# Classification & Protection
Apply labels FIRST so that discovery, DSPM, and governance reports are meaningful.
DSPM can tell you where sensitive data exists—but without labels deployed, it can't tell you what's protected. If you run DSPM before implementing labels, you're measuring the problem without the solution in place.
This section establishes:
- Sensitivity labels to classify and protect data
- Auto-labeling to ensure consistent classification
## Sensitivity Labels {#sensitivity-labels}
Goal: Create a label taxonomy that classifies data by sensitivity level and applies appropriate protections.
### 2.1 Design Label Taxonomy
Before creating labels, establish a classification framework approved by leadership.
#### Common Higher Education Label Taxonomy
| Label | Protection | Use Case |
|---|---|---|
| Public | None | Press releases, marketing, public websites |
| Internal | None (visual marking only) | General internal documents, announcements |
| Confidential | Encrypt, no external sharing | HR data, financials, contracts |
| FERPA | Encrypt, no forwarding | Student records, transcripts |
| HIPAA | Encrypt, audit, watermark | Health records, counseling notes |
| Research - Controlled | Encrypt, no copy, audit | CUI, CMMC, export-controlled |
| Highly Confidential | Encrypt, expire, revoke access | Board materials, legal privilege |
### 2.2 Create Sensitivity Labels
Navigate to Microsoft Purview portal → Solutions → Information protection → Labels.
#### PowerShell: Create Label Taxonomy
:::note Module Requirement
Requires ExchangeOnlineManagement module v3.0+:
```powershell
Install-Module ExchangeOnlineManagement -MinimumVersion 3.0.0
```
:::
```powershell
# Connect to Security & Compliance PowerShell
Connect-IPPSSession

# Create parent labels (groups)
New-Label -DisplayName "Public" -Name "Public" -Tooltip "No protection required"
New-Label -DisplayName "Internal" -Name "Internal" -Tooltip "General internal use"
New-Label -DisplayName "Confidential" -Name "Confidential" -Tooltip "Sensitive business data"
New-Label -DisplayName "Regulatory" -Name "Regulatory" -Tooltip "Data subject to regulations"

# Create sublabels under Regulatory (ParentId accepts the parent label's name or GUID)
New-Label -DisplayName "FERPA" -Name "FERPA" -ParentId "Regulatory" `
    -Tooltip "Student education records"
New-Label -DisplayName "HIPAA" -Name "HIPAA" -ParentId "Regulatory" `
    -Tooltip "Protected health information"
```
### 2.3 Configure Label Encryption
For labels that require encryption, configure protection settings in the label definition. Encryption is a native sensitivity label capability in Microsoft Purview Information Protection.
#### Encryption Settings Reference
| Setting | Public | Internal | Confidential | FERPA | HIPAA |
|---|---|---|---|---|---|
| Encrypt | — | — | Yes | Yes | Yes |
| Allow offline access | — | — | 30 days | 7 days | 7 days |
| Co-authoring | — | — | |||
| External recipients | — | — | |||
| Do not forward | — | — | |||
| Content expires | — | — | Never | Never | 1 year |
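The table above maps onto the `Encryption*` and `ApplyWaterMarking*` parameters of Set-Label. The script below is an added example, not part of the original guide: it assumes the labels from 2.2 exist, that an active Connect-IPPSSession is open, and that a domain-scoped rights entry (`tamu.edu:...`) is the tenant's primary domain, which keeps content readable only by users in that tenant (the "no external recipients" setting).

```powershell
# Confidential: encrypt, tenant users only (no external recipients),
# 30 days offline access, content never expires.
Set-Label -Identity "Confidential" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType "Template" `
    -EncryptionRightsDefinitions "tamu.edu:VIEW,EDIT,DOCEDIT,PRINT,REPLY,REPLYALL,FORWARD" `
    -EncryptionOfflineAccessDays 30 `
    -EncryptionContentExpiredOnDateInDaysOrNever "Never"

# FERPA: same tenant-only template, but the rights set omits FORWARD
# (the "do not forward" row) and offline access is cut to 7 days.
Set-Label -Identity "FERPA" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType "Template" `
    -EncryptionRightsDefinitions "tamu.edu:VIEW,EDIT,DOCEDIT,PRINT,REPLY,REPLYALL" `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever "Never"

# HIPAA: 7 days offline, access to the content expires 365 days after it
# is labeled, plus a watermark so printed or exported copies stay marked.
Set-Label -Identity "HIPAA" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType "Template" `
    -EncryptionRightsDefinitions "tamu.edu:VIEW,EDIT,DOCEDIT,REPLY,REPLYALL" `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever "365" `
    -ApplyWaterMarkingEnabled $true `
    -ApplyWaterMarkingText "HIPAA - Protected Health Information" `
    -ApplyWaterMarkingFontSize 40

# Review what the service stored before the label is published
Get-Label -Identity "HIPAA" | Format-List
```

Changes to encryption settings take effect for newly labeled content; already-labeled items keep the protection template they were encrypted with until they are relabeled.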
### 2.4 Apply Visual Markings
Configure headers, footers, and watermarks to indicate classification level.
```powershell
# Add visual markings to Confidential label
Set-Label -Identity "Confidential" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CONFIDENTIAL" `
    -ApplyContentMarkingHeaderFontColor "#FF0000" `
    -ApplyContentMarkingHeaderFontSize 12

Set-Label -Identity "Confidential" `
    -ApplyContentMarkingFooterEnabled $true `
    -ApplyContentMarkingFooterText "For internal use only"
```
### 2.5 Publish Labels to Users
Create a label policy to make labels available in Office apps.
#### PowerShell: Publish Label Policy
```powershell
# Create label policy for all users
New-LabelPolicy -Name "Enterprise Labels" `
    -Labels "Public","Internal","Confidential","FERPA","HIPAA" `
    -ExchangeLocation "All" `
    -SharePointLocation "All" `
    -OneDriveLocation "All" `
    -ModernGroupLocation "All"

# Configure policy settings.
# OutlookDefaultLabel expects the label's GUID rather than its name,
# so look the label up first (Get-Label | Format-Table DisplayName, Name, Guid).
$internalLabel = Get-Label -Identity "Internal"
Set-LabelPolicy -Identity "Enterprise Labels" `
    -AdvancedSettings @{
        "RequireDowngradeJustification" = "true"
        "OutlookDefaultLabel" = $internalLabel.Guid
    }
```
### 2.6 Validation Checkpoint
| Check | Expected Result |
|---|---|
| Labels appear in Word/Excel/Outlook | 5 labels visible |
| Encrypted label blocks external sharing | Blocked |
| Visual markings appear | Header/footer visible |
| Downgrade requires justification | Prompt appears |
## Auto-Labeling {#auto-labeling}
Goal: Automatically classify content based on sensitive information types (SITs), reducing reliance on users to label correctly.
### 2.5.1 Client-Side Auto-Labeling
Configure labels to automatically apply when Office apps detect sensitive content.
#### Auto-Labeling Conditions Matrix
| Label | Auto-Apply When... |
|---|---|
| FERPA | Student ID + Name + Grade/GPA |
| HIPAA | SSN + Medical Terms + Provider ID |
| Confidential | SSN (alone) or Credit Card + Amount |
| Research - Controlled | CUI Markings or Export Control Terms |
```powershell
# Configure auto-labeling (recommendation, not forced apply) for the FERPA label.
# Confirm these parameters are accepted by your module version first
# (Get-Help Set-Label -Parameter *); if they are not, configure the
# client-side auto-labeling conditions on the label in the portal instead.
Set-Label -Identity "FERPA" `
    -AutoApplyType "Recommend" `
    -SensitiveInformationType @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = 1 },
        @{ Name = "All Full Names"; minCount = 1 }
    ) `
    -Locale "en-us" `
    -AutoLabelingMessage "This document may contain FERPA-protected data."
```
### 2.5.2 Service-Side Auto-Labeling
For content already in SharePoint, OneDrive, and Exchange, create auto-labeling policies that run server-side.
#### PowerShell: Create Auto-Labeling Policy
```powershell
# Create auto-labeling policy for FERPA content in SharePoint and OneDrive.
# TestWithoutNotifications is simulation mode: matches are reported and
# nothing is labeled until the policy is switched to Enable.
New-AutoSensitivityLabelPolicy -Name "Auto-Label FERPA" `
    -SharePointLocation "All" `
    -OneDriveLocation "All" `
    -ApplySensitivityLabel "FERPA" `
    -Mode "TestWithoutNotifications"

# Add conditions. Workload must name the services the rule evaluates;
# minCount is the minimum number of instances of each SIT that must be found.
New-AutoSensitivityLabelRule -Policy "Auto-Label FERPA" `
    -Name "Student Records Rule" `
    -Workload "SharePoint, OneDriveForBusiness" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "All Full Names"; minCount = "1" }
    )
```
### 2.5.3 Auto-Labeling Workflow
```mermaid
flowchart LR
    A[Create Policy] --> B[Simulation Mode]
    B --> C{Review Matches}
    C -->|False Positives| D[Refine Conditions]
    D --> B
    C -->|Accurate| E[Enable Policy]
    E --> F[Monitor & Tune]
```
### 2.5.4 Simulation Best Practices
- Review matched items for false positives
- Check that high-value targets are captured
- Refine SIT confidence levels if needed
- Get stakeholder sign-off before enabling
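The refine-then-enable loop above can be scripted so that a policy is never promoted out of simulation by accident. This is an added example, not part of the original guide; it assumes the "Auto-Label FERPA" policy and "Student Records Rule" from 2.5.2 exist and an active Connect-IPPSSession. The confidence keys narrow the SSN match to high-confidence detections (85), which is the usual first fix for nine-digit-number false positives.

```powershell
$policyName = "Auto-Label FERPA"

# Refine conditions: only count high-confidence SSN matches (65 low, 75 medium, 85 high)
Set-AutoSensitivityLabelRule -Identity "Student Records Rule" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; minConfidence = "85"; maxConfidence = "100" },
        @{ Name = "All Full Names"; minCount = "1" }
    )

function Enable-ReviewedAutoLabelPolicy {
    # Promote a policy from simulation to production only after sign-off.
    param([Parameter(Mandatory)][string]$Name)

    $policy = Get-AutoSensitivityLabelPolicy -Identity $Name
    if ($policy.Mode -notlike "Test*") {
        Write-Warning "'$Name' is in mode '$($policy.Mode)', not simulation; nothing changed."
        return $policy
    }

    # Simulation matches are reviewed in the portal (2.5.4); record the
    # stakeholder decision here so the change is traceable in the transcript.
    $answer = Read-Host "Stakeholder sign-off recorded for '$Name'? (yes/no)"
    if ($answer -ne "yes") {
        Write-Host "Leaving '$Name' in simulation."
        return $policy
    }

    Set-AutoSensitivityLabelPolicy -Identity $Name -Mode Enable
    return Get-AutoSensitivityLabelPolicy -Identity $Name
}

Enable-ReviewedAutoLabelPolicy -Name $policyName | Select-Object Name, Mode
```

Run it inside Start-Transcript so the sign-off prompt and the resulting Mode are captured alongside the change ticket.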
### 2.5.5 Validation Checkpoint
| Check | Expected Result |
|---|---|
| Simulation mode shows matches | 100+ items matched |
| No critical false positives | <5% false positive rate |
| Auto-labeled files in SharePoint | Labels visible in library |
## Data Lifecycle Management {#data-lifecycle}
Goal: Establish retention and deletion policies to manage the complete data lifecycle.
### 3.1 Retention Policy Strategy
Design retention policies based on regulatory requirements and business needs.
#### Common Retention Periods
| Content Type | Retain | Then... | Regulation |
|---|---|---|---|
| Student Records | 7 years after graduation | Delete | FERPA |
| Financial Records | 7 years | Delete | IRS |
| HR Employee Files | 7 years after separation | Delete | State law |
| Email (General) | 3 years | Delete | Policy |
| Teams Chats | 1 year | Delete | Policy |
| Research Data (Grant) | Duration + 3 years | Archive | NSF/NIH |
| Legal Holds | Indefinite | Manual release | Litigation |
### 3.2 Create Retention Policies
Navigate to Microsoft Purview portal → Solutions → Data lifecycle management → Policies → Retention policies.
#### PowerShell: Create Retention Policies
:::note Module Requirement
Requires ExchangeOnlineManagement module v3.0+:
```powershell
Install-Module ExchangeOnlineManagement -MinimumVersion 3.0.0
```
:::
```powershell
# Connect to Security & Compliance PowerShell
Connect-IPPSSession

# Step 1: Create the policy (defines WHERE)
New-RetentionCompliancePolicy -Name "Email Retention - 3 Years" `
    -ExchangeLocation "All" `
    -Enabled $true

# Step 2: Create the rule (defines HOW LONG and WHAT ACTION)
New-RetentionComplianceRule -Name "Email 3 Year Rule" `
    -Policy "Email Retention - 3 Years" `
    -RetentionDuration 1095 `
    -RetentionDurationDisplayHint Days `
    -RetentionComplianceAction Delete

# Example: SharePoint site-specific retention
New-RetentionCompliancePolicy -Name "Student Records - 7 Years" `
    -SharePointLocation "https://tenant.sharepoint.com/sites/StudentRecords"

New-RetentionComplianceRule -Name "Student Records Rule" `
    -Policy "Student Records - 7 Years" `
    -RetentionDuration 2555 `
    -RetentionDurationDisplayHint Days `
    -RetentionComplianceAction Delete

# Example: Teams retention (channels and chats)
New-RetentionCompliancePolicy -Name "Teams Chat - 1 Year" `
    -TeamsChannelLocation "All" `
    -TeamsChatLocation "All"

New-RetentionComplianceRule -Name "Teams 1 Year Rule" `
    -Policy "Teams Chat - 1 Year" `
    -RetentionDuration 365 `
    -RetentionDurationDisplayHint Days `
    -RetentionComplianceAction Delete
```
Modern retention policies require two cmdlets:
- New-RetentionCompliancePolicy: defines the locations (where)
- New-RetentionComplianceRule: defines the retention settings (how long, what action)
Old examples showing -RetentionDuration on the policy itself are deprecated.
### 3.3 Retention Labels for Records Management
For content requiring formal records management (declaration, disposition review), use retention labels instead of policies.
#### Retention Labels vs. Policies
| Feature | Retention Policy | Retention Label |
|---|---|---|
| Applied to | Locations (all of Exchange, SharePoint) | Individual items |
| User can apply | No (admin only) | Yes |
| Records declaration | No | Yes |
| Disposition review | No | Yes |
| Event-based retention | No | Yes |
| Regulatory records | No | Yes |
### 3.4 Create Records Labels
```powershell
# Create retention label for contract records.
# KeepAndDelete (rather than Keep) is required for items to reach the
# disposition review queue at the end of the period; ReviewerEmail only
# applies to the Delete and KeepAndDelete actions.
New-ComplianceTag -Name "Contract - Final" `
    -Comment "Final executed contracts requiring records management" `
    -RetentionAction "KeepAndDelete" `
    -RetentionDuration 2555 `
    -RetentionType "CreationAgeInDays" `
    -IsRecordLabel $true `
    -Regulatory $false `
    -ReviewerEmail "records@tamu.edu"

# Publish the label: the policy defines WHERE, the rule says WHICH label to publish
New-RetentionCompliancePolicy -Name "Records Labels" `
    -SharePointLocation "All"

New-RetentionComplianceRule -Name "Publish Contract Label" `
    -Policy "Records Labels" `
    -PublishComplianceTag "Contract - Final"
```
### 3.5 Records Management Setup
For formal records management with disposition reviews:
- Navigate to Microsoft Purview portal → Records management
- Create File plan with retention labels
- Configure Disposition reviewers
- Set up Event types for event-based retention
### 3.6 Validation Checkpoint
| Check | Expected Result |
|---|---|
| Retention policies in portal | 3+ policies active |
| Email retention applies | Policy shows in mailbox |
| SharePoint retention applies | Policy visible in site |
| Records labels available | Labels in dropdown |
| Disposition review queue works | Items appear after expiration |
## Classification Completion Checklist
Before moving to Discovery & DSPM, validate:
| Component | Status | Notes |
|---|---|---|
| Label taxonomy approved | Leadership sign-off | |
| 5+ sensitivity labels published | Visible in Office apps | |
| Encryption working on protected labels | Test with external recipient | |
| Auto-labeling simulation complete | <5% false positive rate | |
| Auto-labeling enabled (production) | At least 1 policy active | |
| Retention policies created | Email, SharePoint, Teams | |
| Records labels published (if needed) | For regulatory records | |
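The tenant-side rows of this checklist can be re-checked by script after every change instead of by hand in the portal. This is an added example, not part of the original guide; it assumes the label, policy and tag names used earlier in this section, an active Connect-IPPSSession, and that Get-LabelPolicy returns label names in its Labels property. It reads configuration only and changes nothing.

```powershell
function Test-ClassificationBaseline {
    # One row per checklist item: Check, Pass, Note
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Pass, $Note)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Note = $Note }) }

    # 5+ sensitivity labels exist
    $expected = "Public", "Internal", "Confidential", "FERPA", "HIPAA"
    $labels   = Get-Label | Select-Object -ExpandProperty Name
    $missing  = @($expected | Where-Object { $_ -notin $labels })
    & $add "5+ sensitivity labels exist" ($missing.Count -eq 0) ("Missing: " + ($missing -join ', '))

    # Label policy publishes every expected label to users
    $policy = Get-LabelPolicy -Identity "Enterprise Labels" -ErrorAction SilentlyContinue
    $unpublished = if ($policy) { @($expected | Where-Object { $_ -notin $policy.Labels }) } else { $expected }
    & $add "Label policy publishes all labels" ($null -ne $policy -and $unpublished.Count -eq 0) `
        ("Not published: " + ($unpublished -join ', '))

    # Auto-labeling: at least one policy in production (Mode = Enable)
    $auto = @(Get-AutoSensitivityLabelPolicy)
    & $add "Auto-labeling enabled (production)" (@($auto | Where-Object Mode -eq "Enable").Count -ge 1) `
        (($auto | ForEach-Object { "$($_.Name)=$($_.Mode)" }) -join '; ')

    # Retention: 3+ policies (Email, SharePoint, Teams) and none disabled
    $ret = @(Get-RetentionCompliancePolicy)
    & $add "Retention policies created (3+)" ($ret.Count -ge 3) "Found $($ret.Count)"
    & $add "All retention policies enabled" (@($ret | Where-Object { -not $_.Enabled }).Count -eq 0) `
        ("Disabled: " + (@($ret | Where-Object { -not $_.Enabled }).Name -join ', '))

    # Records labels: at least one retention label marked as a record
    $tags = @(Get-ComplianceTag | Where-Object IsRecordLabel)
    & $add "Records labels published (if needed)" ($tags.Count -ge 1) ("Record labels: " + ($tags.Name -join ', '))

    return $results
}

Test-ClassificationBaseline | Format-Table -AutoSize
```

Rows that cannot be read from configuration (leadership sign-off, the external-recipient test, the false-positive rate from simulation) still need the manual evidence the table asks for.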
## Next Steps
With labels and lifecycle policies in place, you're ready to discover and measure:
- Discovery & DSPM — Now DSPM can report on labeled vs. unlabeled content, oversharing, and Copilot exposure
## Related Resources
- Information Protection — Product overview
- Data Lifecycle Management — Retention product overview
- Records Management — Formal records management