Please note that this description is a compact version of Microsoft Purview and is subject to change. Also, the descriptions and understandings are from past projects I have worked on.
Information Protection
Sensitivity Labels
- Sensitivity Labels are the tags that classify a document according to your settings. A label can apply content markings such as a header or watermark to your documents, or encrypt them.
- Sensitivity Labels can also be used to protect Microsoft 365 groups. This applies settings for guest user access, controls sharing, or even requires MFA for accessing a site or team connected to that group.
Encryption
All data in your Tenant is encrypted using Microsoft-managed keys (MMK), so you don't have to worry about installing, updating or sending a public key to outsiders. This is the first layer of encryption. The second layer is specifically scoped to documents, emails or meetings. Usually all of this encryption is done using your Tenant Key, and a label can define who may open the encrypted content in one of two ways:
- Predefined: The people, groups and their permission level that are allowed to open documents or emails encrypted with the sensitivity label are defined within the settings of the label. Users will not be able to change this when they use the label. This makes sense when you have a label for a specific group or department in your company.
- Let users decide: The people and groups that are allowed to open documents or emails are defined by the user. When the user applies this label to a document, they are prompted to specify people, groups and their permission level. They can also choose not to specify anyone; in that case only the person who applied the encryption will have access to the document.
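The two label modes above, as an added example in Security & Compliance PowerShell (not code from the original page). It assumes the ExchangeOnlineManagement module is installed, the account holds a compliance admin role, and `finance@contoso.com` is a placeholder group address.

```powershell
# Added example: a "Predefined" and a "Let users decide" encrypting sensitivity label.
# Assumptions: ExchangeOnlineManagement installed, compliance admin rights,
# finance@contoso.com is a placeholder for a real group in your tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Predefined: the label fixes who may open the content and with which usage rights.
# Rights definitions use the form "principal:RIGHT,RIGHT;principal2:RIGHT".
# Users applying this label cannot change these permissions.
New-Label -Name "Finance-Internal" -DisplayName "Finance - Internal" `
    -Tooltip "Finance department only" `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "finance@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "Finance - Internal"

# Let users decide: Office prompts the user for people, groups and permission level
# when the label is applied; in Outlook the mail is restricted with Do Not Forward.
# If the user enters nobody, only the person who applied the label keeps access.
New-Label -Name "Confidential-Custom" -DisplayName "Confidential - Custom permissions" `
    -Tooltip "Choose who can open this" `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType UserDefined `
    -EncryptionPromptUser $true `
    -EncryptionDoNotForward $true

# Review which labels encrypt and how the recipients are determined
Get-Label | Where-Object { $_.EncryptionEnabled } |
    Format-Table Name, EncryptionProtectionType, EncryptionRightsDefinitions -AutoSize
```

Labels only become visible to users after they are published with a label policy (New-LabelPolicy), which is a separate step.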
Some companies will require more manual control than that. That's why there are other possibilities, both of which require E5 licensing for your users:
- Double Key Encryption: All content encrypted by sensitivity labels will be encrypted both with the Tenant key and with your own key. Usually your key will be stored in some kind of Azure infrastructure to ensure availability. You are then responsible for updating and managing keys.
- Customer Key: This is not in itself connected to any type of sensitivity label. Customer Key will completely encrypt most of your tenant's services (Teams, Exchange, SharePoint and OneDrive) with your own key. This has multiple caveats (coauthoring, for example); make sure to understand them all before going this way.
Find out more here: https://learn.microsoft.com/en-us/purview/office-365-service-encryption
Manual vs. Auto - Labeling
- Manual labeling: Applying classification happens either inside the document, while editing, or from the metadata pane in Teams or SharePoint. A default label also counts as manual labeling. This means that if a policy is set up for your user, all documents, anywhere, that you create or edit (and that do not have a label applied yet) will get that default label.
- Library labeling (requires E5 licensing): This auto labeling works on SharePoint library level and will label all new documents with a default label. If you use a provisioning solution, you will be able to preconfigure this label.
- Automatic labeling (requires E5 licensing): You can use different triggers for a document to be automatically labelled:
  - Sensitive Info Types: Things like passport or bank account numbers, IDs, passwords, IP addresses…
  - Trainable Classifier: A document might look like a bank statement or an employee document. You can train Purview with your own documents.
  - Document properties, file extension and more - ONLY for at-rest auto labeling.
  There are two ways of labeling automatically:
  - While editing: Contents or properties of a document are checked while saving to match certain criteria.
  - While at-rest: Contents or properties of a document are checked while being stored in SharePoint or Teams, without someone accessing it.
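An at-rest auto-labeling policy driven by Sensitive Info Types, as an added example (not code from the original page). It assumes you are already connected with Connect-IPPSSession, that a sensitivity label named "Confidential" exists, and it starts the policy in simulation mode so that nothing is labeled until you have reviewed the matches.

```powershell
# Added example: service-side ("at-rest") auto-labeling for stored documents.
# Assumptions: connected with Connect-IPPSSession; a label named "Confidential"
# already exists in the tenant. The policy starts in simulation (nothing applied).
New-AutoSensitivityLabelPolicy -Name "AutoLabel-PersonalData-AtRest" `
    -Comment "At-rest auto-labeling, added example" `
    -ApplySensitivityLabel "Confidential" `
    -SharePointLocation All `
    -Mode TestWithoutNotifications   # simulate: evaluate and report, do not label yet

# Trigger: built-in Sensitive Info Types (the page's "bank account numbers" case).
# Counts and confidence values are passed as strings in this hashtable form.
New-AutoSensitivityLabelRule -Policy "AutoLabel-PersonalData-AtRest" `
    -Name "Card-or-IBAN-found" `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85"; maxConfidence = "100" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" }
    )

# Check the policy and rule you just created
Get-AutoSensitivityLabelPolicy -Identity "AutoLabel-PersonalData-AtRest" |
    Format-List Name, Mode, ApplySensitivityLabel, SharePointLocation
Get-AutoSensitivityLabelRule -Policy "AutoLabel-PersonalData-AtRest" |
    Format-List Name, Workload, ContentContainsSensitiveInformation

# After reviewing the simulation results in the Purview portal, turn it on:
# Set-AutoSensitivityLabelPolicy -Identity "AutoLabel-PersonalData-AtRest" -Mode Enable
```

Labeling while editing is configured in the label's own auto-labeling settings (client-side), not with these policy cmdlets.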
How it integrates
Get started with…
Classification projects need good adoption and change management. Implementing policies with little user impact makes a good start. Classification for Microsoft 365 groups can add a simple benefit to your Teams concept. Protecting internal documents in Teams from oversharing, or from accidentally adding guests to internal or confidential Teams groups, can make a huge difference here.
From there, start implementing manual labeling for documents, then optionally for E-Mail. After that, you can start taking a look at automated labeling and further AI features.
Data Loss Prevention (more coming soon)
Data Lifecycle Management
Retention vs. Deletion
This is a key concept of data lifecycle management. Retention and deletion directly correlate and follow a strict priority.
- Retention keeps copies of data, even copies of versions of documents, to adhere to regulatory requirements. Retained documents can be deleted by users and then still be found through tools like eDiscovery when needed. After the retention period, you can delete the data or send it to review.
- Deletion deletes data after a specified time period. That period can be based on the age of the data, or it can start after a retention period is over.
Many times you will hear the word retention used for both Deletion and Retention. It does depend on your configuration, but a retention label that does not retain anything and only deletes data will still be called a retention label.
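The retain-versus-delete distinction expressed as two retention labels, as an added example (not code from the original page). It assumes you are connected with Connect-IPPSSession; the durations are placeholders for whatever your regulatory requirement actually is.

```powershell
# Added example: one label that retains and then deletes, one that only deletes.
# Assumptions: connected with Connect-IPPSSession; 2555 and 365 days are placeholders.

# Retains: items cannot be permanently removed for 7 years (2555 days) from creation.
# A user may still delete the file; a copy is kept and stays discoverable.
# When the period ends, the label deletes the item (KeepAndDelete).
New-RetentionComplianceTag -Name "Retain-7y-then-delete" `
    -Comment "Regulatory retention, added example" `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 2555

# Only deletes: nothing is held back, items are removed one year after their last
# modification. It is still a "retention label", which is the naming confusion the text describes.
New-RetentionComplianceTag -Name "Delete-1y-after-last-change" `
    -Comment "Housekeeping deletion, added example" `
    -RetentionAction Delete `
    -RetentionType ModificationAgeInDays `
    -RetentionDuration 365

# Labels are only usable by people once published through a label policy.
New-RetentionCompliancePolicy -Name "Publish-Document-Labels" `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Policy "Publish-Document-Labels" `
    -PublishComplianceTag "Retain-7y-then-delete,Delete-1y-after-last-change"

# RetentionAction shows at a glance whether a label retains, deletes, or both.
Get-RetentionComplianceTag |
    Format-Table Name, RetentionAction, RetentionType, RetentionDuration -AutoSize
```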
Retention Policies
These policies are understood as a baseline lifecycle. They can be applied to mailboxes, Teams, SharePoint, Viva Engage and other areas. Retention Policies have the lowest priority and will be overridden by retention labels.
My recommendation is to only use Retention Policies for E-Mail, Teams messages and Viva Engage as they are not shown in any properties on documents. Therefore, the actual retention period of a document is unknown. Documents are better managed by Retention Labels.
Retention Label
A retention label is meant to specify the lifecycle of a document or E-Mail directly. It will override any retention or deletion applied by a retention policy. As with sensitivity labels, there is a column in SharePoint that shows the retention label currently applied.
Manual vs. Auto-Labeling
- Manual labeling: Applying retention always happens from the metadata pane in Teams or SharePoint.
- Library labeling: This auto labeling works on SharePoint library level and will label all new (and existing) documents with a default label. If you use a provisioning solution, you will be able to preconfigure this label.
- Automatic labeling (requires E5 licensing): You can use different triggers for a document to be automatically labelled:
  - Sensitive Info Types: Things like passport or bank account numbers, IDs, passwords, IP addresses…
  - Trainable Classifier: A document might look like a bank statement or an employee document. You can train Purview with your own documents.
  - Document properties, file extension and more
  Auto-labeling is applied continuously based on the contents or properties of a document at rest. This process is heavy on the infrastructure, so it might take a while to apply to a large number of documents.
How it integrates
Get started with…
My recommendation is to start with Retention policies (deletion based on age) for Teams and Engage messages. This will ensure a clean Microsoft Teams environment, because old chats disappear completely once their last message is deleted. Since Microsoft Teams messages should never contain final decisions or important data, you can achieve two more important goals:
- Guide people from private to channel chats. Simply make the retention of private and group chats shorter than that of channel messages.
- Guide people to document final decisions in other file types like Word, Loop or OneNote. This will also help you with backup and restore, since documents are easier to restore or move than chat messages.
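The recommended Teams setup, with a shorter deletion period for private and group chats than for channel messages, as an added example (not code from the original page). It assumes you are connected with Connect-IPPSSession; 30 and 365 days are placeholder values.

```powershell
# Added example: age-based deletion for Teams, chats shorter than channel messages.
# Assumptions: connected with Connect-IPPSSession; 30/365 days are placeholders.
# Teams locations live in their own policies and cannot be mixed with mailbox or
# SharePoint locations, so two separate policies are created.

# Private and group chats: delete 30 days after the message was created.
New-RetentionCompliancePolicy -Name "Teams-Chats-Delete-30d" `
    -Comment "Nudge people toward channels, added example" `
    -TeamsChatLocation All
New-RetentionComplianceRule -Name "Teams-Chats-Delete-30d-Rule" `
    -Policy "Teams-Chats-Delete-30d" `
    -RetentionComplianceAction Delete `
    -RetentionDuration 30

# Channel messages: keep them visible longer, delete after one year.
New-RetentionCompliancePolicy -Name "Teams-Channels-Delete-365d" `
    -Comment "Channel messages outlive chats, added example" `
    -TeamsChannelLocation All
New-RetentionComplianceRule -Name "Teams-Channels-Delete-365d-Rule" `
    -Policy "Teams-Channels-Delete-365d" `
    -RetentionComplianceAction Delete `
    -RetentionDuration 365

# Verify scope and rollout state of the Teams policies
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.TeamsChatLocation -or $_.TeamsChannelLocation } |
    Format-Table Name, TeamsChatLocation, TeamsChannelLocation, DistributionStatus -AutoSize
```

Viva Engage (Yammer) retention is configured in the Purview portal under the same retention policy concept; it is left out here because I am not certain of the corresponding location parameter.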