Automatically label your data in Azure Purview

This article describes how to create Microsoft Information Protection (MIP) sensitivity labels, and automatically apply them to your Azure assets in Azure Purview.

What are sensitivity labels?

To get work done, people in your organization collaborate with others both inside and outside the organization. Data doesn't always stay in your cloud, and often roams everywhere, across devices, apps, and services.

When your data roams, you want it to do so in a secure, protected way that meets your organization's business and compliance policies.

Applying sensitivity labels enables you to state how sensitive certain data is in your organization. For example, a specific project name might be highly confidential within your organization, while that same term is not confidential to other organizations.

Sensitivity labels in Azure Purview

In Purview, classifications are similar to subject tags, and are used to mark and identify data of a specific type that's found within your data estate during scanning.

Purview uses the same classifications, also known as sensitive information types, as Microsoft 365. MIP sensitivity labels are created in the Microsoft 365 Security and Compliance Center (SCC). This enables you to extend your existing sensitivity labels across your Azure Purview assets.

Classifications are matched directly, such as a social security number, which has a classification of Social Security Number.

In contrast, sensitivity labels are applied when one or more classifications and conditions are found together. In this context, conditions refer to all the parameters that you can define for unstructured data, such as proximity to another classification, and % confidence.

Sensitivity labels in Azure Purview can be used to automatically apply labels to files and database columns.

For more information, see:

What are auto-labeling rules?

Your data is constantly growing and changing. Tracking the data that is currently unlabeled, and taking action to manually apply labels is not only cumbersome, but is also an unnecessary headache.

Auto-labeling rules are conditions that you specify, stating when a particular label should be applied. When these conditions are met, the label is automatically assigned to the data, retaining consistent sensitivity labels on your data, at scale.

When you create your labels, make sure to define auto-labeling rules for both files and database columns to apply your labels automatically with each data scan.

After scanning your data in Purview, you can view the labels automatically applied in the Purview Catalog and Insight reports.

Supported data types for sensitivity labels in Azure Purview

Sensitivity labels are supported in Azure Purview for the following data types:

| Data type | Sources |
| --- | --- |
| Automatic labeling for files | Azure Blob Storage; Azure Data Lake Storage Gen 1 and Gen 2 |
| Automatic labeling for database columns | SQL Server; Azure SQL Database; Azure SQL Database Managed Instance; Azure Synapse; Azure Cosmos DB |

For more information, see Labeling for SQL database columns below.

Labeling for SQL database columns

In addition to Purview labeling for database columns, Microsoft also supports labeling for SQL database columns using the SQL data classification in SQL Server Management Studio (SSMS). While Purview uses the global MIP sensitivity labels, SSMS only uses labels defined locally.

Labeling in Purview and labeling in SSMS are separate processes that do not currently interact with each other. Therefore, labels applied in SSMS are not shown in Purview, and vice versa. We recommend Azure Purview for labeling SQL databases, as it uses global MIP labels that can be applied across multiple platforms.

For more information, see the SQL data discovery and classification documentation.
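
Because labels applied through SQL data classification are not shown in Purview, it helps to inventory them in each database before you rely on Purview labels. The following queries are an added example, not part of the original article; they assume SQL Server 2019 or later or Azure SQL Database, where the `sys.sensitivity_classifications` catalog view is available.

```sql
-- Added example: inventory the column labels applied locally through
-- SQL data classification (SSMS or T-SQL). These labels are stored in the
-- database itself and, as described above, do not appear in Purview.

-- 1. Columns that already carry a locally defined label.
SELECT
    s.name              AS schema_name,
    o.name              AS table_name,
    c.name              AS column_name,
    sc.label            AS local_label,
    sc.information_type AS information_type
FROM sys.sensitivity_classifications AS sc
JOIN sys.objects AS o
    ON o.object_id = sc.major_id
JOIN sys.schemas AS s
    ON s.schema_id = o.schema_id
JOIN sys.columns AS c
    ON c.object_id = sc.major_id
   AND c.column_id = sc.minor_id
ORDER BY s.name, o.name, c.column_id;

-- 2. How many columns each local label covers, to plan the mapping
--    from local labels to global MIP labels.
SELECT
    sc.label AS local_label,
    COUNT(*) AS labeled_columns
FROM sys.sensitivity_classifications AS sc
GROUP BY sc.label
ORDER BY labeled_columns DESC;

-- 3. User-table columns with no local label at all. After a Purview scan,
--    compare this list with the labels Purview applied to the same columns.
SELECT
    s.name AS schema_name,
    t.name AS table_name,
    c.name AS column_name
FROM sys.columns AS c
JOIN sys.tables AS t
    ON t.object_id = c.object_id
JOIN sys.schemas AS s
    ON s.schema_id = t.schema_id
LEFT JOIN sys.sensitivity_classifications AS sc
    ON sc.major_id = c.object_id
   AND sc.minor_id = c.column_id
WHERE sc.major_id IS NULL
  AND t.is_ms_shipped = 0
ORDER BY s.name, t.name, c.column_id;
```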

How to create sensitivity labels in Microsoft 365

If you don't already have sensitivity labels, you'll need to create them and make them available for Azure Purview. Existing sensitivity labels can also be modified to make them available for Azure Purview.

For more information, see:

Licensing requirements

MIP sensitivity labels are created and managed in the Microsoft 365 Security and Compliance Center. To create sensitivity labels for use in Azure Purview, you must have an active Microsoft 365 E5 license.

If you do not already have the required license, you can sign up for a trial of Microsoft 365 E5.

Extending sensitivity labels to Azure Purview

By default, MIP sensitivity labels are only available for assets in Microsoft 365, where you can apply them to files and emails.

To apply MIP sensitivity labels to Azure assets in Azure Purview, you must explicitly consent to extending the labels, and select the specific labels that you want to be available in Purview.

By extending MIP’s sensitivity labels with Azure Purview, organizations can now discover, classify, and get insight into sensitivity across a broader range of data sources, minimizing compliance risk.

Note

Because Microsoft 365 and Azure Purview are separate services, they may be deployed in different regions. Label names and custom sensitive information type names are considered customer data, and are kept within the same GEO location by default to protect the sensitivity of your data and to avoid violating GDPR laws.

For this reason, labels and custom sensitive information types are not shared to Azure Purview by default, and require your consent to use them in Azure Purview.

To extend sensitivity labels to Purview:

In Microsoft 365, navigate to the Information Protection page. In the Extend labeling to assets in Azure Purview area, select the Turn on button, and then select Yes in the confirmation dialog that appears.

For example:

Select Turn on to extend sensitivity labels to Purview

Once you extend labeling to assets in Azure Purview, you can select the labels that you want to make available in Purview. For more information, see Creating new sensitivity labels or modifying existing labels.

Creating new sensitivity labels or modifying existing labels

  1. Open the Microsoft 365 Security and Compliance Center.

  2. Under Solutions, select Information protection, then select Create a label.

    Create sensitivity labels in the Microsoft 365 Security and Compliance Center

  3. Name the label. Then, under Define the scope for this label, select Files and emails and Azure Purview assets.

    Create your label in the Microsoft 365 Security and Compliance Center

  4. Follow the rest of the prompts in the wizard for your label settings.

    Specifically, define auto-labeling rules for files and database columns:

    For more information about wizard options, see What sensitivity labels can do in the Microsoft 365 documentation.

  5. Repeat the steps listed above to create more labels.

    To create a sublabel, select the parent label > ... > More actions > Add sub label.

  6. To modify existing labels, browse to Information Protection > Labels, and select your label.

    Then select Edit label to open the Edit sensitivity label wizard again, with all of the settings you'd defined when you created the label.

    Edit an existing sensitivity label

  7. When you're done creating all of your labels, make sure to view your label order, and reorder them as needed.

    To change the order of a label, select ... > More actions > Move up or Move down.

    For more information, see Label priority (order matters) in the Microsoft 365 documentation.

Important

Do not delete a label unless you understand the impact for your users.

For more information, see Removing and deleting labels in the Microsoft 365 documentation.

Continue by scanning your data to apply labels automatically, and then:

Define auto-labeling rules for files

Define auto-labeling rules for files in the wizard when you create or edit your label.

On the Auto-labeling for Office apps page, enable Auto-labeling for Office apps, and then define the conditions where you want your label to be automatically applied to your data.

For example:

Define auto-labeling rules for files in the Microsoft 365 Security and Compliance Center

For more information, see Apply a sensitivity label to data automatically in the Microsoft 365 documentation.

Define auto-labeling rules for database columns

Define auto-labeling rules for database columns in the wizard when you create or edit your label.

Under the Azure Purview assets (preview) option:

  1. Select the Auto-labeling for database columns slider.

  2. Select Check sensitive info types to choose the sensitive info types you want to apply to your label.

For example:

Define auto-labeling rules for SQL columns in the Microsoft 365 Security and Compliance Center

Scan your data to apply labels automatically

Scan your data in Azure Purview to automatically apply the labels you've created, based on the auto-labeling rules you've defined.

For more information on how to set up scans on various assets in Azure Purview, see:

| Source | Reference |
| --- | --- |
| Azure Blob Storage | Register and Scan Azure Blob Storage |
| Azure Data Lake Storage | Register and scan Azure Data Lake Storage Gen1; Register and scan Azure Data Lake Storage Gen2 |
| Azure SQL Databases | Register and scan an Azure SQL Database; Register and scan an Azure SQL Database Managed Instance |

View labels on assets

Once you've defined auto-labeling rules for your labels in Microsoft 365 and scanned your data in Azure Purview, labels are automatically applied to your assets.

To view the labels applied to your assets in the Azure Purview Catalog:

In the Azure Purview Catalog, use the Label filtering options to show files with specific labels only. For example:

Search for assets by label

For example:

View a sensitivity label on a file in your Azure Blob Storage

View Insight reports for the classifications and sensitivity labels

Find insights on your classified and labeled data in Azure Purview using the Classification and Sensitivity labeling reports.