protections that block or restrict risky actions based on those levels.