Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

Microsoft Purview Information Protection

How sensitivity labels, data loss prevention, and information protection policies keep sensitive data protected as it moves and is shared.

4 min read
Microsoft 365HIPAA

Every control covered elsewhere in this cluster — identity, Conditional Access, Defender — governs access to systems and data. Microsoft Purview's information protection capabilities govern the data itself, following it as it moves between documents, emails, and applications, which matters because access control alone doesn't stop a legitimately-accessed file from being shared somewhere it shouldn't be.

Sensitivity labels

A sensitivity label is metadata applied to a document or email — Public, Internal, Confidential, Highly Confidential, or whatever taxonomy an organization defines — that can carry enforcement actions: encryption, watermarking, access restrictions, or a warning banner. Once applied, the label travels with the content even after it leaves the originating application, which is what makes labels more durable than access control lists alone.

What a sensitivity label can enforce
Enforcement ActionEffect
EncryptionContent readable only by authorized users/groups, even if the file is copied elsewhere
Access restrictionsLimits who can open, edit, or forward, independent of where the file is stored
Visual markingsHeaders, footers, or watermarks indicating sensitivity to anyone viewing the content
Content marking + DLP triggerCombines with data loss prevention policy to block or warn on risky sharing

Auto-labeling reduces reliance on user judgment

Manually applying labels depends on every user correctly judging sensitivity every time — a reliability gap for genuinely sensitive content. Auto-labeling policies can apply a label automatically based on detected content patterns (a Social Security number format, a HIPAA-relevant term list), reducing that dependency for your highest-risk data categories specifically.

Discover

Sensitive content identified via pattern matching

Classify

Sensitivity label applied — manually or automatically

Protect

Encryption, access restriction, or watermark enforced

Monitor

DLP policy evaluates every subsequent sharing attempt

Govern

Retention/deletion policy applied based on classification

Protection travels with the content itself, not just its original storage location — see Microsoft Purview Information Protection.

Data loss prevention (DLP)

DLP policies detect sensitive content — based on pattern matching, sensitivity labels, or both — and take action when it's about to be shared inappropriately: blocking an external email containing unencrypted payment card numbers, warning a user before they share a labeled "Highly Confidential" file externally, or simply logging the event for review without blocking it.

  1. Start DLP policies in test/audit mode, exactly like Conditional Access and ASR rules — observe what would trigger before actually blocking anything, since overly broad pattern matching produces false positives that disrupt legitimate work.
  2. Scope initial policies to your highest-risk data categories (payment data, health information, credentials) rather than attempting comprehensive coverage immediately.
  3. Pair DLP with user education, since a DLP warning at the moment of a risky action is a genuine teaching opportunity, not just an enforcement mechanism.

How this connects to compliance frameworks

Data protection controls are directly relevant to several frameworks covered elsewhere in this Knowledge Center — HIPAA's Security Rule expects technical safeguards for electronic protected health information in transit and at rest, and DLP/sensitivity labels are a direct, auditable implementation of that expectation. See HIPAA Password Guidance for the broader HIPAA technical safeguards context this fits into.

Labels and DLP support compliance; they don't constitute it on their own

Sensitivity labels and DLP policies are strong technical controls, but — consistent with the same caveat given for Secure Score — they are one component of a compliance posture, not a complete compliance program by themselves. Confirm specific framework requirements with a qualified advisor.

Common mistakes

  • Deploying DLP policies directly in blocking mode without an audit period, disrupting legitimate business workflows that happen to match overly broad detection patterns.
  • Relying entirely on manual labeling for genuinely sensitive data categories, where auto-labeling would provide more reliable coverage.
  • Treating labels as purely visual/informational without configuring the actual enforcement actions (encryption, access restriction) that provide real protection.
  • Not training users on what a DLP warning means, causing it to be dismissed as a nuisance rather than understood as a real risk signal.

FAQ

Do sensitivity labels work across all Microsoft 365 applications? Broadly yes — Word, Excel, PowerPoint, Outlook, and Teams all support sensitivity labeling in current Microsoft 365 plans, though specific enforcement capabilities can vary by application and license tier.

Does encryption applied via a sensitivity label survive if the file is downloaded and moved to a personal device? Yes — this is the core value of label-based encryption over folder- or location-based access control: the protection travels with the file itself, not with where it's stored.

What license tier includes Purview Information Protection and DLP? These capabilities are gated across different Microsoft 365 and Purview-specific licensing tiers, with more advanced auto-labeling and DLP capability typically requiring higher tiers — confirm current tier requirements directly with Microsoft, since packaging has changed over time.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT