Microsoft Purview Information Protection: The Enterprise Guide to Sensitivity Labels, Data Classification, and DLP
Data breaches cost enterprises an average of $4.88 million in 2025, and 82% involve data that was improperly classified or unprotected. Microsoft Purview Information Protection gives organizations the ability to discover, classify, label, and protect sensitive data across their entire digital estate. This guide covers enterprise deployment strategies, sensitivity label taxonomies, auto-labeling configurations, DLP policies, and compliance mappings for HIPAA, SOC 2, and GDPR — based on 500+ deployments by EPC Group.
Microsoft Purview Information Protection Guide 2026
Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) classifies, labels, and protects sensitive data across email, documents, SharePoint, Teams, and third-party apps. EPC Group has delivered 500+ Purview Information Protection deployments. This guide covers sensitivity labels, DLP, classification, and HIPAA, SOC 2, and GDPR compliance. Last updated: 2026
Key facts
- EPC Group has completed 500+ Microsoft Purview Information Protection deployments.
- Purview Information Protection operates on a three-step model: Know your data, Protect your data, Prevent data loss.
- Sensitivity labels travel with content — wherever a file goes, the label and its protections follow.
- Auto-labeling covers SharePoint, OneDrive, Exchange, and Teams without requiring users to label manually.
- Sensitivity labels and retention labels are different tools. Both can exist on the same document at the same time.
What is Microsoft Purview Information Protection?
Microsoft Purview Information Protection (formerly MIP) is the classification and labeling layer of the Microsoft 365 compliance ecosystem. It discovers, classifies, labels, and protects sensitive data. Coverage extends across emails, documents, SharePoint sites, Teams messages, and third-party cloud applications.
The platform works on three steps:
- Know your data. Discover and classify sensitive information across your Microsoft 365 environment and connected data sources.
- Protect your data. Apply sensitivity labels with encryption and access controls. Labels travel with the content wherever it goes.
- Prevent data loss. Use DLP policies to enforce restrictions across email, Teams, SharePoint, endpoints, and third-party apps.
Sensitivity labels vs retention labels
These two label types serve different purposes. Both can exist on the same document at the same time.
Sensitivity labels control access and apply encryption. They answer: "Who can see this data and what can they do with it?" A Highly Confidential label might allow only specific users to open a file and prevent printing or forwarding.
Retention labels govern the data lifecycle. They answer: "How long must we keep this and when do we delete it?" A 7-year retention label on a financial record keeps the file for 7 years and then triggers disposition review before deletion.
Sensitivity label design
Effective label taxonomies balance protection with usability. Too many labels confuse users. Too few miss important data categories.
Recommended baseline taxonomy
- Public. Intended for external audiences. No access restrictions.
- General. Internal content not requiring special protection.
- Confidential. Business-sensitive content. Restrict external sharing by default.
- Highly Confidential. Executive, financial, legal, or regulated data. Require encryption and restrict to specific groups.
- Restricted. Most sensitive data — M&A, HR investigations, executive compensation. Encrypt and limit to specific named individuals.
Sub-labels for regulated content
Add sub-labels under Confidential and Highly Confidential for content categories with distinct handling requirements: HR, Finance, Legal, M&A, PHI/PII (healthcare), and PCI (payment card data).
Auto-labeling
Auto-labeling applies sensitivity labels to existing and new content automatically. It does not require users to label manually.
Auto-labeling runs in two modes:
- Client-side auto-labeling. Labels are suggested or applied automatically as users create or edit documents in Office apps. Users see the label recommendation and can accept or change it.
- Service-side auto-labeling. Labels are applied to content in SharePoint, OneDrive, and Exchange without any user interaction. This is how you classify large volumes of existing content.
Auto-labeling uses built-in sensitive information types — SSN, credit card numbers, medical record numbers, passport numbers — plus custom trainable classifiers and exact data match (EDM) for organization-specific patterns.
DLP policy design
DLP policies enforce what happens when sensitive data is detected. They work alongside sensitivity labels — a DLP rule can trigger based on a label condition, a sensitive information type match, or both.
Three dimensions of DLP policy design
- What content to protect. Use label conditions for precision. Keyword matching alone generates false positives.
- What action to take. Options include block (prevent sharing), warn with override (allow sharing with documented justification), and notify (alert the compliance team without blocking).
- Where to apply. Exchange email, Teams messages, SharePoint, OneDrive, endpoints (Windows 10/11), and Microsoft Defender for Cloud Apps for third-party SaaS protection.
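To make the auto-labeling building blocks and the three DLP dimensions concrete, here is an added Python example (not EPC Group's or Microsoft's code) that mimics how a DLP rule is evaluated: a sensitive information type match that needs corroborating evidence, a sensitivity label condition, and the block / warn-with-override / notify actions. The SIT patterns, rule names, label names and sample messages are constructed for illustration and are not real Purview definitions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed stand-ins for two built-in sensitive information types (SITs).
# As in Purview, a hit needs the pattern plus corroborating evidence (here a
# Luhn checksum), which is what separates a SIT from plain keyword matching.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a digit run that fails it is not counted as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sits(text: str) -> dict[str, int]:
    """Count validated SIT hits per type; unvalidated digit runs are dropped."""
    hits = {"SSN": len(SSN_RE.findall(text)), "CreditCard": 0}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["CreditCard"] += 1
    return {k: v for k, v in hits.items() if v}

@dataclass
class DlpRule:
    name: str
    labels: frozenset = frozenset()    # label condition (empty = unused)
    sit_min_count: int | None = None   # SIT condition (None = unused)
    action: str = "Notify"             # Block | WarnWithOverride | Notify

SEVERITY = {"Block": 3, "WarnWithOverride": 2, "Notify": 1, "Allow": 0}
def evaluate(text: str, label: str | None, rules: list[DlpRule]) -> str:
    """Fires on a label match, a SIT match, or both; most restrictive wins."""
    hits = sum(find_sits(text).values())
    fired = [r.action for r in rules if label in r.labels
             or (r.sit_min_count is not None and hits >= r.sit_min_count)]
    return max(fired, key=SEVERITY.get, default="Allow")

# Constructed policy and sample items; none of these values are real data.
POLICY = [
    DlpRule("Block labeled PHI", action="Block",
            labels=frozenset({"Highly Confidential", "Restricted"})),
    DlpRule("Warn on card numbers", sit_min_count=1, action="WarnWithOverride"),
]
PHI_EMAIL = "Patient J. Doe, DOB 1980-02-14, SSN 123-45-6789"
INVOICE = "Card on file 4111 1111 1111 1111 for order 1234 5678 9012 3456"
SHIPPING = "Tracking 1234 5678 9012 3456 ships Monday"
```

The order and tracking numbers look like card numbers to a keyword or bare-regex rule but fail the checksum, so only the labeled item and the genuine card number trigger an action.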
HIPAA compliance with Purview Information Protection
Healthcare organizations use Purview Information Protection to meet HIPAA Security Rule technical safeguard requirements. EPC Group configures the following for HIPAA clients:
- Sensitivity labels encrypt PHI at rest and in transit. PHI cannot be read by unauthorized users even if a file is exfiltrated.
- DLP policies prevent unauthorized PHI sharing via email or Teams. Policies require business justification for external PHI sharing.
- Auto-labeling identifies PHI patterns — medical record numbers, ICD-10 diagnosis codes, patient names combined with dates of birth — and applies protection automatically.
- Audit logs track PHI access events with the detail required by HIPAA Security Rule Section 164.312.
SOC 2 and GDPR alignment
SOC 2 Type II requires documented access controls and audit trails. Sensitivity labels provide access control documentation. Purview audit logs provide the access trail for SOC 2 auditors.
GDPR requires data classification and the ability to locate and delete personal data on request. Purview's content search and sensitivity label taxonomy satisfy both requirements. EPC Group configures GDPR-specific label sub-labels for EU personal data to separate it from general confidential content.
Frequently asked questions
What is the difference between Microsoft Purview Information Protection and Microsoft Information Protection (MIP)?
Microsoft Information Protection (MIP) was the previous name for the sensitivity label and classification capabilities now called Microsoft Purview Information Protection. Microsoft rebranded the compliance product family under the Purview umbrella in 2022.
The underlying technology is the same — the Azure Information Protection (AIP) unified labeling client and the Microsoft 365 compliance center are the same tools under the new name.
How are sensitivity labels different from Azure Information Protection labels?
Azure Information Protection (AIP) classic labels have been migrated to Microsoft Purview sensitivity labels (unified labeling). If your organization used AIP classic client labels before 2021, those have been or should be migrated to unified labeling.
AIP classic was retired in 2022. All new implementations use Microsoft Purview sensitivity labels managed through the Microsoft Purview compliance portal.
Can sensitivity labels protect files outside Microsoft 365?
Yes. Microsoft Purview Information Protection extends to third-party cloud apps through Microsoft Defender for Cloud Apps integration.
Sensitivity labels can be applied to files in Box, Dropbox, Salesforce, and other connected apps. The Azure Information Protection scanner also applies labels to on-premises file shares and SharePoint Server content.
How many sensitivity labels should an enterprise use?
EPC Group recommends starting with 5 top-level labels and 10–15 sub-labels for a standard enterprise. More than 25 total labels typically creates user confusion and reduces adoption.
The goal is a taxonomy that is specific enough to drive meaningful DLP policy decisions without requiring users to choose among too many options. Trainable classifiers and auto-labeling reduce the burden on users to make the right choice manually.
Does Purview Information Protection work with macOS and mobile devices?
Yes. Sensitivity labels apply in Microsoft 365 apps on macOS (Word, Excel, PowerPoint, Outlook) and in Outlook Mobile on iOS and Android.
Built-in labeling in Office apps requires Microsoft 365 Apps for Enterprise (formerly Office 365 ProPlus). The Azure Information Protection unified labeling client extends coverage to File Explorer on Windows for non-Office file types.
Ready to deploy Purview Information Protection for your enterprise? Contact EPC Group for a classification and labeling assessment.
Frequently Asked Questions
What is Microsoft Purview Information Protection?
Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) is a suite of tools within the Microsoft 365 compliance ecosystem that helps organizations discover, classify, label, and protect sensitive data across emails, documents, SharePoint sites, Teams messages, and third-party cloud applications. It includes sensitivity labels, auto-labeling policies, data loss prevention (DLP), and encryption — all managed from the Microsoft Purview compliance portal. EPC Group has deployed Purview Information Protection for over 500 enterprise clients.
How do sensitivity labels work in Microsoft Purview?
Sensitivity labels are metadata tags applied to documents, emails, and containers (SharePoint sites, Teams, Microsoft 365 Groups) that define the classification level and enforce protection actions. When a user applies a "Confidential" label, Purview can automatically encrypt the file, add watermarks, restrict copy/paste, prevent forwarding, and control who can access the content. Labels can be applied manually by users, recommended by Purview based on content inspection, or automatically enforced through auto-labeling policies that scan for sensitive data patterns like SSNs, credit card numbers, or HIPAA identifiers.
How long does it take to deploy Microsoft Purview Information Protection?
A phased Purview Information Protection deployment typically takes 12–20 weeks for enterprise organizations. Phase 1 (weeks 1–4) covers planning, taxonomy design, and pilot group deployment. Phase 2 (weeks 5–10) involves auto-labeling policies, DLP rules, and expanded user rollout. Phase 3 (weeks 11–16) includes endpoint DLP, third-party app integration, and compliance validation. Organizations with HIPAA or FedRAMP requirements should add 4–6 weeks for additional audit documentation and validation testing.
What is the difference between sensitivity labels and retention labels?
Sensitivity labels protect data by controlling access and applying encryption — they answer "who can see this data and what can they do with it." Retention labels govern the data lifecycle by defining how long data must be kept and when it should be deleted — they answer "how long must we keep this and when do we dispose of it." Both label types can coexist on the same document. For example, a healthcare record might have a "Highly Confidential - HIPAA" sensitivity label (encrypts, restricts access) and a "Retain 7 Years" retention label (prevents deletion for regulatory compliance).
Can Microsoft Purview protect data in non-Microsoft applications?
Yes. Microsoft Purview extends protection beyond Microsoft 365 through several mechanisms: Microsoft Defender for Cloud Apps applies sensitivity labels to files in Box, Dropbox, Google Workspace, and Salesforce. The Azure Information Protection unified labeling client protects PDFs and non-Office file types. Microsoft Purview Data Map scans and classifies data in Azure SQL, AWS S3, Google Cloud Storage, on-premises SQL Server, and SAP. Endpoint DLP policies protect sensitive data on Windows and macOS devices regardless of the application being used.
What licenses are required for Microsoft Purview Information Protection?
Basic sensitivity labels (manual application) are included in Microsoft 365 E3/A3/G3 and Microsoft 365 Business Premium. Advanced features require Microsoft 365 E5/A5/G5 or the Microsoft 365 E5 Compliance add-on ($12/user/month): automatic labeling, trainable classifiers, exact data match, endpoint DLP, and Defender for Cloud Apps integration. For organizations needing only specific features, standalone add-ons include Microsoft 365 E5 Information Protection & Governance ($10/user/month) and Microsoft 365 E5 Insider Risk Management ($10/user/month).
How does Microsoft Purview support HIPAA compliance?
Microsoft Purview supports HIPAA compliance through multiple layers: sensitivity labels encrypt Protected Health Information (PHI) at rest and in transit, DLP policies prevent unauthorized sharing of patient data via email or Teams, auto-labeling identifies PHI patterns (medical record numbers, diagnosis codes, patient names) and applies protection automatically, and audit logs provide the access trail required by HIPAA Security Rule Section 164.312. EPC Group has implemented HIPAA-compliant Purview configurations for over 100 healthcare organizations.
