Understanding Sensitivity Labels & Data Loss Prevention (DLP) Policies

Audience

Faculty & Staff

Question

What is Microsoft Purview Data Loss Prevention, and what are Sensitivity Labels in M365?

Answer

Microsoft Purview Sensitivity Labels and Data Loss Prevention (DLP) policies help us protect sensitive information across Microsoft 365. These tools classify, label, and restrict access to files and emails based on their content — ensuring compliance and reducing risk.

What are Sensitivity Labels?

Sensitivity labels are applied to content in Microsoft 365 (Word, Excel, PowerPoint, Outlook, SharePoint, OneDrive, Teams) to indicate how sensitive the information is and what protections should be enforced. Labels can be applied manually by users or automatically by policies that detect sensitive information types (SITs).

Sensitivity labels are defined in M365 to follow data classification standards at Central Piedmont.

CPCC Defined Sensitivity Labels

| Label | Description | Application Method | Policy Restrictions |
|---|---|---|---|
| Public | For content that is non-sensitive and safe to share publicly (e.g., public website drafts). | Manually applied by user | None |
| Internal | For general internal use across Central Piedmont. | Automatically applied via policy | Informational only; no encryption or access restrictions. |
| Restricted | For content containing sensitive personal or financial data (e.g., SSNs, bank info, Colleague ID). | Automatically applied via policy | May trigger policy tips, block sharing, or require justification. |
| Highly Restricted | For highly sensitive content requiring encryption and strict access control. | Manually applied in M365 desktop applications (Word, Excel, etc.) | Encrypts files, blocks external sharing, and allows owners to define permissions. |

Note: Labels follow a hierarchy — Highly Restricted > Restricted > Internal > Public. Downgrading the label requires justification, which is logged and reviewed.

How Auto-Labeling Works

Microsoft Purview uses auto-labeling policies to apply sensitivity labels based on specific detection rules and content context. These policies evaluate documents and emails for certain parameters, which may include:

  • Presence of Sensitive Information Types (SITs) such as Social Security Numbers, bank account details, or Colleague IDs.
  • Location of the content — for example, the “Internal” label may be automatically applied to files simply because they exist within the Central Piedmont Microsoft 365 tenant.
  • Metadata and file properties — such as file type, author, or storage location.
  • User behavior or access patterns — in future phases, policies may consider who is accessing or sharing the content.

Auto-labeling helps ensure consistent classification without requiring manual intervention. It’s especially useful for identifying sensitive data that users may not realize needs protection.

Only two labels are currently being automatically applied by auto-labeling policies. 

1. Internal: This label is applied to all supported file types that are stored in Central Piedmont's M365 tenant. 

2. Restricted: This label is applied to all supported file types that contain any of the following defined sensitive information types (SITs): 

  • U.S. Bank Account Number
  • Credit Card Number
  • SWIFT Code
  • International Banking Account Number (IBAN)
  • U.S. Social Security Number (SSN)
  • U.S. Driver's License Number
  • U.S. Individual Taxpayer Identification Number (ITIN)
  • Colleague ID (w/ Full Name)

The Sensitive Information Types (SITs) used in our auto-labeling policies were selected for their relevance to regulatory compliance requirements. These data types, such as Social Security Numbers, bank account details, and taxpayer identification details, are governed by laws and standards like GLBA, HIPAA, FERPA, and PCI-DSS. Including them aligns our labeling and protection policies with legal obligations and institutional risk management.

Where to Find and Apply Sensitivity Labels

You can find sensitivity labels in most Microsoft 365 apps, including:

  • Word, Excel, PowerPoint (Desktop apps):
  1. Go to the Home tab.
  2. Look for the Sensitivity button in the ribbon.

Location of sensitivity labels in desktop applications

  • Word, Excel, PowerPoint (Web apps):
  1. Open the document in Word, Excel, or PowerPoint online.
  2. Look at the top center of the toolbar — the current sensitivity label will appear next to the file name.

Sensitivity label location in M365 web applications

  • Outlook (Desktop and Web):
    • When composing an email, select Sensitivity from the toolbar.

Sensitivity label location in Outlook

Manually Applying the Highly Restricted Label:

The Highly Restricted label can only be applied in M365 desktop applications. If you want to apply this label, you must open the file in a desktop app. When the label is selected, you are prompted to define permissions, such as view and edit rights.

Permissions dialog box

Downgrading a Label

While Microsoft Purview uses advanced detection rules and auto-labeling policies, labeling is not always perfectly accurate. Labels may be applied based on content context, metadata, or the presence of sensitive information types (SITs), but these triggers can sometimes misclassify a document.

If you believe a label has been incorrectly applied, you can downgrade it — but you’ll need to provide a justification.

How to Downgrade a Label

  1. Open the document or email.

  2. Click the Sensitivity button.

  3. Select a less restrictive label (e.g., change from “Restricted” to “Internal”).

  4. A prompt will appear asking for a justification. Choose one of the following:

    • Previous label no longer applies

    • Previous label was incorrect

    • Other (with explanation)

  5. Submit your reason. The change will be logged and reviewed by ITS.

Label downgrade justification dialog box

Important Note: Downgrading a label without valid justification may violate policy and trigger alerts.

What Are DLP Policies?

Data Loss Prevention (DLP) policies prevent accidental sharing of sensitive data. They:

  • Alert users when content violates a policy (e.g., trying to email a Highly Restricted document externally).

  • May block actions like sending, sharing, or downloading.

  • Require justification or approval for exceptions.

You may see policy tips in Office apps or Outlook when attaching labeled files. These tips explain why an action is blocked and what to do next.

Email Notifications:

If you violate a DLP policy, you may receive an email notification explaining:

  • What triggered the policy

  • What action was blocked

  • What steps to take (e.g., request an exception or contact IT)

ITS is also alerted for review and compliance tracking.

Known Limitations

  • Outlook Mobile and Outlook for Mac do not support policy tips and some other Purview functions.
  • Policy tips do not currently identify the exact location (e.g., page or line number) of sensitive information within a document. If a file is flagged, users will need to manually review the content to locate the triggering data.
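
The auto-labeling decision described under "How Auto-Labeling Works" and the manual review described in the limitation above can be illustrated together. The following is an added example, not Central Piedmont's or Microsoft's code: simplified Python stand-ins for two of the listed SITs report the line each match sits on and derive the Internal or Restricted label. The regular expressions, function names, and sample text are assumptions made for illustration.

```python
import re

# Simplified stand-ins for two SITs from the list above. Assumption: these
# patterns are illustrative, not Microsoft Purview's real SIT definitions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
LABELS = ["Public", "Internal", "Restricted", "Highly Restricted"]  # low to high

def luhn_ok(digits):
    """Payment-card checksum; filters out most arbitrary 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sits(text):
    """Return (line_number, sit_name) for each hit, lines numbered from 1."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SSN_RE.search(line):
            hits.append((lineno, "U.S. Social Security Number (SSN)"))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append((lineno, "Credit Card Number"))
    return hits

def auto_label(text):
    """Internal by default (content is in the tenant); Restricted on any hit."""
    return "Restricted" if find_sits(text) else "Internal"

def is_downgrade(old, new):
    """True when a label change moves down the hierarchy (needs justification)."""
    return LABELS.index(new) < LABELS.index(old)

# Constructed sample document using widely published test values.
SAMPLE = """Budget notes for spring term
Applicant SSN: 078-05-1120
Test card on file: 4111 1111 1111 1111
Order reference: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for lineno, sit in find_sits(SAMPLE):
        print(f"line {lineno}: {sit}")
    print("auto-label:", auto_label(SAMPLE))
```

The last sample line has the shape of a card number but fails the checksum, so it is not reported; a detector that relied on the digit pattern alone would have flagged it.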

Report Issues or Feedback

If you encounter problems with sensitivity labels or DLP policies — such as incorrect labeling, blocked sharing, or confusing alerts — we want to hear from you.

How to Report:

Since the dedicated DLP support service is still being developed, please submit a Service Request (SR) directly to:

  • ITS Cybersecurity & CISO Team

Include the following details in your request:

  • A brief description of the issue

  • The name or link to the affected document or email

  • Any screenshots or attachments that help illustrate the problem

Further Reading