Use the data classification dashboard to monitor sensitivity labels

As the global consulting firm continues to advance its data security strategy with Microsoft Purview Information Protection, attention turns to monitoring the effectiveness of implemented sensitivity labels. The firm uses the Data classification dashboard within the Microsoft Purview compliance portal for a comprehensive overview of how sensitivity labels are being applied across the organization. This dashboard shows:

  • The distribution of sensitivity labels.
  • User activities on sensitive content.
  • Locations of sensitive data.

You can find the data classification dashboard by navigating to Data classification in the Microsoft Purview compliance portal.

Permissions needed for the data classification dashboard

In order to get access to the data classification page, an account must be assigned membership in any one of the roles or groups listed in the table.

| Microsoft Purview roles | Microsoft Purview role groups | Microsoft 365 roles | Microsoft 365 role groups |
|---|---|---|---|
| Information Protection Admin | Information Protection | Global Admins | Compliance Administrator |
| Information Protection Analyst | Information Protection Admins | Compliance Admins | Security Administrator |
| Information Protection Investigator | Information Protection Investigators | Security Admins | Security Reader |
| Information Protection Reader | Information Protection Analysts | Compliance Data Admins | |
| | Information Protection Readers | | |

The data classification overview dashboard

The Data Classification Overview page in Microsoft Purview provides a centralized summary of how your organization classifies its data. It displays key metrics on the application of sensitivity and retention labels, identifies top sensitive information types across your data, and summarizes user activities on sensitive content. This dashboard offers insights into the distribution and management of classified data across Microsoft 365 services, empowering administrators to make informed decisions about data protection and compliance strategies.

Top sensitivity labels applied to content

In the Top sensitivity labels applied to content section, the dashboard shows how sensitivity labels affect your organization. Sensitivity labels do two things when you apply them:

  1. Embed a tag: A tag that indicates the value of the item to your organization is embedded in the document and follows the document everywhere it goes.
  2. Activate protective measures: The presence of the tag enables various protective behaviors, such as mandatory watermarking or encryption. With endpoint protection enabled, you can even prevent an item from leaving your organizational control.

Sensitivity labels must be enabled for files that are in SharePoint and OneDrive in order for the corresponding data to surface in the data classification page.

The data classification content explorer

The content explorer for sensitivity labels enables administrators to closely monitor and manage the application of these labels across SharePoint, OneDrive, and Exchange content. It offers a real-time, detailed view of items tagged with sensitivity labels, allowing for an in-depth analysis of how sensitive information is stored, shared, and handled within the organization. Administrators can see which labels are applied most frequently, assess the distribution of labeled content across various locations, and directly access individual items to review their labeling and content.

Required permissions to access items in content explorer

Access to content explorer, which allows reading the contents of scanned files, is restricted and managed through two roles within the Microsoft Purview compliance portal:

  • Content Explorer List viewer grants the ability to view item listings and their locations. The data classification list viewer role is preassigned to this role group.
  • Content Explorer Content viewer grants the ability to view the contents of items. The data classification content viewer role is preassigned to this role group.

Users can be assigned to either or both roles, depending on their need to view item listings or access content directly. Global Administrators can assign these roles to users directly or through custom role groups for tailored access control.
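
Because the Content viewer role exposes file contents, membership of both role groups is worth reviewing periodically. The following is an added example, not part of the original module: it lists the members of the two role groups named above through Security & Compliance PowerShell and flags content viewers that are not on an allow-list. The allow-list entry and the output file name are hypothetical placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

# Hypothetical allow-list: accounts approved to read item contents.
$approvedContentViewers = @('dlp-analyst-placeholder')

$roleGroups = @{
    ListViewer    = 'Content Explorer List Viewer'
    ContentViewer = 'Content Explorer Content Viewer'
}

# Build one row per member, with a flag per role group.
$access = @{}
foreach ($flag in $roleGroups.Keys) {
    foreach ($member in Get-RoleGroupMember -Identity $roleGroups[$flag]) {
        if (-not $access.ContainsKey($member.Name)) {
            $access[$member.Name] = [ordered]@{
                Member = $member.Name; RecipientType = $member.RecipientType
                ListViewer = $false; ContentViewer = $false; Approved = $true
            }
        }
        $access[$member.Name][$flag] = $true
    }
}

$report = foreach ($row in $access.Values) {
    # Content viewers outside the allow-list need review.
    if ($row.ContentViewer -and $row.Member -notin $approvedContentViewers) {
        $row.Approved = $false
    }
    [pscustomobject]$row
}

# Unapproved content viewers sort to the top of the table.
$report | Sort-Object Approved, Member | Format-Table -AutoSize
$report | Export-Csv -Path .\content-explorer-access.csv -NoTypeInformation
```

A member whose RecipientType is a group grants the role to everyone in that group, so expand those entries before signing off the review.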

Using the content explorer

  1. Navigate to the Microsoft Purview compliance portal > Data classification > Content explorer.
  2. Use the filter box to search for a specific label or sensitive information type, if known.
  3. Alternatively, explore available items by expanding the label type categories and choosing the desired label.
  4. Under All locations choose a specific location and explore the folder hierarchy to find your item.
  5. To view an item directly within content explorer, double-click on it.

Export and filter with content explorer

In the content explorer, the Export feature lets you create a .csv file capturing the current view's data. This option is useful for documenting and analyzing information outside the platform. It might take up to seven days for counts to be updated in the content explorer.

The Filter function becomes available as you navigate deeper into specific locations, like Exchange or Teams folders, or SharePoint and OneDrive sites. This tool helps you to narrow down your searches within the All locations pane, using different search criteria:

  • Exchange or Teams: Search using the full email address (for example, user@domainname.com).
  • SharePoint or OneDrive: The filter appears when accessing site names, folders, and files, allowing searches based on site names (for example, https://contoso.onmicrosoft.com/sites/sitename), file names (RES_Resume_1234.txt), beginnings of file names (RES), text after an underscore (Resume or 1234), and file extensions (txt).

The data classification activity explorer

The data classification overview and content explorer tabs show you labeled content and its location. Activity explorer rounds out this set by tracking actions on labeled content, offering a historical view from the Microsoft 365 unified audit logs. Activity explorer reports on up to 30 days' worth of data.

Activity types

Activity explorer gathers information from the audit logs of multiple sources of activities.

Some examples of the Sensitivity label activities and Retention labeling activities from applications native to Microsoft Office, the Microsoft Purview Information Protection scanner, SharePoint, Exchange (sensitivity labels only), and OneDrive include:

  • Label applied
  • Label changed (upgraded, downgraded, or removed)
  • Auto-labeling simulation
  • File read

Labeling activity particular to Microsoft Purview Information Protection scanner that comes into activity explorer includes:

  • Protection applied
  • Protection changed
  • Protection removed
  • Files discovered
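
The label changes that matter most for monitoring are downgrades and removals. The following is an added example, not part of the original module: it filters unified audit log records for those two cases and counts them per user. The AuditData field names (SensitivityLabelEventData, LabelEventType, JustificationText), the LabelEventType values and the operation names in the commented query are assumptions about the audit schema to verify in your tenant; the sample records are constructed.

```powershell
# Assumed LabelEventType values from the audit schema (verify in your tenant).
$labelEventNames = @{ 1 = 'Upgraded'; 2 = 'Downgraded'; 3 = 'Removed'; 4 = 'ChangedSameOrder' }

function Get-LabelWeakeningEvent {
    # Emits one row per record whose label was downgraded or removed.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        $type = [int]$data.SensitivityLabelEventData.LabelEventType
        if ($type -in 2, 3) {
            [pscustomobject]@{
                Time          = $data.CreationTime
                User          = $data.UserId
                Operation     = $data.Operation
                Change        = $labelEventNames[$type]
                Item          = $data.ObjectId
                Justification = $data.SensitivityLabelEventData.JustificationText
            }
        }
    }
}

# Constructed sample records, shaped like Search-UnifiedAuditLog output.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T09:14:00","UserId":"adele@contoso.example","Operation":"SensitivityLabelUpdated","ObjectId":"Q2-forecast.xlsx","SensitivityLabelEventData":{"LabelEventType":2,"JustificationText":"Sharing with client"}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T10:02:00","UserId":"adele@contoso.example","Operation":"SensitivityLabelRemoved","ObjectId":"offer-letter.docx","SensitivityLabelEventData":{"LabelEventType":3,"JustificationText":""}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-03T08:30:00","UserId":"megan@contoso.example","Operation":"SensitivityLabelUpdated","ObjectId":"roadmap.pptx","SensitivityLabelEventData":{"LabelEventType":1}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-03T11:45:00","UserId":"megan@contoso.example","Operation":"SensitivityLabelApplied","ObjectId":"notes.docx"}' }
)

# Against a live tenant (Exchange Online PowerShell), replace $sample with, for example:
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations SensitivityLabelUpdated, SensitivityLabelRemoved -ResultSize 5000
$weakened = $sample | Get-LabelWeakeningEvent

# Detail rows, then a per-user count to spot accounts that weaken labels often.
$weakened | Format-Table Time, User, Change, Item, Justification -AutoSize
$weakened | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```

Exporting these rows on a schedule keeps a record of downgrades and removals beyond the 30 days that activity explorer reports on.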

Monitor the use of sensitive information in your organization interactive guide

Use the interactive guide for a walkthrough on using the content explorer and activity explorer to monitor sensitivity labels.
