The only way to really know if we’re a good fit is to get in touch, so let’s have a chat! One of our friendly experts will get straight back to you. You never know, this could be the beginning of a great partnership.


+ 27 (0) 10 591 2323

information protection

Getting started with Microsoft Purview Information Protection

Information Protection is one of the cornerstones of Microsoft’s “Purview” capabilities. As a concept, it straddles both security and compliance to protect data in transit, at rest, and in use across various environments and platforms.

In practice (for Microsoft-based organisations) ‘information protection’ revolves around defining and applying Office 365 security labels (better known as sensitivity labels) to content in order to appropriately restrict how that content is handled. Encryption, access restrictions, usage limitations, and internal or external sharing boundaries are all examples of commonly used controls.

Why are Office 365 security labels important?

Sensitivity labels enable you to classify and protect your organisation’s data to in order to prevent personal or confidential information from reaching unauthorised eyes. That’s obviously critically important in this highly regulated day and age, but it’s not the only important thing sensitivity labels can do.

Implemented strategically, sensitivity labels can also play a powerful role in reinforcing a security and compliance-conscious organisational culture. Acting as a visual cue for users interacting with potentially sensitive documents, labels are valuable reminder to keep security and compliance policies in mind at all times.

Equally important is sensitivity labels’ ability to enforce these critical policies – without impacting user productivity or (appropriate) collaboration – regardless of where data is stored. This ties in very closely with the latest data governance and access control best practices, which are increasingly focussed on managing data types rather than data locations.

What do sensitivity labels control?

Sensitivity labels can be configured to:

    • Encrypt content to prevent unauthorised access.
    • Control which users/groups have access to specific content, which actions they may perform on that content, and how long their access will last.
    • Apply watermarks, headers or footers to emails, meeting invites or documents. (Watermarks cannot be applied to emails or meeting invites.)
    • Protect content in containers like sites and groups (when enabled for Microsoft Teams,
      Microsoft 365 groups and SharePoint sites).
    • Be automatically applied to files and emails, or prompt users to apply a recommended label via a policy tip.
    • Set the default scope and permissions (sharing link type) for sharing documents from
      SharePoint sites and OneDrive.
    • Protect content in third-party apps and services (via Microsoft Defender for Cloud Apps).

Who decides what labels are required?

Defining sensitivity labels is not a one-person job. It takes representatives from across the business to adequately define what constitutes sensitive information within each context, and agree on what would be considered breach.

Once these definitions are clear, they can be translated by a smaller team into a set of labels that achieve the desired protections.

(These will need to be reviewed regularly to remain relevant to evolving threats and regulatory requirements.)

What is the difference between DLP/sensitivity labels in Microsoft 365 E3 and E5?

Sensitivity labels are available on both E3 and E5 licences, but there are some important differences in the capabilities provided. (Correct at time of publication – read the latest from Microsoft, here.)

information protection

What can go wrong when implementing sensitivity labels?

Like all IT projects, sensitivity labels require a combination of people, process and technology for success. Each of these facets has its own challenges to keep in mind.

On the people side, getting to grips with a whole new world of labelling can be disruptive and
annoying to users. A strong change management programme that focusses on explaining the what, why and how is important to minimise this disruption and expedite success timelines.

On the process side, you’ll also find sensitivity labelling deployments need regular attention. We recommend ongoing monitoring to assess how well your labels are working, review any alerts, tweak configurations and re-educate users if necessary.

You’ll also want to stay on top of technology updates and the latest developments in both threats and emerging capabilities. Like most security and compliance-related projects, DLP is not a silver bullet. Shifting goal posts and evolving threat landscapes make ongoing monitoring, review and improvement a necessity for the foreseeable future.

Confidence to advance your compliance journey with Microsoft.

Our team combines Microsoft certified technicians and extraordinarily tech-savvy legal and risk experts.