Automatically Classify & Protect Documents & Data | Microsoft Purview Information Protection
Published Mar 29 2023 09:29 AM 2,488 Views

Discover, classify, and protect sensitive information automatically, wherever it lives or travels with Microsoft Purview Information Protection. Built-in protections follow documents on mobile, in the browser, or as you coauthor them, with no add-ins required. Policy tips keep end users compliant without compromising productivity. 


Purview Main Pic.png

Tony Themelis, Principal Program Manager for Microsoft Information Protection, shows how to automate and enforce classifications through administrative controls, create labels, and put policies in place with Microsoft Purview Information Protection.


Protect sensitive content with watermarks as you present in Microsoft Teams. 

1- Watermark.png

See it here with Microsoft Purview Information Protection.


Create your own trainable classifiers.

2- Trainable Classifier.png

Identify categories of content, train your classifier for accuracy, and use it to protect your sensitive data. Check it out.


Use label policies.

3- Auto label.png

Publish sensitive information labels to Office apps, Sharepoint sites, and Office 365 groups. Get started here.


Watch our video here.



00:00 — Introduction 

01:10 — Built-in data classification 

02:23 — Universal classification engine 

03:23 — Admin controls 

05:07 — Trainable classifiers 

06:38 — How to configure labels 

07:56 — Label policies 

08:45 — Auto-labeling 

09:55 — Wrap up 


Link References: 

For more information, check out 

Watch our Microsoft Purview series at


Unfamiliar with Microsoft Mechanics? 

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. 


Keep getting this insider knowledge, join us on social: 

Video Transcript:

-Did you know that Microsoft Purview Information Protection can automatically classify and label sensitive documents in real-time as you work on them? Here I’ve pasted in sensitive information, and that triggers a policy tip. This is because there are policies in place to detect sensitive content. The label has been picked for me so I don’t need to do this manually. And when I click on show sensitive content, I see the matching data it found in my document. And I can apply the sensitivity label. Then as I save the document, you’ll see the corresponding protections with a watermark have been applied. The sensitivity label is placed front and center on the top of the document. And because the experience is built into the service, protections follow the sensitive content wherever it travels, including on mobile platforms or in the browser, even as you co-author, where protections can be elevated if more sensitive content is added. No add-ins are required. Even if I choose to save the document as a PDF file, the labels and protections are automatically transferred to it as you can see here in Adobe Acrobat. 


-As you saw, instead of manually labeling content before you save or share it, which is easy to forget to do, you are guided to make sure that labels are assigned to sensitive information in the flow of your work to activate the appropriate level of protection to the content you’re working on. In fact, data classification is built-in across Microsoft 365 app experiences, making it easy to protect your data while working in Excel or building presentations using PowerPoint. And these labels persist as you share content. For example, even if you attach a confidential file to an Outlook email with a lower sensitivity label, the email message will automatically inherit the attachment’s label. 


-Watermarks can also be applied to camera feeds and shared content in Microsoft Teams based on the classification you assign to your meeting. And at the container level, for SharePoint sites and Microsoft Teams with sensitivity labels applied, you’re able to universally classify and protect content stored in those locations. With data classification in place, you’re able to keep productive and have access to the information you need while keeping your sensitive data protected. And its Microsoft Purview Information Protection that makes all of this possible. Once enabled, it can automatically discover, classify, and apply the right protections to sensitive information. And those classifications and protections persist wherever the content lives or travels. 


-Importantly, Microsoft Purview Information Protection provides a universal classification engine where the same content labels are respected across Microsoft’s portfolio of data governance and security solutions, from Data Loss Prevention, eDiscovery, Insider Risk Management, our threat detection response solutions with Microsoft Defender and Microsoft Sentinel, to databases, tables, or other structured and semi-structured data containing your sensitive information types in the Microsoft Cloud via Microsoft Purview Data Map. And as you saw before, labels are even respected by non-Microsoft apps like Adobe Acrobat. 


-Everything I’ve shown you can be automated and enforced through administrative controls. In fact, as an information protection admin, you are in control of what classification labels users see, which labels get automatically applied, and their corresponding protections. This all starts with knowing your data so that you understand what sensitive information exists, where it lives, and how much of your data has been classified with labels. The data classification overview in the Microsoft Purview compliance portal provides the strongest starting point. Under the covers, the classification service uses built-in sensitive information types along with trainable classifiers to surface sensitive content without you having to do any upfront work. More on that in a moment. Here you’ll find a 360-degree view of all your sensitive information. You can see the most common sensitive information types, as well as how users may be using sensitivity labels, with the top ranked labels in use across your data estate. 


-The Activity Explorer gives you an itemized list of activities performed against your sensitive content. And you can dig deeper on where your sensitive information and label content reside using the Content Explorer. This lets you search for or drill into specific locations and find where the most policy matches are. In fact, you can easily navigate all the way down to a specific folder to find a list of files along with their labels, then even drill in further to see a list of all the matches, and from there, even preview the file itself right in context. And then the Contextual Summary tab will even highlight the matching items within the content. 


-Next, let’s take a closer look at the classification service itself, which as I mentioned makes sensitive information discovery possible. First, there are trainable classifiers. These identify specific categories of content like budgets, HR records, medical forms, source code, and more. You have full control to use these built-in trainable classifiers without modification and train them for more accuracy or you can create your own trainable classifiers specific to match your business, industry, or regulations using our built-in wizard with your own seed content. 


-Next, sensitive info types help identify sensitive text within the files, emails, and chat conversations themselves. Things like bank account numbers, credentials, medical terms, addresses, ID numbers, person names, and more. There are more than 300 built-in sensitive information types that meet the needs of most industries, regions, and regulations. And of course, you can also create your own. If you need an exact data match or EDM, you can also leverage classifiers that use exact values to detect matches instead of generic patterns to find information that is cross-referenced from lists of information with up to one million records, for things like your product code names, employee lists, client data, and more. 


-With your sensitive information defined, you can specify when labels get applied along with the corresponding protections. In fact, you can configure labels to get automatically or manually applied with their associated policies. In the Microsoft Purview Compliance Portal under Information Protection, under Labels, I already have a few sensitivity labels built to help classify email messages, documents, sites, and more. To create a label, you start with a name and set of descriptions. And from there, you can choose where the label applies. You can see files, emails, meetings, even schematized data assets which apply if you’re using data catalog environments like Microsoft Purview Data Map. 


-Next, you can specify corresponding protections for labeled items, like encryption or the markings you saw before with the watermarks, headers, and footers. Based on your selections, you can choose the details for each protection type. For example, encryption details, what text appears in your watermark, and the conditions that need to be met to automatically apply labels. Beyond the file level, you are prompted to define protections for groups and sites. And finally, here’s where you would define where labels are applied if you’re using Microsoft Purview Data Map. And once you’ve created a few labels, you can define their order or sequence from lowest to highest privileged. 


-Next, Label Policies allow you to publish labels to Office apps, SharePoint sites, and Office 365 groups. And once they’re published, within the apps themselves, you can also manually apply the labels to protect your content. Label Policies let you define how you scope labels to either role-based admin units, which are a container or collection, that can include multiple groups, users, or devices, or you can individually select these as users and groups. In the Policy Settings, you have other granular options. You can require a business justification or enforce the application of labels before saving files, creating meetings, sending emails, or building Power BI content. Once you name and submit your Label Policies, you are done. They’re now active. 


-Finally, Auto-Labeling extends label controls at the service level to automatically apply sensitivity labels to email messages or OneDrive and SharePoint files that contain sensitive information. You can see that I’ve got a few policies already created to auto-label files with credit card information. I’ll create a new policy. And here you can choose an industry regulation to see the policy templates you can use to classify that information or create a custom policy to start from scratch. And once you give it a name, you can choose the workloads this policy will cover, for Exchange, SharePoint, and OneDrive, as well as the policy rules that define what content the label is applied to. Then you select the corresponding label we saw earlier that we want to apply. And importantly, if you want to gauge how impactful this policy will be prior to enabling it, you can run it in simulation mode before turning it on. And so with these policies in place, labels will now be automatically applied where specified. The rules that you set for manual labeling will also be enforced and you’re all set. 


-So that was a quick overview of Microsoft Purview Information Protection to help you automatically discover, classify, and ultimately protect your sensitive information wherever it lives or travels. To learn more, check out Of course, with content classification in place, you can proactively apply additional data governance protections that are predicated off assigned content labels with Microsoft Purview solutions like data loss prevention or adaptive protection that evolves based on the risk profile of your users, which you can learn more about in our series at Thanks for watching.

Version history
Last update:
‎Mar 29 2023 09:29 AM
Updated by: