Share via

Authoring and publishing protection policies (preview)

Protection access control policies (protection policies) enable organizations to automatically protect sensitive data across data sources. Microsoft Purview already scans data assets and identifies sensitive data elements, and this new feature allows you to automatically restrict access to that data using sensitivity labels from Microsoft Purview Information Protection.

Protection policies ensure that Enterprise Admins must authorize data access for a sensitivity type. After enabling these policies, access control is automatically imposed whenever sensitive information is detected with Microsoft Purview Information Protection.

Actions supported

  • Restrict access on labeled data assets so that only users and groups you select can access them.
  • Action configured on Sensitivity Labels in the Microsoft Purview Information Protection solution.

Data sources supported


*Azure Storage sources are currently in a gated preview. To enroll, follow this link.


This article covers general steps for all protection policies. The available data source articles cover specifics like available region and limitations for those data sources.



It's recommended you use a test tenant to test preview features.

Users and permissions

There are several types of users you need, and you need to set up the corresponding roles and permissions for these users:

  1. Microsoft Purview Information Protection Admin - Broad rights to manage Information Protection solution: reviewing / creating / updating / deleting protection policies, sensitivity labels and label/auto-labeling policies, all classifier types. They should also have full access to data explorer, activity explorer, Microsoft Purview Information Protection insights, and reports.
    • User needs the roles from within the built-in role group “Information Protection”, along with new roles for data map reader, insights reader, scan reader, source reader. Full permissions would be:
      • Information Protection reader
      • Data Map Reader
      • Insights Reader
      • Source Reader
      • Scan Reader
      • Information Protection admin
      • Information Protection analyst
      • Information protection investigator
      • Data classification list viewer
      • Data classification content viewer
      • Microsoft Purview evaluation administrator
    • Option 1 - Recommended:
      1. Within the Microsoft Purview role groups panel, search for Information Protection.
      2. Select the Information Protection role group, select Copy.
      3. Name it: "Preview - Information Protection", and select Create copy.
      4. Select Preview - Information Protection and select Edit.
      5. On the Roles page, + Choose roles and search for “reader”.
      6. Select these four roles: Data map reader, insights reader, scan reader, source reader.
      7. Add the Microsoft Purview Information Protection admin test user account to this new copied group and complete the wizard.
    • Option 2- uses built-in groups (will provide more permissions than needed)
      1. Place a new Microsoft Purview Information Protection admin test user account within the built-in groups for Information Protection, Data Estate Insights Readers, Data Source Administrators.
  2. Data Owner/Admin - This user will enable your source for data policy enforcement in Microsoft Purview.

Prepare your environment and source to apply policies


This article covers general steps for all protection policies. The articles linked in available data source cover specifics and limitations for those data sources. We recommend you follow the source-specific articles for complete information on protection policies for a specific source.

  1. Enable advanced resource sets in Microsoft Purview:

    1. Have a user who is a data curator or a data reader at the root collection, sign in to the Microsoft Purview portal and open the Settings menu.

    2. Under the Account page, find Advanced Resource Sets and set the toggle to On.

      Screenshot of the account page in the settings, with the Advanced resource sets toggle set to on.

  2. Create or extend sensitivity labels from Microsoft Purview Information Protection to data map assets.


    Be sure to also publish your labels after creating them.

  3. Register your sources

  4. Enable data policy enforcement:

    1. Go to the new Microsoft Purview portal.

    2. Select the Data Map tab in the left menu.

    3. Select the Data sources tab in the left menu.

    4. Select the source where you want to enable data policy enforcement.

    5. Set the Data policy enforcement toggle to On, as shown in the image below.

      Set data policy enforcement toggle to **On** within data source details.

  5. Scan your data sources.


    Wait at least 24 hours after scanning.

Create protection policy

Now that you've checked the prerequisites and prepared your Microsoft Purview instance and source for protection policies, and waiting at least 24 hours after your most recent scan, follow these steps to create your protection policies:

  1. Depending on the portal you're using, navigate to one of the following locations:

  2. Select Protection policies.

    Screenshot of the Information Protection menu, with the Policies dropdown open and Protection policies highlighted.

  3. Select New protection policy.

    Screenshot of the Protection policies page, with the + New protection policy button highlighted.

  4. Provide a name and description and select Next.

  5. Select + Add sensitivity label to add sensitivity label(s) to detect for the policy, and select all the labels you want the policy to apply to.

  6. Select Add then select Next.

  7. Select the sources you want to apply the policy to, and select the Edit button to manage the scope for each you select.

    Screenshot of the new protection policy menu, showing the edit buttons for each source as they've been selected.

  8. Depending on your source, select the + Include button at the top to add up to 10 resources your scope list. The policy will be applied to all the resources you select.


    Currently a maximum of 10 resources is supported, and they must be selected under Edit for them to be enabled.

  9. Select Add and then select Done when your list of sources is complete.

  10. Select the users who will NOT be denied access based on the label. Everyone in your org will be denied read access to labeled items except for the users and groups you add here.

  11. Select Next.

  12. Choose whether turn on the policy right away or not, and select Next.

  13. Select Submit.

  14. Select Done.

  15. You should now see your new policy in the list of protection policies. Select it to confirm that all the details are correct.

Manage protection policy

To edit or delete an existing protection policy, follow these steps.

  1. Open the Microsoft Purview portal.

  2. Open the Information Protection solution.

  3. Select the Policies drop down, and select Protection policies.

    Screenshot of the Information Protection menu, with Protection policies highlighted.

  4. Select the policy you want to manage.

  5. To change any of the details, select the Edit policy button.

  6. To delete the policy, select the Delete policy button.

    Screenshot of a policy detail page, with the edit and delete buttons highlighted.