Can I automatically encrypt all columns with a "sensitive" sensitivity label?


Hi, I'm using Purview to assign classifications and "sensitivity labels" (via the 365 Compliance Center integration) to data stored in an Azure SQL DB. At my company we wish to encrypt all columns that have a certain label. I plan to encrypt data using the Always Encrypted functionality. However, as far as I can tell, there is no way to let Azure know to automatically encrypt all columns which have a specific sensitivity label. Or is there?

 

If there isn't, then this means I have to manually select which columns to encrypt in each table in each schema in each database. My organization has more than 20 databases with hundreds of schemas and countless tables, so it will take a lot of time to manually select all columns to encrypt (not to mention time we'll have to spend manually making changes in response to changes in sensitivity labeling). Would be great if a column's sensitivity label could automatically determine whether encryption for that column is on or off. Almost seems strange that it wouldn't?

 

Is this possible? Am I perhaps approaching this the wrong way? Am I supposed to use a different approach to column encryption than the "Always Encrypted" method?

 

Any help or thoughts would be much appreciated. Thanks :)
