Data is everywhere—and in most environments I’ve worked in, it’s completely uncontrolled.
Sensitive files get emailed externally, copied to personal devices, or uploaded to cloud apps with zero visibility. Even worse, most organisations think they’re protected because they’ve created a few labels—but they’re rarely enforced or automated.
That’s the real problem: manual classification doesn’t scale.
If users have to remember to label data, they won’t. And when they don’t, your DLP policies are effectively blind.
This is where Microsoft Purview DLP and Sensitivity Labels with auto-labelling become critical.
In this article, I’ll walk through:
- How to properly implement DLP policies across Microsoft 365
- How to deploy sensitivity labels that actually get used
- How to configure auto-labeling for key data types (credit cards, PII, financial data)
- Real-world lessons from deployments that worked—and those that didn’t
Quick Fix Summary
If you want a secure baseline quickly:
- ✅ Create sensitivity labels for key data types (Confidential, Highly Confidential)
- ✅ Enable auto-labeling for built-in sensitive info types (PII, financial data)
- ✅ Deploy DLP policies across Exchange, SharePoint, OneDrive, and Teams
- ✅ Start in audit mode before enforcing blocking actions
- ✅ Train users with policy tips instead of silently blocking
Why DLP and Sensitivity Labels Often Fail
The Common Mistake
Most environments:
- Create labels but don’t enforce them
- Deploy DLP without understanding data flows
- Skip auto-labeling entirely
- Go straight to blocking → cause business disruption → roll back
Reality Check (From Experience)
In one deployment:
- 70% of sensitive documents were unlabelled
- DLP policies weren’t triggering because labels didn’t exist
- Users bypassed controls using personal email
Fix: Auto-labeling + gradual enforcement
Understanding the Architecture (Microsoft Purview)
Key components:
| Component | Purpose |
|---|---|
| Sensitivity Labels | Classify and protect data |
| Auto-Labeling | Automatically apply labels based on content |
| DLP Policies | Detect and prevent data leakage |
| Sensitive Info Types | Built-in detectors (e.g., TFN, credit cards) |
Step-by-Step: Create Sensitivity Labels
Step 1: Navigate to Microsoft Purview
Go to:
https://compliance.microsoft.com
Navigate:
Information Protection → Labels
Step 2: Create a Label
Example:
- Name: Highly Confidential – Financial
- Encryption: Enabled
- Content Marking: Optional
- Scope:
  - Files & Emails
Step 3: Configure Protection
- Encryption:
  - Assign access to specific users/groups
- Permissions:
  - View only / Do Not Forward
Step 4: Publish Labels
Go to:
Label policies → Publish labels
Assign to:
- Users or groups
- All locations (Exchange, SharePoint, OneDrive)
Step-by-Step: Configure Auto-Labelling
Step 1: Create Auto-Labeling Policy
Navigate:
Information Protection → Auto-labeling
Step 2: Choose Sensitive Info Types
Common ones:
- Credit Card Numbers
- Bank Account Numbers
- Tax File Numbers (AU-specific)
- Passport Numbers
Step 3: Define Conditions
Example:
- Apply label if:
  - ≥ 1 credit card number
  - Confidence level: High
Step 4: Select Locations
- SharePoint
- OneDrive
- Exchange
Step 5: Run in Simulation Mode
Always start here.
Review matches before enforcing.
Step-by-Step: Create DLP Policies
Step 1: Navigate to DLP
Data Loss Prevention → Policies → Create Policy
Step 2: Choose Template or Custom
Templates:
- Financial Data
- Privacy Data
- Health Data
Step 3: Configure Rules
Example rule:
- If:
  - Content contains credit card number
- Then:
  - Block external sharing
  - Show policy tip
  - Alert admin
Step 4: Enable User Notifications
- Policy tips in Office apps
- Email alerts
Step 5: Deploy in Audit Mode First
Then:
- Move to block with override
- Then to strict enforcement
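The rollout in Steps 1 to 5, scripted in Security & Compliance PowerShell as an added example (not from the original article). The policy name, rule name, alert address and the helper `Set-ExampleDlpStage` are placeholders invented here, and it assumes your tenant accepts one rule across the Exchange, SharePoint and OneDrive locations.

```powershell
# Assumes the ExchangeOnlineManagement module and an active Connect-IPPSSession.
# All names and the alert address below are placeholders for this example.
$policyName = 'Example - Credit card external sharing'
$ruleName   = 'Example - Block external credit card sharing'

# Step 5 first: create the policy in audit mode. Matches are logged,
# nothing is blocked and users see no policy tips.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications `
    -Comment 'Audit-mode baseline; review matches before enforcing'

# Step 3 rule: credit card number shared outside the organisation
# -> block, show a policy tip, alert an admin.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This item contains credit card data and cannot be shared externally.' `
    -NotifyAllowOverride WithJustification `
    -GenerateAlert 'dlp-alerts@example.com'

# Hypothetical helper: move the policy one stage at a time, after reviewing
# the matches produced by the previous stage.
function Set-ExampleDlpStage {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Audit', 'AuditWithTips', 'BlockWithOverride')]
        [string]$Stage
    )
    $mode = switch ($Stage) {
        'Audit'             { 'TestWithoutNotifications' }  # log only
        'AuditWithTips'     { 'TestWithNotifications' }     # tips shown, no blocking
        'BlockWithOverride' { 'Enable' }                    # rule actions enforced
    }
    Set-DlpCompliancePolicy -Identity $policyName -Mode $mode
    Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode
}

# Later, once each stage's matches have been reviewed:
#   Set-ExampleDlpStage -Stage AuditWithTips
#   Set-ExampleDlpStage -Stage BlockWithOverride
# Strict enforcement is the same policy with the override option removed from the rule.
```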
Real-World Example: What Actually Works
Scenario: Finance Department Data Leakage
Problem:
- Users emailing spreadsheets externally
Solution:
- Auto-label files containing financial data
- Apply encryption via label
- DLP blocks external sharing
Result:
- Immediate reduction in data leaks
- Minimal user disruption due to policy tips
PowerShell: Useful Commands
```powershell
# Connect to Compliance Center (the cmdlet ships in the ExchangeOnlineManagement module)
Connect-IPPSSession

# View DLP Policies
Get-DlpCompliancePolicy

# View Sensitive Info Types
Get-DlpSensitiveInformationType
```
Additional Tips / Pro Tips
✅ Pro Tip: Start with Audit Mode
Jumping straight to blocking will break workflows.
⚠️ Warning: Auto-Labelling Can Over-Classify
Test carefully:
- False positives can frustrate users
✅ Pro Tip: Use Exact Data Match (EDM)
For higher accuracy:
- Match internal datasets (e.g., customer database)
⚠️ Warning: Don’t Ignore Endpoint DLP
Cloud-only DLP misses:
- USB transfers
- Local file copies
✅ Pro Tip: Integrate with Defender for Cloud Apps
Extend protection to:
- Third-party SaaS apps
Troubleshooting Common Issues
DLP Not Triggering
Check:
- Policy scope
- Sensitive info type confidence level
- Label presence
Auto-Labelling Not Applying
Check:
- Policy status (simulation vs active)
- File location supported
- Licensing (E5 required)
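A quick way to run the "policy status" checks from both lists above in one pass, as an added example (not from the original article). The function name `Get-ExamplePolicyState` is hypothetical, and the script assumes an active `Connect-IPPSSession` session and that each policy object exposes `Name` and `Mode` properties.

```powershell
# Lists every DLP and auto-labeling policy with its mode and rule count,
# and flags the states in which a policy cannot block or label anything.
function Get-ExamplePolicyState {
    $policies = @()

    foreach ($p in Get-DlpCompliancePolicy) {
        $policies += [pscustomobject]@{
            Type  = 'DLP'
            Name  = $p.Name
            Mode  = "$($p.Mode)"
            Rules = @(Get-DlpComplianceRule -Policy $p.Name).Count
        }
    }

    foreach ($p in Get-AutoSensitivityLabelPolicy) {
        $policies += [pscustomobject]@{
            Type  = 'AutoLabel'
            Name  = $p.Name
            Mode  = "$($p.Mode)"
            Rules = @(Get-AutoSensitivityLabelRule -Policy $p.Name).Count
        }
    }

    foreach ($p in $policies) {
        $finding = if ($p.Rules -eq 0) {
            'No rules: the policy can never match'
        } elseif ($p.Mode -like 'Test*') {
            'Simulation/audit only: matches are recorded, actions are not enforced'
        } elseif ($p.Mode -ne 'Enable') {
            "Not active (mode $($p.Mode))"
        } else {
            'Enforcing'
        }
        # Emit the policy row with the finding attached.
        $p | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    }
}

Get-ExamplePolicyState | Sort-Object Type, Name | Format-Table -AutoSize
```

A policy reported as enforcing that still never fires points back to the other items in the lists: scope, confidence level, label presence, supported locations and licensing.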
Users Bypassing Controls
Common methods:
- Personal email
- Screenshots
Mitigation:
- Endpoint DLP
- Conditional Access
FAQ Section
1. What’s the difference between DLP and sensitivity labels?
Sensitivity labels classify and protect data, while DLP detects and prevents data leakage based on rules and conditions.
2. Do I need E5 for auto-labeling?
Yes, auto-labeling typically requires Microsoft 365 E5 or equivalent licensing.
3. Can DLP block emails with sensitive data?
Yes. DLP can block, encrypt, or allow with override depending on policy configuration.
4. What is the best way to start DLP deployment?
Start in audit mode, review results, then gradually enforce policies.
5. Does auto-labeling work on existing files?
Yes, with auto-labeling policies for data at rest, but it can take time to process.
Conclusion / Actionable Takeaways
Implementing DLP and sensitivity labels properly is one of the highest-impact security improvements you can make in Microsoft 365—but only if done correctly.
Next Steps:
- Define your data classification framework
- Create and publish sensitivity labels
- Enable auto-labeling for key data types
- Deploy DLP in audit mode
- Gradually enforce policies with user awareness
From real-world experience, success comes down to balancing security with usability. If users feel blocked, they’ll find workarounds. If you guide them with smart policies and automation, you’ll dramatically reduce risk without slowing the business down.
Last Updated
April 2026 – Updated for latest Microsoft Purview, Microsoft 365 DLP, and auto-labeling capabilities.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
