
Microsoft 365

10 December 2021

Classifying and Protecting Sensitive Data with Microsoft Purview (2026)

Classification with MIP

Data security has become a race against time. Between the explosion in data volumes (+30% per year on average), multicloud dispersion, and the massive adoption of generative AI like Microsoft 365 Copilot, the attack surface of organizations has considerably expanded.

IT and Security teams can no longer simply build walls around the perimeter. The central challenge of 2026 is Data Security Posture Management (DSPM): knowing where sensitive data is located, who accesses it, and how it is protected.

2026 Update: What's New in Microsoft Purview?

The Microsoft security ecosystem has evolved. Microsoft Purview is now a unified platform bringing together governance, compliance, and protection.

  • AI Context: Classification is an essential best practice for securing Copilot and preventing data overexposure.
  • Unification: Native integration of labels in Teams, SharePoint, Outlook, and even non-Microsoft data (through specific connectors).
  • Automation: Enhanced auto-classification through machine learning (Trainable Classifiers).

1. Classifying and Protecting: Challenges Reinforced by GDPR and AI

Data breaches, whether accidental (internal negligence) or malicious (exfiltration), represent a major financial and reputational risk. With GDPR and new directives (NIS2, DORA), data traceability is no longer optional.

But a new risk has emerged: governance debt. Millions of unclassified, obsolete, or "ROT" (Redundant, Obsolete, Trivial) files accumulate. Without classification, sensitive data (PII, patents, strategy) is treated as public data.

  • Security risk: Uncontrolled access.
  • Operational risk: Copilot can surface confidential information to unauthorized users if permissions are too open.

2. The 5-Step Approach to Mastering Your Data

To transform this chaos into secure capital, the recommended method follows a progressive logic:

Step 1: Identify (Discovery)

Before protecting, you must know. Data inventory (Data Discovery) answers key questions:

  • What types of data do we have (banking, health, intellectual property)?
  • Where are they stored (SharePoint, OneDrive, file servers, endpoints)?
  • What are the volumes of "dark data" (stored content whose nature and value are unknown)?

Step 2: Define the Taxonomy

It is crucial to define a classification framework that is simple and understandable by everyone. Too many levels kill adoption. The market standard has stabilized around 4 levels:

  1. Public (Web data, public marketing)
  2. Internal (Standard company data)
  3. Confidential (Project data, HR, clients - restricted access)
  4. Highly Confidential (Executive committee, strategic - very strict access)

Step 3: Classify and Label (Labeling)

This is the heart of the system. Applying a Sensitivity Label anchors classification in the file's metadata.

This label follows the data wherever it goes, even when it leaves the Microsoft 365 environment. Enforcement outside M365, however, depends on client support: Adobe PDF readers, for example, may not recognize the label, and protection may be lost on certain formats or platforms.

Step 4: Protect (Encryption & Access Control)

The label drives protection. Unlike past methods, we don't encrypt everything blindly.

  • "Public" label = No protection.
  • "Confidential" label = Encryption, watermark, prohibition on copy/paste. Encryption is provided by Microsoft Purview Information Protection (formerly Azure Information Protection/Azure RMS).

Note: These protections are configurable by the administrator, not automatic. A "Confidential" label may have no technical protection if the admin has not configured it.

Step 5: Monitor (Audit & DLP)

Once labeled, data becomes traceable. DLP (Data Loss Prevention) policies can then block the exit of a "Confidential" document to a USB drive or personal Gmail address.
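The following is an added example (not IDECSI's or Microsoft's code) that models Steps 3 to 5 together: the label read from a file's metadata drives the protection settings the administrator configured for it, and a DLP rule uses the same label to block a "Confidential" document leaving to a USB drive or a personal mailbox. The label table, tenant domain `contoso.example`, mail-domain list and egress events are constructed; the "Confidential" entry deliberately has no encryption, to reproduce the case the note above warns about.

```python
"""Label-driven protection and a DLP egress rule (added illustration).

This is an added example, not IDECSI's or Microsoft's code. It models how
the sensitivity label carried in a file's metadata drives (a) the
protection settings an administrator configured for that label and (b) a
DLP rule that blocks a "Confidential" document leaving to removable media
or a personal mailbox. Label names, domains and events are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protection settings per label, as an administrator would configure them.
# "Confidential" deliberately has encryption switched off: a label is only a
# metadata marking until the admin attaches technical protection to it.
LABEL_PROTECTION = {
    "Public": {"encrypt": False, "watermark": False, "allow_copy": True},
    "Internal": {"encrypt": False, "watermark": False, "allow_copy": True},
    "Confidential": {"encrypt": False, "watermark": True, "allow_copy": False},
    "Highly Confidential": {"encrypt": True, "watermark": True, "allow_copy": False},
}
NO_PROTECTION = {"encrypt": False, "watermark": False, "allow_copy": True}

DLP_SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed list
CORPORATE_DOMAIN = "contoso.example"  # assumed tenant domain


@dataclass
class EgressEvent:
    file_name: str
    label: Optional[str]             # label read from file metadata, None if unlabeled
    channel: str                     # "usb", "email" or "sharepoint"
    recipient: Optional[str] = None  # e-mail address for the "email" channel


def protection_for(label: Optional[str]) -> dict:
    """Admin-configured protection for a label; unlabeled files get none."""
    return LABEL_PROTECTION.get(label, NO_PROTECTION)


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def dlp_decision(event: EgressEvent) -> str:
    """Return 'block', 'audit' or 'allow' for one egress event.

    Unlabeled files are only audited: the label-based rule has nothing to
    match on because the classification step never happened for them.
    """
    if event.label is None:
        return "audit"
    if event.label not in DLP_SENSITIVE_LABELS:
        return "allow"
    if event.channel == "usb":
        return "block"
    if event.channel == "email" and event.recipient:
        domain = mail_domain(event.recipient)
        if domain in PERSONAL_MAIL_DOMAINS:
            return "block"
        if domain != CORPORATE_DOMAIN:
            return "audit"  # external business partner: log it, do not block
    return "allow"


def evaluate(events: List[EgressEvent]) -> List[Tuple[str, str, bool]]:
    """(file, DLP decision, whether the label itself encrypts the file)."""
    return [(e.file_name, dlp_decision(e), protection_for(e.label)["encrypt"]) for e in events]


SAMPLE_EVENTS = [  # constructed sample events
    EgressEvent("budget-2026.xlsx", "Confidential", "usb"),
    EgressEvent("board-minutes.docx", "Highly Confidential", "email", "alice@gmail.com"),
    EgressEvent("brochure.pdf", "Public", "email", "bob@gmail.com"),
    EgressEvent("old-notes.txt", None, "usb"),
    EgressEvent("contract.docx", "Confidential", "email", "partner@supplier.example"),
    EgressEvent("roadmap.pptx", "Confidential", "email", "dave@contoso.example"),
]

if __name__ == "__main__":
    for name, decision, encrypted in evaluate(SAMPLE_EVENTS):
        print(f"{name:20} {decision:6} encrypted_by_label={encrypted}")
```

Running it shows the two layers are independent: `budget-2026.xlsx` is blocked by DLP on its way to the USB drive even though the administrator left the "Confidential" label without encryption, while `old-notes.txt` is merely audited because it was never labeled. A practitioner checking a tenant should therefore verify both what each label actually enforces and what the DLP policy does with unlabeled content.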

3. Microsoft Purview Information Protection: The Technical Solution

Microsoft Purview is not just a tool, but a complete governance suite. The Information Protection module (formerly MIP/AIP) is the component dedicated to classification and encryption.

Extended Functional Scope

Purview Information Protection now covers the entire data lifecycle:

  • Office 365: Word, Excel, PowerPoint, Outlook (on PC, Mac, Mobile, and Web).
  • Collaboration: Labeling of Teams and SharePoint sites.
  • Hybrid & Multicloud: Via Purview Information Protection Scanner (for on-premises file servers) and integration with other clouds.
  • PDF and images: Native support.

Understanding Licenses (E3 vs E5)

Access to features depends on your Microsoft 365 license level. This is a budgetary consideration:

  • Microsoft 365 E3 / Business Premium:
    • Manual or recommended classification: The user must choose the label themselves.
    • Consumption of encrypted content.
    • Standard DLP features.
  • Microsoft 365 E5 / E5 Compliance Add-on:
    • Automatic classification: Purview analyzes content (e.g., detects a credit card number) and applies the label without human intervention.
    • On-premises scanner: To discover and label file servers.
    • Machine Learning: Trainable classifiers to recognize specific documents (e.g., standard contracts).
    • Advanced DLP and Insider Risk Management.

(Note: Some advanced features require additional E5 Compliance or E5 Information Protection & Governance modules).

4. Classifying and Labeling Sensitive Data with Microsoft Purview (MIP)

Microsoft Purview Information Protection (MIP) enables you to classify and label documents and emails to protect your organization's sensitive data. Data identification and classification can be performed in two ways: manually by users or automatically through predefined rules.

Manual Labeling

Manual labeling is available in all Microsoft 365 licenses (including E3, Business Premium, etc.). Users can select the appropriate sensitivity label directly from their Office applications (Word, Excel, PowerPoint, Outlook).

When a label is applied:

  • Metadata marking is systematically added to the file
  • Visual markers (header, footer, watermark) may be displayed according to the label's configuration
  • Access restrictions can be applied if the label includes encryption

Some organizations configure a default label to encourage classification at document creation. The user can then modify this label according to the actual sensitivity level of the content, unless a mandatory labeling policy is in place.

Automatic Labeling with Microsoft Purview Scanner

The Microsoft Purview unified scanner enables automatic detection and classification of sensitive data stored on-premises (Windows file shares, SharePoint Server on-premises, etc.).

The scanner analyzes document content using:

  • Sensitive Information Types (SIT): credit card numbers, social security numbers, etc.
  • Trainable classifiers to detect specific document types
  • Custom classification rules defined by the organization

Upon completion of the analysis, the scanner can:

  • Recommend a sensitivity label (discovery mode)
  • Automatically apply the appropriate label (Confidential, Highly Confidential, etc.)
  • Generate compliance reports
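The following added example (not the Purview scanner's own code) shows in simplified form what the scanner described above does: run sensitive-information-type detectors over document content (credit card numbers validated with the Luhn checksum, US social security numbers validated against never-issued ranges), count the hits, choose a label from a threshold table, and either recommend it (discovery mode) or apply it (enforce mode). The detectors, thresholds, label names and sample documents are constructed for the example.

```python
"""Sensitive information type (SIT) detection and auto-labeling (added example).

Added illustration, not the Purview scanner's own code. It shows, in
simplified form, what a scanner does: run SIT-style detectors over content
(credit card numbers checked with Luhn, US social security numbers checked
against SSN structure rules), count the hits, pick a label from a rule
table with count thresholds, and either recommend the label (discovery
mode) or apply it (enforce mode). Sample documents are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random 16-digit order ids out of the card count."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> List[str]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> List[str]:
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Never-issued ranges: area 000/666/9xx, group 00, serial 0000.
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        found.append(m.group())
    return found


# Rules are evaluated in order, most sensitive first; first match wins.
LABEL_RULES = [
    ("Highly Confidential", lambda c: c["credit_card"] >= 10 or c["ssn"] >= 10),
    ("Confidential", lambda c: c["credit_card"] >= 1 or c["ssn"] >= 1),
]


def classify(text: str) -> Tuple[Optional[str], Dict[str, int]]:
    counts = {"credit_card": len(find_credit_cards(text)), "ssn": len(find_ssns(text))}
    for label, rule in LABEL_RULES:
        if rule(counts):
            return label, counts
    return None, counts


def scan(documents: Dict[str, str], mode: str = "discovery") -> Dict[str, dict]:
    """mode='discovery' only recommends; mode='enforce' applies the label."""
    results = {}
    for name, text in documents.items():
        label, counts = classify(text)
        if label is None:
            action = "none"
        else:
            action = "applied" if mode == "enforce" else "recommended"
        results[name] = {"label": label, "action": action, "counts": counts}
    return results


SAMPLE_DOCUMENTS = {  # constructed sample content
    "invoice.txt": "Paid with card 4111 1111 1111 1111 on 2026-01-15.",
    "readme.txt": "Order 1234 5678 9012 3456 is an order id, not a card. Build 000-12-3456.",
    "hr-export.csv": "\n".join(f"emp{i},123-45-{6780 + i:04d}" for i in range(10)),
}

if __name__ == "__main__":
    for name, r in scan(SAMPLE_DOCUMENTS, mode="discovery").items():
        print(f"{name:15} {r['counts']} -> {r['label']} ({r['action']})")
```

The `readme.txt` case is why the checksum and range validation matter: a 16-digit order id and an invalid SSN-shaped build number both match the raw patterns but are rejected, which is the kind of false positive the "Important" note below refers to. Running discovery mode first and reviewing the recommendations before switching to enforce mode is the usual way to tune the thresholds.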

Prerequisites and Licenses for Automatic Scanner

Using the Microsoft Purview unified scanner requires one of the following licenses:

  • Microsoft 365 E5 / A5 / G5
  • Microsoft 365 E5 / A5 / G5 Compliance
  • Azure Information Protection Premium P2
  • Microsoft Information Protection for Office 365 Premium P2

Technical prerequisites:

  • A Windows server (Windows Server 2019 or later recommended)
  • Read access rights on file shares and repositories to be scanned
  • Service account with appropriate permissions
  • Internet connection for synchronization with the cloud service

Important: The scanner is a powerful tool but requires precise configuration (content profile settings, classification rules, exception management) to avoid false positives and optimize scanning performance.

Data Encryption with Azure Rights Management (Azure RMS)

When a sensitivity label configured for encryption is applied to a document or email, Microsoft Purview Information Protection uses the Azure Rights Management (Azure RMS) service to protect the content.

How Azure RMS Encryption Works

Azure RMS applies AES 256-bit encryption to the entire file content, not just the metadata. The process works as follows:

  1. Document encryption: The complete content is encrypted locally on the user's device
  2. Addition of a usage license: A "publishing license" is embedded in the file, defining:
     • Users authorized to access the document
     • Usage rights (read-only, edit, print, copy, etc.)
     • Validity period of the rights
  3. Persistent protection: Encryption remains active regardless of file location (cloud, network share, USB drive, email)

Authorization Policies

Azure RMS establishes granular access control policies based on user identity:

  • Internal users: Authentication via Microsoft Entra ID (formerly Azure AD)
  • External users: Ability to grant access to people outside the organization, who must authenticate via their Microsoft account or guest account

Rights may include:

  • View only (View)
  • Edit (Edit)
  • Print (Print)
  • Copy/Extract (Extract - required for use with Copilot)
  • Forward (Forward)
  • Reply (Reply/Reply All - for emails)


Protection Beyond Organizational Boundaries

Key point: Even when a document encrypted by Azure RMS is shared with a person outside the organization, protection remains active.

  • The external recipient must authenticate to prove their identity
  • The rights defined in the usage license apply, even outside the Microsoft 365 tenant
  • The sender retains control: ability to revoke access at any time (if the configuration allows)
  • Encryption cannot be removed without appropriate permissions, even if the file is copied or moved

This persistent file-level protection ensures that sensitive data remains secure throughout its lifecycle, regardless of the sharing channels used (email, public cloud, physical media, etc.).
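The following added example (not Microsoft's Azure RMS implementation) models the publishing license and authorization policy described in the three sections above: authorized principals, rights per principal, a validity period, owner revocation, and the check a client performs before granting a right to an authenticated internal user or external guest, including the point that Copilot needs the Extract right. The tenant domain `contoso.example`, identities, dates and rights are constructed, and the AES-256 payload is a placeholder since only the license evaluation is shown.

```python
"""Usage-license evaluation for an RMS-protected file (added example).

Added illustration, not Microsoft's Azure RMS implementation. It models the
publishing license embedded in a protected file (authorized principals,
rights per principal, validity period, revocation) and the decision a
client makes before granting a right to an authenticated user. The real
service handles key release and AES-256 decryption; here the content is
only kept behind the license check. Identities, dates and rights are
constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple

TENANT_DOMAIN = "contoso.example"  # assumed tenant domain


@dataclass
class PublishingLicense:
    owner: str
    rights: Dict[str, FrozenSet[str]]  # principal -> rights, e.g. {"VIEW", "EDIT", "EXTRACT"}
    not_before: datetime
    not_after: Optional[datetime]      # None means the rights never expire
    revoked: bool = False


@dataclass
class ProtectedDocument:
    name: str
    license: PublishingLicense
    ciphertext: bytes  # placeholder for the AES-256 encrypted payload


def is_external(principal: str) -> bool:
    return not principal.lower().endswith("@" + TENANT_DOMAIN)


def check_right(doc: ProtectedDocument, principal: str, right: str,
                authenticated: bool, now: datetime) -> Tuple[bool, str]:
    """Return (granted, reason). The owner keeps every right, even after revocation."""
    lic = doc.license
    if not authenticated:
        return False, "not authenticated"  # guests and internal users alike
    if principal == lic.owner:
        return True, "owner"
    if lic.revoked:
        return False, "access revoked by owner"
    if now < lic.not_before or (lic.not_after is not None and now > lic.not_after):
        return False, "outside validity period"
    if right in lic.rights.get(principal, frozenset()):
        return True, "external guest" if is_external(principal) else "internal user"
    return False, f"right {right} not granted"


def copilot_can_use(doc: ProtectedDocument, principal: str,
                    authenticated: bool, now: datetime) -> bool:
    """Copilot needs EXTRACT; a VIEW-only grant keeps the content out of its reach."""
    return check_right(doc, principal, "EXTRACT", authenticated, now)[0]


def revoke(doc: ProtectedDocument) -> ProtectedDocument:
    """Owner revocation: returns a copy whose license is marked revoked."""
    return replace(doc, license=replace(doc.license, revoked=True))


NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed "current" time
SAMPLE_DOC = ProtectedDocument(
    name="board-minutes.docx",
    license=PublishingLicense(
        owner="alice@contoso.example",
        rights={
            "bob@contoso.example": frozenset({"VIEW", "EDIT", "EXTRACT"}),
            "carol@partner.example": frozenset({"VIEW"}),
        },
        not_before=datetime(2026, 1, 1, tzinfo=timezone.utc),
        not_after=datetime(2026, 12, 31, tzinfo=timezone.utc),
    ),
    ciphertext=b"<encrypted payload placeholder>",
)

if __name__ == "__main__":
    for who, right in [("bob@contoso.example", "EDIT"), ("carol@partner.example", "VIEW"),
                       ("carol@partner.example", "EDIT"), ("mallory@elsewhere.example", "VIEW")]:
        print(who, right, check_right(SAMPLE_DOC, who, right, True, NOW))
```

Because the decision is made from the license carried inside the file, copying `board-minutes.docx` to a USB drive or forwarding it to `mallory@elsewhere.example` changes nothing: the guest still has to authenticate, still gets only the rights named in the license, and loses them once the owner revokes or the validity period ends.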

5. The Key Role of Employees: The First Line of Defense

Despite automation through AI, technology cannot solve everything. 80% of unstructured data requires business context to be properly qualified. The user remains the strong link if properly equipped.

Empowerment Through Labeling

The sensitivity label materializes the document's value for the user. When an employee sees a red "Highly Confidential" bar in their email, their behavior changes (increased vigilance).

Best Practices to Disseminate

  1. Classification at the source: Label the document upon creation.
  2. Principle of least privilege: Restrict access rights to what is strictly necessary (avoid "Everyone" links on labeled data).
  3. Regular review: Should a "Project X Confidential" document remain so 3 years after the project ends? Purview's Data Lifecycle Management feature enables retention and deletion management, but business decisions take priority.

6. IDECSI: Operationalizing Purview Governance

While Microsoft Purview provides the infrastructure for classification and protection, companies often encounter an "operational gap": how to ensure that labels are properly applied and that permissions remain consistent over time?

This is where IDECSI comes in with native complementarity to Microsoft 365.

Visibility Focused on Real Risk

IDECSI ingests unified logs and Purview sensitivity labels to offer a consolidated view:

  • Which "Confidential" documents are shared with external guests?
  • Where are the bottlenecks (sensitive files stored in public Teams)?
  • Detection of permissive configurations that could be exploited by Copilot.

MyDataSecurity: Engaging the User in Remediation

Microsoft admin consoles are designed for IT experts, not for business users.

With MyDataSecurity, IDECSI directly notifies the Data Owner in case of an anomaly on a classified file:

  • "You shared this 'Confidential' file with a public link, is this normal?"
  • "Do you validate Mr. X's access to this sensitive folder?"

This approach enables real-time permission correction, reduces false positives for the SOC, and maintains data hygiene essential for compliance and AI effectiveness.
