Your information protection strategy is driven by your business needs. Many organizations must comply with regulations, laws, and business practices. Additionally, organizations need to protect proprietary information, such as data for specific projects.
Microsoft Purview Information Protection (formerly Microsoft Information Protection) provides a framework, process, and capabilities you can use to protect sensitive data across clouds, apps, and devices.
To see examples of Microsoft Purview Information Protection in action, from the end-user experience to the admin configuration, watch the following video:
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Microsoft Purview Information Protection framework
Use Microsoft Purview Information Protection to help you discover, classify, protect, and govern sensitive information wherever it lives or travels.
If you're new to Microsoft Purview, consider using Data Security Posture Management (DSPM) for AI to supplement the information on this page and jumpstart securing your data with Microsoft Purview Information Protection.
Even if you're not using AI apps in your organization, DSPM for AI uses the same framework of controls with some ready-made reports, default sensitivity labels, and the automatic creation of policies to protect your sensitive data.
Licensing
Microsoft Purview Information Protection capabilities are included with Microsoft Purview. The licensing requirements can vary even within capabilities, depending on configuration options. To identify licensing requirements and options, see the Microsoft 365 guidance for security & compliance.
Know your data
Knowing where your sensitive data resides is often the biggest challenge for many organizations. Microsoft Purview Information Protection data classification helps you to discover and accurately classify ever-increasing amounts of data that your organization creates. Graphical representations help you gain insights into this data so you can set up and monitor policies to protect and govern it.
Step 1: Describe the categories of sensitive information you want to protect.
More information: You already have an idea of what types of information are most valuable to your org and what types aren't. Work with stakeholders to describe these categories that are your starting point.
Sensitive data in items can be found by using many different methods that include default DLP policies, manual labeling by users, and automated pattern recognition using sensitive information types or machine learning.
Use the information from knowing where your sensitive data resides to help you more efficiently protect it. However, there's no need to wait—you can start to protect your data immediately with a combination of manual, default, and automatic labeling. Then, use content explorer and activity explorer from the previous section to confirm what items are labeled and how your labels are being used.
Step 1: Define your sensitivity labels and policies that will protect your organization's data.
More information: In addition to identifying the sensitivity of content, these labels can apply protection actions such as content markings (headers, footers, watermarks), encryption, and other access controls.
Example sensitivity labels:
- Personal
- Public
- General
  - Anyone (unrestricted)
  - All Employees (unrestricted)
- Confidential
  - Anyone (unrestricted)
  - All Employees
  - Trusted People
- Highly Confidential
  - All Employees
  - Specific People
Example sensitivity label policy:
1. Publish all labels to all users in the tenant
2. Default label of General \ All Employees (unrestricted) for items
3. Users must provide a justification to remove a label or lower its classification
Step 2: Label and protect data for Microsoft 365 apps and services.
More information: Sensitivity labels are supported for Microsoft 365 Word, Excel, PowerPoint, Outlook, Teams meetings, and also containers that include SharePoint and OneDrive sites, and Microsoft 365 groups. Use a combination of labeling methods such as manual labeling, automatic labeling, a default label, and mandatory labeling.
Example configuration for service-side auto-labeling, applied to all locations (Exchange, SharePoint, OneDrive):
1. Apply Confidential \ Anyone (unrestricted) if 1-9 credit card numbers
2. Apply Confidential \ All Employees if 10+ credit card numbers
3. Apply Confidential \ Anyone (unrestricted) if 1-9 US personal data and full names
4. Apply Confidential \ All Employees if 10+ US personal data and full names
Step 3: Discover, label, and protect sensitive items that reside in data stores in the cloud (Box, GSuite, SharePoint, and OneDrive) by using Microsoft Defender for Cloud Apps with your sensitivity labels.
Example configuration for a file policy: Looks for credit card numbers in files stored in a Box account, and then applies a sensitivity label to identify the highly confidential info and encrypt it.
Step 4: Discover, label, and protect sensitive items that reside in data stores on premises by deploying the information protection scanner with your sensitivity labels.
Step 5: Auto-apply sensitivity labels in Microsoft Purview Data Map to discover and label items for Azure Blob Storage, Azure files, and Azure Data Lake Storage Gen2.
Microsoft Purview includes additional capabilities to help protect data. Not every customer needs these capabilities, and some might be superseded by more recent releases.
Deploy Microsoft Purview Data Loss Prevention (DLP) policies to govern and prevent the inappropriate sharing, transfer, or use of sensitive data across apps and services. These policies help users make the right decisions and take the right actions when they're using sensitive data.
Step 1: Learn about DLP.
More information: Organizations have sensitive information under their control, such as financial data, proprietary data, credit card numbers, health records, and social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).
Every organization will plan for and implement data loss prevention (DLP) differently, because every organization's business needs, goals, resources, and situation are unique to them. However, there are elements that are common to all successful DLP implementations.
Creating a data loss prevention (DLP) policy is quick and easy, but getting a policy to yield the intended results can be time consuming if you have to do a lot of tuning. Taking the time to design a policy before you implement it gets you to the desired results faster, and with fewer unintended issues, than tuning by trial and error alone.
Example configuration for a DLP policy: Prevents emails from being sent if they contain credit card numbers or if the email has a specific sensitivity label that identifies highly confidential info.
After you deploy a DLP policy, you'll see how well it meets the intended purpose. Use that information to adjust your policy settings for better performance.
The credit card number examples are often helpful for initial testing and end user education. Even if your organization doesn't typically need to protect credit card numbers, the concept of these being sensitive items that need protection is easily understood by users. Many websites provide credit card numbers that are suitable for testing purposes only. You can also search for sites that provide credit card number generators so that you can paste the numbers into documents and emails.
When you're ready to move your automatic labeling and DLP policies into production, change to classifiers and configurations that are suitable for the type of data used by your organization. For example, you might need to use trainable classifiers for intellectual property and specific types of documents, or exact data match (EDM) sensitive information types for privacy data that's related to customers or employees.
Or, you might want to start by discovering and protecting IT-related information that is frequently the target of security attacks. Then, supplement this by checking for and preventing the sharing of passwords with DLP policies for email and Teams chat:
- Use the trainable classifiers IT and IT Infra and Network Security Documents
- Use the built-in sensitive info type General Password and create a custom sensitive info type for "password is" for the different languages used by your users
Deploying an information protection solution isn't a linear deployment but iterative, and often circular. The more you know your data, the more accurately you can label it, and prevent data leakage. The results of those applied labels and policies flow into the data classification dashboard and tools, which in turn makes more sensitive data visible for you to protect. Or, if you're already protecting that sensitive data, consider whether it requires additional protective actions.
You can start to manually label data as soon as you've defined sensitivity labels. The same classifiers that you use for DLP can be used to automatically find and label more data. You can even use sensitivity labels as a classifier, for example, block sharing items that are labeled highly confidential.
Most customers already have some solutions in place to protect their data. Your deployment strategy might be to build on what you already have, or to focus on the gaps that offer the most business value or address high-risk areas.
You might prefer to deploy information protection by using a phased deployment that implements progressively restrictive controls. This approach gradually introduces new protection measures for users as you gain familiarity and confidence with the technology. For example:
- From default labels and no encryption, to recommending labels that apply encryption when sensitive data is found, and then automatically applying labels when sensitive data is found.
- DLP policies that progress from auditing oversharing actions, to more restrictive blocking with warning to educate users, and then blocking all sharing.
Details of such a phased deployment might look something like the following plan, where sensitivity labels and DLP policies become more integrated with each other to provide greater data protection than if they were used independently:

Phase 1
Sensitivity label configurations:
- General\All Employees: Default label for email. No encryption. If applied on emails, block users from over-sharing.
- Confidential\All Employees: Default label for documents. No encryption. If applied on emails, block users from over-sharing.
- Highly Confidential\All Employees: No encryption. If applied on emails, block users from over-sharing.
DLP policy A: If 1-2 instances of credit cards are found, block external sharing except if the item is labeled as Personal or Confidential\Anyone (unrestricted). Use logging and reporting for analysis.
DLP policy B: If 3-9 instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives except if the item is labeled as Confidential\Anyone (unrestricted). Use logging and reporting for analysis.
DLP policy C: If 10+ instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives with no exceptions. Use logging and reporting for analysis.

Phase 2
Sensitivity label configurations:
- General\All Employees: Default label for email. No encryption. If applied on emails, block users from over-sharing.
- Confidential\All Employees: Default label for documents. Encryption with Full Control to all employees. If applied on emails, block users from over-sharing.
- Confidential\Trusted People: Encryption that lets users assign permissions with Encrypt-Only for Outlook and prompts users in Word, PowerPoint, and Excel. If applied on emails, display a DLP tooltip to warn users that unauthorized users won't be able to read the email.
- Highly Confidential\All Employees: Encryption with Full Control to all employees. If applied on emails, block users from over-sharing. Recommend the label if 3-9 instances of credit cards are found with high confidence, or 10+ instances of credit cards are found with low confidence.
DLP policy A: If 1-2 instances of credit cards are found, block external sharing except if the item is labeled as Personal or Confidential\Anyone (unrestricted). Send an alert on repeat actions in a short period of time.
DLP policy B: If 3-9 instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives except if the item is labeled as Confidential\Anyone (unrestricted). Send an alert on repeat actions over time.
DLP policy C: If 10+ instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives with no exceptions. Report on each individual action.

Phase 3
Sensitivity label configurations:
- General\All Employees: Default label for email. No encryption. If applied on emails, block users from over-sharing.
- Confidential\All Employees: Default sublabel for the parent label, Confidential. Encryption with all usage rights except Export and Full Control to all employees. Encryption with Full Control usage rights to managers. Recommend the label if 1-9 instances of credit cards are found with low confidence.
- Confidential\Trusted People: Encryption that lets users assign permissions with Encrypt-Only for Outlook and prompts users in Word, PowerPoint, and Excel. If applied on emails, display a DLP tooltip to warn users that unauthorized users won't be able to read the email.
- Highly Confidential\All Employees: Encryption with all usage rights except Export and Full Control to all employees. Encryption with Full Control usage rights to managers. Recommend the label if 1-9 instances of credit cards are found with low confidence. If applied on emails, block users from over-sharing. Automatically apply the label if 3-9 instances of credit cards are found with high confidence, or 10+ instances of credit cards are found with low confidence.
- Highly Confidential\Specific People: Encryption that lets users assign permissions with Do Not Forward for Outlook and prompts users in Word, PowerPoint, and Excel. Exception for all DLP blocking rules.
DLP policy A: If 1-2 instances of credit cards are found, block external sharing except if the item is labeled as Personal, Confidential\Trusted People, or Highly Confidential\Specific People. Send an alert on repeat actions in a short period of time.
DLP policy B: If 3-9 instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives except if the item is labeled as Confidential\Anyone (unrestricted) or Highly Confidential\Specific People. Send an alert on repeat actions over time.
DLP policy C: If 10+ instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives with no exceptions. Report on each individual action.
DLP policy D: If the item is labeled as General\All Employees, Confidential\All Employees, or Highly Confidential\All Employees, block external sharing with a policy tip and no exceptions.
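To make the interaction between the final-phase rules concrete, here is an added Python model (constructed for this article, not Microsoft's code or the DLP engine) that counts Luhn-valid card numbers in a constructed sample email and reports which of policies A to D fire for a given sensitivity label and which actions they block. The classifier is a simplification, since the built-in sensitive information type also weighs keywords and confidence levels; the label names are the plan's own Parent\Sublabel strings.

```python
import re

# Labels named in the phase plan (constructed strings in the page's Parent\Sublabel form).
POLICY_A_EXCEPTIONS = {"Personal", "Confidential\\Trusted People",
                       "Highly Confidential\\Specific People"}
POLICY_B_EXCEPTIONS = {"Confidential\\Anyone (unrestricted)",
                       "Highly Confidential\\Specific People"}
POLICY_D_LABELS = {"General\\All Employees", "Confidential\\All Employees",
                   "Highly Confidential\\All Employees"}
EXTERNAL, EGRESS, REMOVABLE = "external sharing", "cloud egress", "copy to removable drive"

def luhn_ok(digits):
    """Luhn mod-10 check, the checksum the credit card classifier relies on."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_credit_cards(text):
    """Count unique Luhn-valid 13-19 digit runs (spaces or dashes allowed between digits).
    Simplified stand-in for the built-in sensitive info type, which also uses keywords."""
    found = set()
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return len(found)

def evaluate(card_count, label=None):
    """Return (policies fired, actions blocked) for one item under policies A to D."""
    fired, blocked = [], set()
    if 1 <= card_count <= 2 and label not in POLICY_A_EXCEPTIONS:
        fired.append("A"); blocked.add(EXTERNAL)
    if 3 <= card_count <= 9 and label not in POLICY_B_EXCEPTIONS:
        fired.append("B"); blocked.update({EXTERNAL, EGRESS, REMOVABLE})
    if card_count >= 10:  # policy C has no label exceptions
        fired.append("C"); blocked.update({EXTERNAL, EGRESS, REMOVABLE})
    if label in POLICY_D_LABELS:  # policy D fires on the label alone
        fired.append("D"); blocked.add(EXTERNAL)
    return fired, blocked

# Constructed sample email: three Luhn-valid test numbers plus one that fails the checksum.
SAMPLE = """Cards on file: 4111 1111 1111 1111, 5500-0000-0000-0004 and 340000000000009.
Ignore 1234 5678 9012 3456, it is not a valid number."""

if __name__ == "__main__":
    n = count_credit_cards(SAMPLE)
    print(n, evaluate(n), evaluate(n, "Confidential\\Anyone (unrestricted)"))
```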
Configuration details for this example phased deployment:
Microsoft Purview Data Loss Prevention (DLP) helps safeguard sensitive information by monitoring and preventing accidental data leaks across your organization's digital platforms. In this module, you'll learn how to plan, deploy, and adjust DLP policies to protect sensitive data in your organization, ensuring security without disrupting daily work.
Learn how to protect your sensitive information using Microsoft Purview Data Loss Prevention policies and tools and take a tour through the DLP lifecycle.
Step-by-step guide on authoring and publishing protection policies for sensitivity labels in Microsoft Purview so only certain users can access sensitive information.
The Microsoft Purview data classification dashboard provides visibility into how much sensitive data has been found and classified in your organization.