Deploy an information protection solution with Microsoft Purview

Licensing for Microsoft 365 Security & Compliance

Your information protection strategy is driven by your business needs. Many organizations must comply with regulations, laws, and business practices. Additionally, organizations need to protect proprietary information, such as data for specific projects.

Microsoft Purview Information Protection (formerly Microsoft Information Protection) provides a framework, process, and capabilities you can use to protect sensitive data across clouds, apps, and devices.

To see examples of Microsoft Purview Information Protection in action, from the end-user experience to the admin configuration, watch the following video:

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Microsoft Purview Information Protection framework

Use Microsoft Purview Information Protection to help you discover, classify, protect, and govern sensitive information wherever it lives or travels.

Microsoft Purview Information Protection solution overview

For data governance, see Deploy a data governance solution with Microsoft Purview.

Licensing

Microsoft Purview Information Protection capabilities are included with Microsoft Purview. The licensing requirements can vary even within capabilities, depending on configuration options. To identify licensing requirements and options, see the Microsoft 365 guidance for security & compliance.

Know your data

Know your data for Microsoft Purview Information Protection solution overview

Knowing where your sensitive data resides is often the biggest challenge for many organizations. Microsoft Purview Information Protection data classification helps you to discover and accurately classify ever-increasing amounts of data that your organization creates. Graphical representations help you gain insights into this data so you can set up and monitor policies to protect and govern it.

Step Description More information
1 Describe the categories of sensitive information you want to protect.

You already have an idea of what types of information are most valuable to your org and what types aren't. Work with stakeholders to describe these categories that are your starting point.
Learn about sensitive information types

Learn about trainable classifiers

2 Discover and classify sensitive data.

Sensitive data in items can be found by using many different methods that include default DLP policies, manual labeling by users, and automated pattern recognition using sensitive information types or machine learning.
Learn about data classification

Video: Data classification in the Microsoft Purview compliance portal

3 View your sensitive items.

Use content explorer and activity explorer for a deeper analysis of sensitive items and the actions that users are taking on these items.
Get started with content explorer

Get started with activity explorer

Protect your data

Protect your data for Microsoft Purview Information Protection solution overview

Use the information from knowing where your sensitive data resides to help you more efficiently protect it. However, there's no need to wait—you can start to protect your data immediately with a combination of manual, default, and automatic labeling. Then, use content explorer and activity explorer from the previous section to confirm what items are labeled and how your labels are being used.

Step Description More information
1 Define your sensitivity labels and policies that will protect your organization's data.

In addition to identifying the sensitivity of content, these labels can apply protection actions such as content markings (headers, footers, watermarks), encryption, and other access controls.

Example sensitivity labels:
Personal
Public
General
- Anyone (unrestricted)
- All Employees (unrestricted)
Confidential
- Anyone (unrestricted)
- All Employees
- Trusted People
Highly Confidential
- All Employees
- Specific People

Example sensitivity label policy:
1. Publish all labels to all users in the tenant
2. Default label of General \ All Employees (unrestricted) for items
3. Users must provide a justification to remove a label or lower its classification
Get started with sensitivity labels

Create and configure sensitivity labels and their policies

Restrict access to content by using sensitivity labels to apply encryption
2 Label and protect data for Microsoft 365 apps and services.

Sensitivity labels are supported for Microsoft 365 Word, Excel, PowerPoint, Outlook, Teams meetings, and also containers that include SharePoint and OneDrive sites, and Microsoft 365 groups. Use a combination of labeling methods such as manual labeling, automatic labeling, a default label, and mandatory labeling.

Example configuration for client-side auto-labeling:
1. Recommend Confidential \ Anyone (unrestricted) if 1-9 credit card numbers
2. Recommend Confidential \ All Employees if 10+ credit card numbers
-- typical end user experience, and the user selects the button to show sensitive content (Word only)

Example configuration for service-side auto-labeling:
Apply to all locations (Exchange, SharePoint, OneDrive)
1. Apply Confidential \ Anyone (unrestricted) if 1-9 credit card numbers
2. Apply Confidential \ All Employees if 10+ credit card numbers
3. Apply Confidential \ Anyone (unrestricted) if 1-9 US personal data and full names
4. Apply Confidential \ All Employees if 10+ US personal data and full names
Manage sensitivity labels in Office apps

Enable sensitivity labels for files in SharePoint and OneDrive

Enable co-authoring for files encrypted with sensitivity labels

Configure a default sensitivity label for a SharePoint document library

Apply a sensitivity label to content automatically

Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites

Use sensitivity labels to protect calendar items, Teams meetings, and chat

Use sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive

Apply a sensitivity label to a model in Microsoft Syntex

Sensitivity labels in Power BI
3 Discover, label, and protect sensitive items that reside in data stores in the cloud (Box, GSuite, SharePoint, and OneDrive) by using Microsoft Defender for Cloud Apps with your sensitivity labels.

Example configuration for a file policy: Looks for credit card numbers in files stored in a Box account, and then applies a sensitivity label to identify the highly confidential info and encrypt it.
Discover, classify, label, and protect regulated and sensitive data stored in the cloud
4 Discover, label, and protect sensitive items that reside in data stores on premises by deploying the information protection scanner with your sensitivity labels. Configuring and installing the information protection scanner
5 Extend your sensitivity labels to Azure by using Microsoft Purview Data Map, to discover and label items for Azure Blob Storage, Azure files, Azure Data Lake Storage Gen1, and Azure Data Lake Storage Gen12. Labeling in Microsoft Purview Data Map

If you're a developer who wants to extend sensitivity labels to line-of-business apps or third-party SaaS apps, see Microsoft Information Protection (MIP) SDK setup and configuration.

Additional protection capabilities

Microsoft Purview includes additional capabilities to help protect data. Not every customer needs these capabilities, and some might be superseded by more recent releases.

Refer to the Protect your data with Microsoft Purview page for the full list of protection capabilities.

Prevent data loss

Prevent data loss for Microsoft Purview Information Protection solution overview

Deploy Microsoft Purview Data Loss Prevention (DLP) policies to govern and prevent the inappropriate sharing, transfer, or use of sensitive data across apps and services. These policies help users make the right decisions and take the right actions when they're using sensitive data.

Step Description More information
1 Learn about DLP.

Organizations have sensitive information under their control, such as financial data, proprietary data, credit card numbers, health records, and social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).
Learn about data loss prevention
2 Plan your DLP implementation.

Every organization will plan for and implement data loss prevention (DLP) differently, because every organization's business needs, goals, resources, and situation are unique to them. However, there are elements that are common to all successful DLP implementations.
Plan for data loss prevention
3 Design and create a DLP policy.

Creating a data loss prevention (DLP) policy is quick and easy, but getting a policy to yield the intended results can be time consuming if you have to do a lot of tuning. Taking the time to design a policy before you implement it gets you to the desired results faster, and with fewer unintended issues, than tuning by trial and error alone.

Example configuration for a DLP policy: Prevents emails being sent if they contain credit card numbers or the email has a specific sensitivity label that identities highly confidential info.
Design a DLP policy

DLP policy reference

Create and deploy data loss prevention policies

4 Tune your DLP policies.

After you deploy a DLP policy, you'll see how well it meets the intended purpose. Use that information to adjust your policy settings for better performance.
Create and deploy data loss prevention policies

Deployment strategies

The credit card number examples are often helpful for initial testing and end user education. Even if your organization doesn't typically need to protect credit card numbers, the concept of these being sensitive items that need protection is easily understood by users. Many websites provide credit card numbers that are suitable for testing purposes only. You can also search for sites that provide credit card number generators so that you can paste the numbers into documents and emails.

When you're ready to move your automatic labeling and DLP policies into production, change to classifiers and configurations that are suitable for the type of data used by your organization. For example, you might need to use trainable classifiers for intellectual property and specific types of documents, or exact data match (EDM) sensitive information types for privacy data that's related to customers or employees.

Or, you might want to start by discovering and protecting IT-related information that is frequently the target of security attacks. Then, supplement this by checking for and preventing the sharing of passwords with DLP policies for email and Teams chat:

  • Use the trainable classifiers IT and IT Infra and Network Security Documents
  • Use the built-in sensitive info type General Password and create a custom sensitive info type for "password is" for the different languages used by your users

Deploying an information protection solution isn't a linear deployment but iterative, and often circular. The more you know your data, the more accurately you can label it, and prevent data leakage. The results of those applied labels and policies flow into the data classification dashboard and tools, which in turn makes more sensitive data visible for you to protect. Or, if you're already protecting that sensitive data, consider whether it requires additional protective actions.

You can start to manually label data as soon as you've defined sensitivity labels. The same classifiers that you use for DLP can be used to automatically find and label more data. You can even use sensitivity labels as a classifier, for example, block sharing items that are labeled highly confidential.

Most customers already have some solutions in place to protect their data. Your deployment strategy might be to build on what you already have, or focus on gaps that offer the most business value or addresses high risk areas.

To help you plan your unique deployment strategy, reference Get started with sensitivity labels and Plan for data loss prevention.

Consider a phased deployment

You might prefer to deploy information protection by using a phased deployment that implements progressively restrictive controls. This approach gradually introduces new protection measures for users as you gain familiarity and confidence with the technology. For example:

  • From default labels and no encryption, to recommending labels that apply encryption when sensitive data is found, and then automatically applying labels when sensitive data is found.
  • DLP policies that progress from auditing oversharing actions, to more restrictive blocking with warning to educate users, and then blocking all sharing.

Details of such a phased deployment might look something like the following plan, where sensitivity labels and DLP policies become more integrated with each other to provide greater data protection than if they were used independently:

Conceptual graphic for a phased deployment where sensitivity labels and DLP policies become more integrated and the controls more restricted.

Sensitivity label configurations:

  • General\All Employees: Default label for email. No encryption. If applied on emails, block users from over-sharing.
  • Confidential\All Employees: Default label for documents. No encryption. If applied on emails, block users from over-sharing.
  • Highly Confidential\All Employees: No encryption. If applied on emails, block users from over-sharing.

DLP policy A:

  • If 1-2 instances of credit cards are found, block external sharing except if the item is labeled as Personal or Confidential\Anyone (unrestricted). Use logging and reporting for analysis.

DLP policy B:

  • If 3-9 instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives except if the item is labeled as Confidential\Anyone (unrestricted). Use logging and reporting for analysis.

DLP policy C:

  • If 10+ instances of credit cards are found, block external sharing, cloud egress, and copy to removable drives with no exceptions. Use logging and reporting for analysis.

Configuration details for this example phased deployment:

Training resources

Interactive guides: Microsoft Purview Information Protection

Learning modules for consultants and admins:

To help train your users to apply and use the sensitivity labels that you configure for them, see End-user documentation for sensitivity labels.

When you deploy data loss prevention policies for Teams, you might find the following end-user guidance useful as an introduction to this technology. It includes some potential messages that users might see: Teams messages about data loss prevention (DLP) and communication compliance policies.