Deploy an information protection solution with Microsoft Purview
Your information protection strategy is driven by your business needs. Many organizations must comply with regulations, laws, and business practices. Additionally, organizations need to protect proprietary information, such as data for specific projects.
Microsoft Purview Information Protection (formerly Microsoft Information Protection) provides a framework, process, and capabilities you can use to protect sensitive data across clouds, apps, and devices.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Microsoft Purview Information Protection framework
Use Microsoft Purview Information Protection to help you discover, classify, protect, and govern sensitive information wherever it lives or travels.
For data governance, see Deploy a data governance solution with Microsoft Purview.
Microsoft Purview Information Protection capabilities are included with Microsoft Purview. The licensing requirements can vary even within capabilities, depending on configuration options. To identify licensing requirements and options, see the Microsoft 365 guidance for security & compliance.
Know your data
Knowing where your sensitive data resides is often the biggest challenge for many organizations. Microsoft Purview Information Protection data classification helps you to discover and accurately classify ever-increasing amounts of data that your organization creates. Graphical representations help you gain insights into this data so you can set up and monitor policies to protect and govern it.
| Step | Description | More information |
|---|---|---|
| 1 | Describe the categories of sensitive information you want to protect. You already have an idea of what types of information are most valuable to your org and what types aren't. Work with stakeholders to describe these categories that are your starting point. | Learn about sensitive information types |
| 2 | Discover and classify sensitive data. Sensitive data in items can be found by using many different methods that include default DLP policies, manual labeling by users, and automated pattern recognition using sensitive information types or machine learning. | Learn about data classification |
| 3 | View your sensitive items. Use content explorer and activity explorer for a deeper analysis of sensitive items and the actions that users are taking on these items. | Get started with content explorer |
Protect your data
Use the information from knowing where your sensitive data resides to help you more efficiently protect it. However, there's no need to wait—you can start to protect your data immediately with a combination of manual, default, and automatic labeling. Then, use content explorer and activity explorer from the previous section to confirm what items are labeled and how your labels are being used.
|1||Define your sensitivity labels and policies that will protect your organization's data.
In addition to identifying the sensitivity of content, these labels can apply protection actions such as content markings (headers, footers, watermarks), encryption, and other access controls.
Example sensitivity labels:
- Anyone (unrestricted)
- All Employees (unrestricted)
- Anyone (unrestricted)
- All Employees
- Trusted People
- All Employees
- Specific People
Example sensitivity label policy:
1. Publish all labels to all users in the tenant
2. Default label of General \ All Employees (unrestricted) for items
3. Users must provide a justification to remove a label or lower its classification
|Get started with sensitivity labels
Create and configure sensitivity labels and their policies
Restrict access to content by using sensitivity labels to apply encryption
|2||Label and protect data for Microsoft 365 apps and services.
Sensitivity labels are supported for Microsoft 365 Word, Excel, PowerPoint, Outlook, Teams meetings, and also containers that include SharePoint and OneDrive sites, and Microsoft 365 groups. Use a combination of labeling methods such as manual labeling, automatic labeling, a default label, and mandatory labeling.
Example configuration for client-side auto-labeling:
1. Recommend Confidential \ Anyone (unrestricted) if 1-9 credit card numbers
2. Recommend Confidential \ All Employees if 10+ credit card numbers
-- typical end user experience, and the user selects the button to show sensitive content (Word only)
Example configuration for service-side auto-labeling:
Apply to all locations (Exchange, SharePoint, OneDrive)
1. Apply Confidential \ Anyone (unrestricted) if 1-9 credit card numbers
2. Apply Confidential \ All Employees if 10+ credit card numbers
3. Apply Confidential \ Anyone (unrestricted) if 1-9 US personal data and full names
4. Apply Confidential \ All Employees if 10+ US personal data and full names
|Manage sensitivity labels in Office apps
Enable sensitivity labels for Office files in SharePoint and OneDrive
Enable co-authoring for files encrypted with sensitivity labels
Configure a default sensitivity label for a SharePoint document library
Apply a sensitivity label to content automatically
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites
Use sensitivity labels to protect calendar items, Teams meetings, and chat
Use sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive
Apply a sensitivity label to a model in Microsoft Syntex
Sensitivity labels in Power BI
|3||Discover, label, and protect sensitive items that reside in data stores in the cloud (Box, GSuite, SharePoint, and OneDrive) by using Microsoft Defender for Cloud Apps with your sensitivity labels.
Example configuration for a file policy: Looks for credit card numbers in files stored in a Box account, and then applies a sensitivity label to identify the highly confidential info and encrypt it.
|Discover, classify, label, and protect regulated and sensitive data stored in the cloud|
|4||Discover, label, and protect sensitive items that reside in data stores on premises by deploying the information protection scanner with your sensitivity labels.||Configuring and installing the information protection scanner|
|5||Extend your sensitivity labels to Azure by using Microsoft Purview Data Map, to discover and label items for Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen1, and Azure Data Lake Storage Gen2.||Labeling in Microsoft Purview Data Map|
If you're a developer who wants to extend sensitivity labels to line-of-business apps or third-party SaaS apps, see Microsoft Information Protection (MIP) SDK setup and configuration.
The examples for automatic and recommended labeling if credit card numbers are found are often helpful for initial testing and end user education.
Even if credit card numbers are not typical for the data your organization needs to protect, the concept of these being sensitive data that needs to be protected is easily understood by users. Many websites provide credit card numbers that are suitable for testing purposes only. You can also search for sites that provide credit card number generators so that you can paste the numbers into documents and emails.
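The example thresholds above (1-9 and 10+ credit card numbers) can be checked against test documents before a pilot. The following Python code is an added example, not Microsoft's code and not Purview's detection logic: it assumes a simplified detector (13-19 digits that pass the Luhn checksum, distinct values counted), uses hypothetical helper names, and builds constructed test numbers to predict which example label a test document should receive.

```python
import re

# Label names and instance-count thresholds from the page's example rules.
RULES = [
    (10, None, r"Confidential \ All Employees"),
    (1, 9, r"Confidential \ Anyone (unrestricted)"),
]

# Assumption: a candidate is 13-19 digits, optionally split by spaces/hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_card_numbers(text: str) -> int:
    """Count distinct Luhn-valid candidates (assumed counting model)."""
    found = set()
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.add(digits)
    return len(found)

def expected_label(text: str):
    """Return the example label the thresholds select, or None if no match."""
    n = count_card_numbers(text)
    for low, high, label in RULES:
        if n >= low and (high is None or n <= high):
            return label
    return None

def make_test_number(seq: int, prefix: str = "400000") -> str:
    """Build a constructed 16-digit Luhn-valid test value (not a real card)."""
    body = prefix + str(seq).zfill(15 - len(prefix))
    return body + next(c for c in "0123456789" if luhn_valid(body + c))

def make_test_document(count: int) -> str:
    """Constructed sample text holding `count` distinct test numbers."""
    return "\n".join(f"Card on file: {make_test_number(i)}" for i in range(1, count + 1))
```

Comparing `expected_label(make_test_document(n))` with the label a pilot policy actually applies at n = 9 and n = 10 confirms that the boundary between the two example rules is configured as intended.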
Additional protection capabilities
Microsoft Purview includes additional capabilities to help protect data. Not every customer needs these capabilities, and some might be superseded by more recent releases.
Refer to the Protect your data with Microsoft Purview page for the full list of protection capabilities.
Prevent data loss
Deploy Microsoft Purview Data Loss Prevention (DLP) policies to govern and prevent the inappropriate sharing, transfer, or use of sensitive data across apps and services. These policies help users make the right decisions and take the right actions when they're using sensitive data.
| Step | Description | More information |
|---|---|---|
| 1 | Learn about DLP. Organizations have sensitive information under their control, such as financial data, proprietary data, credit card numbers, health records, and social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP). | Learn about data loss prevention |
| 2 | Plan your DLP implementation. Every organization will plan for and implement data loss prevention (DLP) differently, because every organization's business needs, goals, resources, and situation are unique to them. However, there are elements that are common to all successful DLP implementations. | Plan for data loss prevention |
| 3 | Design and create a DLP policy. Creating a data loss prevention (DLP) policy is quick and easy, but getting a policy to yield the intended results can be time consuming if you have to do a lot of tuning. Taking the time to design a policy before you implement it will get you to the desired results faster, and with fewer unintended issues, than tuning by trial and error alone. Example configuration for a DLP policy: Prevents emails being sent if they contain credit card numbers or the email has a specific sensitivity label that identifies highly confidential info. | Design a DLP policy |
| 4 | Tune your DLP policies. After you deploy a DLP policy, you'll see how well it meets the intended purpose. Use that information to adjust your policy settings for better performance. | Create and deploy data loss prevention policies |
Interactive guides: Microsoft Purview Information Protection
Learning modules for consultants and admins:
- Introduction to information protection and data lifecycle management in Microsoft Purview
- Classify data for protection and governance
- Protect information in Microsoft Purview
- Prevent data loss in Microsoft Purview
To help train your users to apply and use the sensitivity labels that you configure for them, see End-user documentation for sensitivity labels.
When you deploy data loss prevention policies for Teams, you might find the following end-user guidance useful as an introduction to this technology. It includes some potential messages that users might see: Teams messages about data loss prevention (DLP) and communication compliance policies.