Microsoft Purview- Paint By Numbers Series (Part 2)- Information Protection
Published Aug 19 2021 10:17 AM 2,714 Views



Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community



This document is not meant to replace any official documentation, including those found at  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.


Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data, encrypt it where needed.


Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through:

  • Create a label
  • Publish a label
  • Add a label
  • Test sending a label


It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy.  For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) called “U.S. SSN – Numbers Only” that I created in Part 1 of this blog series. 



This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Sensitive Information Types
  • Exact Data Matches
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Advanced eDiscovery


It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).


If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog.  That webpage will be updated with any new walk throughs or Compliance relevant information, as time allows.

Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Te...

Overview of Document

  1. Use Case
  2. Definitions
  3. Notes
  4. Pre-requisites
  5. Create a Label
  6. Publish your Label
  7. Add your Label Policy to a document
  8. Test sending the label document to a non-approved user
  9. Appendix and Links


Use Case

If you send data outside of the company, you want to be sure only the assigned Recipient can open and see the data.



  • Sensitivity Label – a metadata tag
  • Publish Label – making the metadata tag available to your tenant



  • I will be I testing with a Word file named “1-MB-Test-SSN-1-MIP”.  This stands for 1MB file with SSN information for Microsoft Information Protection (label) testing.
  • Azure Purview is not relevant to this document, so you can ignore all mentions to it in the UI wizards.



  • Create a Sensitive Information Type (SIT) in Part 1 of this blog series.
  • Populate a OneDrive file with the related SIT information.



Create a Label

  1. Go to Information Protection -> Labels and click Create a label.





  1. Give the Label a Name, Display Name, Description for users, and an optional Description for admins.  I am going to use “Confidential-SSNs” for all of these fields.  When you have what you want, click Next.




  1. For the label scope, accept the defaults and click Next.





  1. You do not have to enable encryption or mare the content of the files.  I will enable both.  Click Next when you are ready.




  1. For encryption, accept the defaults for encryption and access as seen below.




  1. When it comes to permissions, add the test users you want to use.  I am using my accounts of admin and Pradeep.  When you are satisfied, click Next.





  1. Enable Content marking and add a watermark, header and/or footer.  For content marking, I will only be doing a watermark.  I will make my watermark as large as possible to make it simple to see the watermark.  Below is an example of what you can enter.   Enter what makes the most sense for your testing and click Save.  Then click Next.




  1. I will not be performing Auto-labeling in this document.  This is to avoid any excess performance overhead and allow for a precise testing.  Click Next.
  2. We are not going to protect any groups or sites in this document, so you can click Next.
  3. For Azure Purview assets (preview), accept the default of disabled, and click Next.
  4. Review your label and click Create Label.  Then click Done.







Publish your Label

  1. Go to Information Protection -> Label Policies and click Publish label.





  1. Choose your new label.  Mine is “Confidential-SSNs”.  Click Next.




  1. For users and Groups, I will accept the default of “All” and click Next.





  1. I will enable the top to options around requiring a user to have justification to change a classification and requiring them to apply a label to their documents.  When you are satisified, click Next.





  1. I will not be applying this label by default to documents.  Again, I want to be very specific in my testing and avoid “test creep”.  I will accept the default of “None” and click Next.






  1. Again, I will not be applying this label by default to emails.  I will accept the default of “None” but require them to apply the label to emails.  Click Next.





  1. For Power BI labeling, accept the default and click Next.
  2. I will use the same name and description of “Confidential-SSNs” that I applied to my label.  This will simplify any troubleshooting between the label and policy.  Click Next when you are ready.
  3. Finally, review your published label, and click Submit.  Then click Done.





  1. With your label created and published, you can


Add a Label Policy

  1. Go to a file in your test account’s OneDrive.  I will be using a Word file named “1-MB-Test-SSN-1-MIP”.
  2. You will be prompted to add a label once your label is published to your tenant.   You will not be able to modify your document until you add a label.






  1. Click Select Label on the right and select you the label you want and click OK.  I will be choosing the Confidential-SSNs label created earlier.





  1. If the prompt mentioned above does not appear, you can add a label in by going to the Word Tool bar, on the right, click on Sensitivity.





  1. Select your label you create earlier. Remember, if you are not seeing your label, you might have to wait longer to have it appear.
  2. Once you have added your label you are not ready to move to the testing of Information Protection in the next section.


Testing Information Protection Policy

Now we will email this label filed to a non-approved user.


  1. Open your O365 email client.
  2. Create an email and attach a the file to which you have applied your Information Protection label. want.  I am emailing an external ‘gmail’ address who is not approved to view my test file.  When you are ready, click Send.
  3. Go to your recipient test email.  I am using an external ‘gmail’ address for my testing.  In the email click on Read the message.





  1. You will be asked to sign in with your credentials or with a One-time passcode.  I will be using the passcode option.





  1. Once you’ve clicked the Sign in with a One-time passcode, you will be sent an email with the code.





  1. Enter your code and you should see the following message stating You don’t have permission to view this message.




  1. You have now completed your initial testing of your Information Protection.  You are now ready move to the next part of this blog.


Appendix and Links













Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such.  Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

Version history
Last update:
‎Nov 03 2022 09:54 AM
Updated by: