Microsoft Purview Information Protection: The Enterprise Guide to Sensitivity Labels, Data Classification, and DLP
Data breaches are expected to cost enterprises an average of $4.88 million in 2025. Furthermore, 82% of these breaches involve data that is either improperly classified or unprotected.
Microsoft Purview Information Protection assists organizations in:
- Discovering sensitive data
- Classifying data accurately
- Labeling data for protection
- Protecting sensitive data across their entire digital estate
This guide covers:
- Enterprise deployment strategies
- Sensitivity label taxonomies
- Auto-labeling configurations
- DLP policies
- Compliance mappings for HIPAA, SOC 2, and GDPR
These insights are based on over 500 deployments by EPC Group.
Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) helps classify, label, and protect sensitive data. It operates across various platforms, including:
- Documents
- SharePoint
- Teams
- Third-party apps
Last updated: 2026
Key facts
- EPC Group has completed 500+ Microsoft Purview Information Protection deployments.
- Purview Information Protection operates on a three-step model: Know your data, Protect your data, Prevent data loss.
- Sensitivity labels travel with content — wherever a file goes, the label and its protections follow.
- Auto-labeling covers SharePoint, OneDrive, Exchange, and Teams without requiring users to label manually.
- Sensitivity labels and retention labels are different tools. Both can exist on the same document at the same time.
What is Microsoft Purview Information Protection?
Microsoft Purview Information Protection (formerly MIP) is the classification and labeling layer of the Microsoft 365 compliance ecosystem. It helps discover, classify, label, and protect sensitive data.
Coverage includes:
- Emails
- Documents
- SharePoint sites
- Teams messages
- Third-party cloud applications
The platform works on three steps:
- Know your data. Discover and classify sensitive information across your Microsoft 365 environment and connected data sources.
- Protect your data. Apply sensitivity labels with encryption and access controls. Labels travel with the content wherever it goes.
- Prevent data loss. Use DLP policies to enforce restrictions across email, Teams, SharePoint, endpoints, and third-party apps.
Sensitivity labels vs retention labels
These two label types serve different purposes. Both can exist on the same document at the same time.
Sensitivity labels manage access and enforce encryption. They address the question: "Who can view this data and what actions can they take?"
For example, a Highly Confidential label may:
- Allow only certain users to open a file.
- Prevent printing of the document.
- Restrict forwarding of the file.
Retention labels manage the data lifecycle. They help answer important questions like: "How long do we need to keep this data?" and "When should we delete it?"
For example, a 7-year retention label on a financial record will:
- Keep the file for 7 years.
- Trigger a review for disposition before deletion.
Sensitivity label design
Effective label taxonomies balance protection with usability. Too many labels confuse users. Too few miss important data categories.
Recommended baseline taxonomy
- Public. Intended for external audiences. No access restrictions.
- General. Internal content not requiring special protection.
- Confidential. Business-sensitive content. Restrict external sharing by default.
- Highly Confidential. Executive, financial, legal, or regulated data. Require encryption and restrict to specific groups.
- Restricted. Most sensitive data — M&A, HR investigations, executive compensation. Encrypt and limit to specific named individuals.
Sub-labels for regulated content
Add sub-labels under Confidential and Highly Confidential for content categories with distinct handling requirements: HR, Finance, Legal, M&A, PHI/PII (healthcare), and PCI (payment card data).
Auto-labeling
Auto-labeling applies sensitivity labels to existing and new content automatically. It does not require users to label manually.
Auto-labeling runs in two modes:
- Client-side auto-labeling. Labels are suggested or applied automatically as users create or edit documents in Office apps. Users see the label recommendation and can accept or change it.
- Service-side auto-labeling. Labels are applied to content in SharePoint, OneDrive, and Exchange without any user interaction. This is how you classify large volumes of existing content.
Auto-labeling utilizes built-in sensitive information types. These include SSN, credit card numbers, medical record numbers, and passport numbers. It also employs custom trainable classifiers and exact data match (EDM) for organization-specific patterns.
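A service-side auto-labeling policy for the built-in SSN sensitive information type, started in simulation mode, can be created from Security & Compliance PowerShell as sketched here. This is an added example, not EPC Group's or Microsoft's own configuration; the policy and rule names and the `Highly Confidential` label name are assumptions, and the label must already exist in the tenant.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a
# compliance role that is allowed to manage auto-labeling policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Assumed names: replace with your own label and naming convention.
$labelName  = 'Highly Confidential'
$policyName = 'AutoLabel-SSN-SharePoint'

# Create the policy in simulation mode so that matches can be reviewed
# before any label is written to existing content.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -SharePointLocation All `
    -ApplySensitivityLabel $labelName `
    -Mode TestWithoutNotifications `
    -Comment 'Simulation: SSN detection across SharePoint sites'

# Rules are created per workload. This one matches the built-in
# SSN sensitive information type in SharePoint content.
New-AutoSensitivityLabelRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @{
        Name     = 'U.S. Social Security Number (SSN)'
        minCount = '1'
    }

# Once the simulation results have been reviewed, switch to enforcement:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Keeping the policy in `TestWithoutNotifications` until the simulation has been reviewed avoids encrypting content on a false-positive match.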
DLP policy design
DLP policies control actions taken when sensitive data is found. They operate with sensitivity labels. A DLP rule can activate based on:
- A label condition
- A match with a sensitive information type
- Both criteria
Three dimensions of DLP policy design
- What content to protect. Use label conditions for precision. Keyword matching alone generates false positives.
- What action to take. Options include block (prevent sharing), warn with override (allow sharing with documented justification), and notify (alert the compliance team without blocking).
- Where to apply. Exchange email, Teams messages, SharePoint, OneDrive, endpoints (Windows 10/11), and Microsoft Defender for Cloud Apps for third-party SaaS protection.
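The three dimensions map directly onto the parameters of a DLP policy and its rule in Security & Compliance PowerShell. The following is an added example, not EPC Group's configuration; the policy and rule names are assumptions, it uses a sensitive information type condition only, and it expects an existing `Connect-IPPSSession` session.

```powershell
# Added example. Assumes Connect-IPPSSession has already been run.
$policyName = 'DLP-CardData-External'   # assumed name

# Where to apply: Exchange, SharePoint, OneDrive and Teams.
# TestWithNotifications records matches and shows policy tips
# without enforcing the block, which suits a pilot phase.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# What content to protect: the built-in credit card sensitive
# information type, rather than a keyword list.
$condition = @{ Name = 'Credit Card Number'; minCount = '1' }

# What action to take: block sharing outside the organization,
# let the user override with a documented justification, and
# send an incident report so the compliance team is notified.
New-DlpComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $condition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin

# After the pilot, turn on enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```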
HIPAA compliance with Purview Information Protection
Healthcare organizations use Purview Information Protection to meet HIPAA Security Rule technical safeguard requirements. EPC Group configures the following for HIPAA clients:
- Sensitivity labels encrypt PHI at rest and in transit. PHI cannot be read by unauthorized users even if a file is exfiltrated.
- DLP policies prevent unauthorized PHI sharing via email or Teams. Policies require business justification for external PHI sharing.
- Auto-labeling identifies PHI patterns — medical record numbers, ICD-10 diagnosis codes, patient names combined with dates of birth — and applies protection automatically.
- Audit logs track PHI access events with the detail required by HIPAA Security Rule Section 164.312.
SOC 2 and GDPR alignment
SOC 2 Type II requires documented access controls and audit trails. Sensitivity labels provide access control documentation. Purview audit logs provide the access trail for SOC 2 auditors.
GDPR requires organizations to classify data and to locate and delete personal data upon request. Purview's content search and sensitivity label taxonomy meet these requirements.
EPC Group configures GDPR-specific sub-labels for EU personal data. This distinguishes it from general confidential content.
Frequently asked questions
What is the difference between Microsoft Purview Information Protection and Microsoft Information Protection (MIP)?
Microsoft Information Protection (MIP) was the previous name for the sensitivity label and classification features now called Microsoft Purview Information Protection. In 2022, Microsoft rebranded its compliance product family under the Purview umbrella.
The underlying technology is the same — the Azure Information Protection (AIP) unified labeling client and the Microsoft 365 compliance center are the same tools under the new name.
How are sensitivity labels different from Azure Information Protection labels?
Azure Information Protection (AIP) classic labels are now part of Microsoft Purview sensitivity labels, which are also called unified labeling. If your organization used AIP classic client labels before 2021, these labels have been migrated or should be migrated to unified labeling.
AIP classic was retired in 2022. All new implementations use Microsoft Purview sensitivity labels managed through the Microsoft Purview compliance portal.
Can sensitivity labels protect files outside Microsoft 365?
Yes. Microsoft Purview Information Protection extends to third-party cloud apps through Microsoft Defender for Cloud Apps integration.
Sensitivity labels can be used with various applications. These include Box, Dropbox, Salesforce, and other connected apps. Additionally, the Azure Information Protection scanner applies labels to:
- On-premises file shares
- SharePoint Server content
How many sensitivity labels should an enterprise use?
EPC Group suggests beginning with 5 top-level labels and 10–15 sub-labels for a typical enterprise.
Using more than 25 total labels can lead to user confusion and lower adoption rates.
The goal is a taxonomy that supports clear DLP policy decisions without overwhelming users with too many choices.
To achieve this, we use:
- Trainable classifiers
- Auto-labeling
These tools lessen the need for users to manually select the correct option.
Does Purview Information Protection work with macOS and mobile devices?
Yes. Sensitivity labels apply in Microsoft 365 apps on macOS (Word, Excel, PowerPoint, Outlook) and in Outlook Mobile on iOS and Android.
Built-in labeling in Office apps requires Microsoft 365 Apps for Enterprise (formerly Office 365 ProPlus).
The Azure Information Protection unified labeling client offers additional support. It extends labeling to File Explorer on Windows for non-Office file types.
What is Microsoft Purview Information Protection?
Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) is a suite of tools within the Microsoft 365 compliance ecosystem that helps organizations discover, classify, label, and protect sensitive data across emails, documents, SharePoint sites, Teams messages, and third-party cloud applications. It includes sensitivity labels, auto-labeling policies, data loss prevention (DLP), and encryption — all managed from the Microsoft Purview compliance portal. EPC Group has deployed Purview Information Protection for over 500 enterprise clients.
How do sensitivity labels work in Microsoft Purview?
Sensitivity labels are metadata tags applied to documents, emails, and containers (SharePoint sites, Teams, Microsoft 365 Groups) that define the classification level and enforce protection actions. When a user applies a "Confidential" label, Purview can automatically encrypt the file, add watermarks, restrict copy/paste, prevent forwarding, and control who can access the content. Labels can be applied manually by users, recommended by Purview based on content inspection, or automatically enforced through auto-labeling policies that scan for sensitive data patterns like SSNs, credit card numbers, or HIPAA identifiers.
How long does it take to deploy Microsoft Purview Information Protection?
A phased Purview Information Protection deployment typically takes 12-20 weeks for enterprise organizations. Phase 1 (weeks 1-4) covers planning, taxonomy design, and pilot group deployment. Phase 2 (weeks 5-10) involves auto-labeling policies, DLP rules, and expanded user rollout. Phase 3 (weeks 11-16) includes endpoint DLP, third-party app integration, and compliance validation. Organizations with HIPAA or FedRAMP requirements should add 4-6 weeks for additional audit documentation and validation testing.
What is the difference between sensitivity labels and retention labels?
Sensitivity labels protect data by controlling access and applying encryption — they answer "who can see this data and what can they do with it." Retention labels govern the data lifecycle by defining how long data must be kept and when it should be deleted — they answer "how long must we keep this and when do we dispose of it." Both label types can coexist on the same document. For example, a healthcare record might have a "Highly Confidential - HIPAA" sensitivity label (encrypts, restricts access) and a "Retain 7 Years" retention label (prevents deletion for regulatory compliance).
Can Microsoft Purview protect data in non-Microsoft applications?
Yes. Microsoft Purview extends protection beyond Microsoft 365 through several mechanisms: Microsoft Defender for Cloud Apps applies sensitivity labels to files in Box, Dropbox, Google Workspace, and Salesforce. The Azure Information Protection unified labeling client protects PDFs and non-Office file types. Microsoft Purview Data Map scans and classifies data in Azure SQL, AWS S3, Google Cloud Storage, on-premises SQL Server, and SAP. Endpoint DLP policies protect sensitive data on Windows and macOS devices regardless of the application being used.
What licenses are required for Microsoft Purview Information Protection?
Basic sensitivity labels (manual application) are included in Microsoft 365 E3/A3/G3 and Microsoft 365 Business Premium. Advanced features require Microsoft 365 E5/A5/G5 or the Microsoft 365 E5 Compliance add-on ($12/user/month): automatic labeling, trainable classifiers, exact data match, endpoint DLP, and Defender for Cloud Apps integration. For organizations needing only specific features, standalone add-ons include Microsoft 365 E5 Information Protection & Governance ($10/user/month) and Microsoft 365 E5 Insider Risk Management ($10/user/month).
How does Microsoft Purview support HIPAA compliance?
Microsoft Purview supports HIPAA compliance through multiple layers: sensitivity labels encrypt Protected Health Information (PHI) at rest and in transit, DLP policies prevent unauthorized sharing of patient data via email or Teams, auto-labeling identifies PHI patterns (medical record numbers, diagnosis codes, patient names) and applies protection automatically, and audit logs provide the access trail required by HIPAA Security Rule Section 164.312. EPC Group has implemented HIPAA-compliant Purview configurations for over 100 healthcare organizations.
