Sensitivity labels in the Microsoft Purview Data Map FAQ

This article lists frequently asked questions about sensitivity labeling in the Microsoft Purview Data Map, with their answers and links to more information as needed.

Important

Labeling in the Microsoft Purview Data Map is currently in PREVIEW. The Supplemental Terms of Use for Microsoft Azure Previews include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Licensing and setup

What are the licensing requirements to use sensitivity labels on files and database columns in the Microsoft Purview Data Map?

To use sensitivity labels in the Microsoft Purview Data Map, you'll need at least one Microsoft 365 license/account within the same Azure Active Directory (Azure AD) tenant as your Microsoft Purview account.

The following Microsoft 365 licenses are required to automatically apply sensitivity labels to your assets in Microsoft 365 and the Microsoft Purview Data Map:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5 Compliance
  • Microsoft 365 E5/A5/G5 Information Protection, and Governance
  • Office 365 E5, Enterprise Mobility + Security E5/A5/G5, and AIP Plan 2

For more information, see Microsoft 365 service descriptions.

If my organization has multiple Microsoft Purview Data Map accounts within an Azure AD tenant, do I need to manually extend labels to each account separately?

No. When you extend sensitivity labels to the Microsoft Purview Data Map, those labels are extended to all the accounts in your tenant.

My organization already uses sensitivity labels for Office documents and emails. What is the impact of extending these labels to the Microsoft Purview Data Map? Will it affect my existing setup for Microsoft Purview Information Protection?

Extending the labels to the data map doesn't affect your existing setup for Microsoft Purview Information Protection or modify your assets in any way, including files and databases.

  • When you extend sensitivity labels to the Microsoft Purview Data Map, your Microsoft Purview Information Protection setup will continue to work in the same way as before.
  • Extending the sensitivity labels to the data map allows Microsoft Purview to apply those labels to your Azure and multi-cloud assets in the Microsoft Purview Data Map. The data map is a metadata store and can be deleted by you at any time, and you can browse it using the Microsoft Purview data catalog.
  • Sensitivity labels are applied only to the asset metadata in the Microsoft Purview Data Map and aren't applied to the actual files and database columns. These sensitivity labels don't modify your files and databases in any way.

Classifications vs sensitivity labels

What is the difference between classifications and sensitivity labels?

The following table lists the differences between classifications and sensitivity labels:

Comparison Classifications Sensitivity labels
Definition Classifications are regular expressions or patterns that can help identify data types that exist inside an asset. Sensitivity labels are tags that allow organizations to categorize data based on business impact, while abstracting the type of data from the user.
Examples Social Security Number, Drive license number, Bank account number, etc. Highly confidential, Confidential, General, Public, etc.
Scope The scope of classifications applied to an asset is limited to the Microsoft Purview Data Map where the classifications were applied. If the data moves to an asset managed by another Microsoft Purview Data Map, classifications applied in the original location aren't visible in the new location. Sensitivity labels applied on an asset travel with the data no matter where the data goes. For example, this means that sensitivity labels applied to a file in Microsoft Purview Information Protection are automatically visible and remain applied to the file, even if it moves to Azure, SharePoint, or Teams.
Scan Process Scanning an asset in the Microsoft Purview Data Map looks for both system-defined and user-defined (custom) classifications in your data. If found, classifications are added in the Microsoft Purview map for the scanned asset. If you have sensitivity labels extended to the Microsoft Purview Data Map and autolabeling rules defined, scanning an asset in the Microsoft Purview Data Map applies the labels to assets in the catalog based on the classifications found in the scan.
Authoring environment Custom classifications and classification rules can be created in the Microsoft Purview Governance Portal. You can also create custom classifications in Microsoft Purview Information Protection. However, we don't yet support importing them to the Microsoft Purview Data Map. Manage sensitivity labels using the Microsoft Purview compliance portal.
Assignment Limits Assets can have no classifications, or one or more classifications assigned. Each asset can have only one sensitivity label.
Asset application workflow You can use the Microsoft Purview data catalog to manually add or modify classifications that are assigned to an asset. In the Microsoft Purview Data Map, sensitivity labels are automatically assigned to assets based on classifications found. Applying labels manually in the Microsoft Purview Data Map isn't currently supported.
More Information Learn more about classifications. Learn more about sensitivity labels.

Are classifications and Sensitive Information Types (SITs) the same thing?

While classifications and SITs are fundamentally the same things, classifications are a Microsoft Purview Data Map concept and SITs are a Microsoft Purview Information Protection concept. Both classifications and SITs are used by their respective services to identify the type of data found in an asset.

I've created a custom Sensitive Information Type (SIT) in Microsoft Purview Information Protection and used it in my autolabeling rules for schematized data assets. Can I use this custom SIT in the Microsoft Purview Data Map?

No, custom sensitive information types are not supported in the Microsoft Purview Data Map at this time. The Microsoft Purview Data Map currently only supports Microsoft Purview Information Protection built-in sensitive information types.

Labeling capabilities in the Microsoft Purview Data Map

Only compliance administrators, global administrators of the tenant, or a custom role that has access to the Set-PolicyConfig cmdlet can enable labels for the Microsoft Purview Data Map. To verify whether an administrator has extended labeling to the Microsoft Purview Data Map, connect to Exchange Online PowerShell and run the Get-PolicyConfig cmdlet. For example:

Get-PolicyConfig | format-list Purview*

When labeling has been extended to the Microsoft Purview Data Map, you'll see True for the PurviewLabelConsent parameter and a timestamp indicating when consent was activated and an ObjectId of who activated consent.

PurviewLabelConsent        : True
PurviewLabelConsentCaller  : d8675309-1111-2222-3333-1234567890ab
PurviewLabelConsentTime    : 9/28/2021 6:04:45 PM
PurviewLabelConsentDetails : {"Consent":true,"Caller":"d8675309-1111-2222-3333-1234567890ab","Time":"9/28/2021 6:04:45 PM"}

When labeling has not been extended, you'll see False for PurviewLabelConsent like the example below:

PurviewLabelConsent        : False
PurviewLabelConsentCaller  : 
PurviewLabelConsentTime    : 
PurviewLabelConsentDetails :

This is different than auditing the action of adding the Microsoft Purview Data Map to the scope of a sensitivity label. That activity can be found in the unified audit logs. For example,

Search-UnifiedAuditLog -Operations "Set-Label" -StartDate 10/05/2021 -EndDate 10/16/2021

For more information, see Search the audit log in the Microsoft Purview compliance portal.

Which data sources can I apply sensitivity labels to in the Microsoft Purview Data Map?

You can apply sensitivity labels to all the data sources listed under Supported data sources for sensitivity labels in the Microsoft Purview Data Map.

Can I manually label an asset, or manually modify or remove a label in the Microsoft Purview Data Map?

The Microsoft Purview Data Map supports automatic labeling only. Labels are automatically applied to assets in the data map based on the classifications found on the assets and the autolabeling rules for the labels.

The Microsoft Purview Data Map doesn't currently support manually applying a label, modifying, or removing a label from an asset.

Can automatic labeling apply to assets that may include credential content?

The Microsoft Purview Data Map currently doesn't support scanning for credentials. When the Data Map supports scanning for credentials, you should be able to apply labels based on credentials found.

Can I apply encryption and/or content marking to files in the Microsoft Purview Data Map, as I can for Office documents and emails?

No, although the sensitivity label might be configured for these protection actions, we don't currently support encryption and content marking for files in the Microsoft Purview Data Map.

Which file types can I apply sensitivity labels to in the Microsoft Purview Data Map?

Does the Microsoft Purview Data Map support data loss prevention?

No, the Microsoft Purview Data Map doesn't currently provide data loss prevention (DLP) capabilities. Data Loss Prevention is currently supported only for Microsoft 365 apps and services.

Access and roles

Where can I manage my sensitivity labels?

Sensitivity labels are managed only in the Microsoft Purview compliance portal. For more information, see How to create sensitivity labels in Microsoft Purview Information Protection.

Support for managing sensitivity labels within the Microsoft Purview governance portal isn't currently available.

Who can manage sensitivity labels in the Microsoft Purview compliance portal?

The following built-in admin roles include permissions to manage sensitivity labels in the compliance portal:

  • Global Administrator
  • Compliance Administrator

For more information, see Permissions required to create and manage sensitivity labels. After you have compliance and global administrators configured, those administrators can give access to individual users.

Who can search and browse assets with sensitivity labels in the Microsoft Purview Data Catalog?

All users with at least data reader access to the Microsoft Purview Data Map have permissions to search and browse assets with sensitivity labels in the data catalog.

Who can view the sensitivity label insights report in Microsoft Purview Data Estate Insights?

All users with at least data reader access to the Microsoft Purview Data Map have permissions to view sensitivity label insights reports in Microsoft Purview Data Estate Insights.

Technical details

Do the Microsoft Purview Data Map and Microsoft Purview Information Protection use the same classification engine?

Yes, both Microsoft Purview Data Map and Microsoft Purview Information Protection use the same classification engine.

Does the Microsoft Purview Data Map scan an entire asset when applying automatic labels to the database columns?

The Microsoft Purview scanner samples files as follows:

  • For structured file types, the Microsoft Purview Data Map samples 128 rows in each column or 1 MB, whichever is lower.
  • For document file formats, the Microsoft Purview Data Map samples 20 MB of each file.
  • If a document file is larger than 20 MB, the document isn't subject to a deep scan or classification. In such cases, the Microsoft Purview Data Map captures only basic meta-data like file names and fully qualified names.

If there are multiple sensitivity labels that meet the classification criteria, which label is applied?

Sensitivity labels have a priority 'order' and the Microsoft Purview Data Map uses this order to assign labels. If there are multiple labels meeting the classification criteria, the Microsoft Purview Data Map selects the label with the highest order.

For more information, see Label priority order matters.

SQL data discovery and classification

Why does Microsoft support two classification experiences for SQL databases – 'Microsoft Purview' and 'SQL data discovery and classification'?

Microsoft Purview provides a classification and labeling experience for all your Azure assets including SQL databases. Microsoft Purview is intended for organizations that want to manage their entire data estate in a single place with the power of classification, labeling, alerting, and more. Microsoft Purview uses sensitivity labels, which have a global scope and travel with your data no matter where it moves to or what it transforms into.

In contrast, SQL data discovery and classification is built into SQL. SQL data discovery and classification existed before Microsoft Purview as a way to provide basic capabilities for discovering, classifying, labeling, and reporting the sensitive data in your SQL databases. SQL data discovery and classification use local labels that don't have a global scope and don't support sensitivity labels.

I applied labels in SQL data discovery and classification. Why are these labels not showing up on my asset in Microsoft Purview?

SQL classification uses local labels, while Microsoft Purview uses sensitivity labels. Labels applied in the SQL classification experience won't show up in Microsoft Purview. For more information, see Labeling for SQL databases.