With data protection being more critical than it has ever been before, Microsoft 365 administrators need to consider how to protect their organization’s data and ensure that only those that are authorized can consume it. Microsoft Purview (which is the umbrella term for compliance in Microsoft 365) provides Information Protection features to respond to these requirements. Information Protection enables the use of sensitivity labels and policies to allow users to apply permissions and content marking to the data with which they are working. This includes documents and emails, teams, groups and sites, and much more. When you protect content with a sensitivity label, encryption is applied, ensuring that the content may only be accessed by those who have permission.

This chapter will introduce the features and capabilities of sensitivity labels in Microsoft Purview. You will learn how to plan your organization’s sensitivity label solution...

To effectively plan for the deployment of sensitivity labels in your organization and decide which Microsoft 365 subscriptions you are going to require for your users, you first need to understand how Microsoft Purview Information Protection is licensed. The following list identifies the relevant subscription options for performing specific tasks in Microsoft Purview Information Protection:

• Manual sensitivity labeling: The following licenses will provide the required user rights:
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E3/A3/G3
  • Microsoft 365 F1/F3
  • Microsoft Business Premium (Information Protection for Office 365 – Standard should be enabled if only an E5 license has been assigned)
  • Enterprise Mobility + Security E3/E5
  • Office 365 E5/A5/E3/A3
  • Azure Information Protection Plan 1
  • Azure Information Protection Plan 2
• Automatic sensitivity labeling (client and service side): The following licenses will provide the required...

SITs are pattern-based classifiers that can detect information such as credit card numbers to identify sensitive items under your organization’s control. Microsoft Purview provides you with the following methods to identify these items so that they can be classified manually by users, or by using automated pattern recognition and machine learning processes.

An SIT is defined by a pattern that can be identified by the following characteristics:

• Regular expressions or functions
• Dictionary keyword
• Checksums
• Confidence levels
• Proximity

There are many built-in SITs available as part of Microsoft Purview. These can be viewed in the Microsoft Purview compliance portal at https://compliance.microsoft.com under the Data classification section, as shown in the following screenshot:

Figure 11.1: Built-in SITs

However, there may also be occasions wherein organizations need to add one or more custom...

The core functionality of Microsoft Information Protection is based on sensitivity labels and policies. Microsoft 365 administrators can define sensitivity labels in the Microsoft Purview compliance portal. These labels can be configured with protection settings and visual markings (such as watermarks). Furthermore, depending on your subscriptions, they may also include conditions (using the SITs described in the previous section) so that a label can be automatically applied.

Once labels have been created, policies may then be defined in order to determine which users will be able to see and use the labels within their Microsoft Office applications.

Now, let’s take a look at how sensitivity labeling works, starting with setting up labels from the Microsoft Purview Compliance portal.

Setting up labels

To create a label in Microsoft Purview, complete the following steps:

1. Navigate to Information protection, as shown...

Activity explorer is a feature available in the Data classification section of the Microsoft Purview compliance portal that allows administrators to monitor what is being done with their labeled content. Thirty days’ worth of content is stored in Activity explorer:

Figure 11.60: Activity explorer

Activity explorer is part of the premium features of Microsoft Purview. The configuration steps are minimal and only relate to the available licensing you have in your tenant. Each Microsoft 365 account that accesses and uses data classification features such as Activity explorer needs to have one of the following licenses assigned:

• Microsoft 365 (E5)
• Office 365 (E5)
• Advanced Compliance (E5) add-on
• Advanced Threat Intelligence (E5) add-on
• Microsoft 365 E5/A5 Info Protection & Governance
• Microsoft 365 E5/A5 Compliance

Further, to use Activity explorer, you must be assigned one...

In Figure 11.25 of this chapter, we configured a sensitivity label to be applied to Groups & sites. This means that when published, you can apply sensitivity labels to a team in Microsoft Teams, a SharePoint Online site or OneDrive, or a Microsoft 365 group in Outlook on the web.

The experience will show available sensitivity labels in each of these services. In Microsoft Teams, when a new team is created, users with labels applied in this way can choose the sensitivity setting of the team. When doing so, the available privacy options for creating the team will be displayed as shown in the following screenshot:

Figure 11.62: Setting a sensitivity label for a team

When the team is created, the sensitivity label appears in the top-right corner:

Figure 11.63: Team with sensitivity label applied

The same sensitivity label will automatically be set...

This chapter introduced you to the principles of managing sensitive information in Microsoft 365. We learned how to understand built-in SITs and create custom ones as well. We then created a sensitivity label with settings to apply to items, groups, and sites, and assigned it to users with a label policy. We also saw how to create an auto-labeling policy. Next, we learned how to use Activity explorer to track the labeling activity within your organization. Finally, you learned how you can apply sensitivity labels to Teams, SharePoint sites, OneDrive, and Microsoft 365 groups.

In the next chapter, you will explore DLP and how it can be used to safeguard your users from accidentally sharing sensitive content. This is done using rules and conditions that help users make the correct decisions when working with sensitive information.

1. Which of the following is not a method of creating a custom sensitive information type?
   1. Regular expression
   2. Keyword list
   3. Keyword group
   4. Keyword dictionary
2. True or false? You can apply a sensitivity label to a team within Microsoft Teams.
   1. True
   2. False
3. Which section in the Microsoft Purview compliance portal would you go to to configure sensitivity labels and policies?
   1. Insider risk management
   2. Information protection
   3. Data lifecycle management
   4. Data classification
4. Which of the following is not a visual marking setting available for a sensitivity label?
   1. Watermark
   2. Highlight
   3. Header
   4. Footer
5. True or false? Labels are processed in order of highest value to lowest.
   1. True
   2. False
6. What would you configure if you wanted to record in Activity explorer the reason why a label was changed to a lower level?
   1. Configure a custom help link
   2. Configure a sensitive information type
   3. Require a justification
   4. Require a label
7. Which of the following actions can a label perform (choose two)?
   1. Delete content
   2. Rename...

Please refer to the following links for more information:

• Learn about sensitive information types: https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitive-information-type-learn-about?view=o365-worldwide
• Create custom sensitive information types in the compliance portal: https://learn.microsoft.com/en-us/microsoft-365/compliance/create-a-custom-sensitive-information-type?view=o365-worldwide
• Sensitive information type REGEX validators and additional check: https://learn.microsoft.com/en-us/microsoft-365/compliance/sit-regex-validators-additional-checks?view=o365-worldwide
• Create and configure sensitivity labels and their policies: https://learn.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels?WT.mc_id=EM-MVP-4039827&view=o365-worldwide
• Get started with sensitivity labels: https://learn.microsoft.com/en-us/microsoft-365/compliance/get-started-with-sensitivity-labels?WT.mc_id=M365-MVP-4039827&view=o365...