How to automatically apply sensitivity labels to your data in the Microsoft Purview Data Map (Preview)

Important

Labeling in the Microsoft Purview Data Map is currently in PREVIEW. The Supplemental Terms of Use for Microsoft Azure Previews include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Create new or apply existing sensitivity labels in the data map

If you don't already have sensitivity labels, you'll need to create them and make them available for the Microsoft Purview Data Map. Existing sensitivity labels from Microsoft Purview Information Protection can also be modified to make them available to the data map.

Step 1: Licensing requirements

Sensitivity labels are created and managed in the Microsoft Purview Information Protection. To create sensitivity labels for use through Microsoft Purview, you must have an active Microsoft 365 license that offers the benefit of automatically applying sensitivity labels.

For the full list of licenses, see the Sensitivity labels in Microsoft Purview FAQ. If you don't already have the required license, you can sign up for a trial of Microsoft 365 E5.

The following steps extend your existing sensitivity labels and enable them to be available for use in the data map, where you can apply sensitivity labels to files and database columns.

  1. Depending on the portal you're using, navigate to one of the following locations:

    • Sign in to the Microsoft Purview portal > Information Protection card > Sensitivity labels.

      If the Information Protection solution card isn't displayed, select View all solutions and then select Information Protection from the Data Security section.

    • Sign in to the Microsoft Purview compliance portal > Solutions > Information protection > Labels

      Tip

      If you've recently provisioned your subscription for Information Protection, it may take a few hours for the Information Protection page to display.

  2. In the Extend labeling to assets in the Microsoft Purview Data Map area, select the Turn on button, and then select Yes in the confirmation dialog that appears.

Tip

If you don't see the button, and you're not sure if consent has been granted to extend labeling to assets in the Microsoft Purview Data Map, see this FAQ item on how to determine the status.

After you've extended labeling to assets in the Microsoft Purview Data Map, all published sensitivity labels are available for use in the data map.

Step 3: Create or modify existing label to automatically label content

To create new sensitivity labels or modify existing labels:

  1. Depending on the portal you're using, navigate to one of the following locations:

  2. Select Create a label.

    Create sensitivity labels in the Microsoft Purview compliance center

  3. Name the label. Then, under Define the scope for this label:

    • In all cases, select Schematized data assets.
    • To label files, also select Items. This option isn't required to label schematized data assets only.

    Automatically label in the Microsoft Purview compliance center

  4. Follow the rest of the prompts to configure the label settings.

    Specifically, define autolabeling rules for files and schematized data assets:

    For more information about configuration options, see What sensitivity labels can do in the Microsoft 365 documentation.

  5. Repeat the steps listed above to create more labels.

    To create a sublabel, select the parent label > ... > More actions > Add sub label.

  6. To modify existing labels, browse to Information Protection > Labels, and select your label.

    Then select Edit label to open the Edit sensitivity label configuration again, with all of the settings you'd defined when you created the label.

    Edit an existing sensitivity label

  7. When you're done creating all of your labels, make sure to view your label order, and reorder them as needed.

    To change the order of a label, select ... > More actions > Move up or Move down.

    For more information, see the documentation for label priority (order matters).

Autolabeling for files

Define autolabeling rules for file assets from sources like Azure Blob Storage, Azure Files, Azure Data Lake Storage, and Amazon S3, when you create or edit your label.

On the Auto-labeling for Office apps page, enable Auto-labeling for Office apps, and then define the conditions where you want your label to be automatically applied to your data.

For example:

Define auto-labeling rules for files in the Microsoft Purview compliance center

For more information, see the documentation to apply a sensitivity label to data automatically.

Autolabeling for schematized data assets

Define autolabeling rules for schematized data assets like Azure SQL, Azure Synapse Analytics, Azure Cosmos DB, etc., when you create or edit your label.

At the Schematized data assets option:

  1. Select the Auto-labeling for schematized data assets slider.

  2. Select Check sensitive info types to choose the sensitive info types you want to apply to your label.

For example:

Define auto-labeling rules for schematized data assets in the Microsoft Purview compliance center

Step 4: Publish labels

If the Sensitivity label has been published previously, then no further action is needed.

If this is a new sensitivity label that hasn't been published before, then the label must be published for the changes to take effect. Follow these steps to publish the label.

Once you create a label, you need to scan your data in the Microsoft Purview Data Map to automatically apply the labels you created, based on the autolabeling rules you defined.

Scan your data to apply sensitivity labels automatically

Scan your data in the data map to automatically apply the labels you've created, based on the autolabeling rules you've defined. Allow up to 24 hours for sensitivity label changes to reflect in the data map.

For more information on how to set up scans on various assets in the Microsoft Purview Data Map, see:

Source Reference
Files within Storage Register and Scan Azure Blob Storage
Register and scan Azure Files Register and scan Azure Data Lake Storage Gen1
Register and scan Azure Data Lake Storage Gen2
Register and scan Amazon S3
database columns Register and scan an Azure SQL Database
Register and scan an Azure SQL Managed Instance
Register and scan Dedicated SQL pools
Register and scan Azure Synapse Analytics workspaces
Register and scan Azure Cosmos DB for NoSQL database
Register and scan an Azure MySQL database
Register and scan an Azure database for PostgreSQL

View labels on assets in the catalog

Once you've defined autolabeling rules for your labels in the Microsoft Purview Information Protection and scanned your data in the data map, labels are automatically applied to your assets in the data map.

To view the labels applied to your assets in the Microsoft Purview catalog:

In the Microsoft Purview catalog, use the Label filtering options to show assets with specific labels only. For example:

Search for assets by label

To view details of an asset including classifications found and label applied, select the asset in the results.

For example:

View a sensitivity label on a file in your Azure Blob Storage

View Insight reports for the classifications and sensitivity labels

Find insights on your classified and labeled data in the Microsoft Purview Data Map use the Classification and Sensitivity labeling reports.