This article lists frequently asked questions about sensitivity labeling in the Microsoft Purview Data Map, with their answers and links to more information as needed.
Important
Labeling in the Microsoft Purview Data Map is currently in PREVIEW. The Supplemental Terms of Use for Microsoft Azure Previews include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Licensing and setup
What are the licensing requirements to use sensitivity labels on files and database columns in the Microsoft Purview Data Map?
To use sensitivity labels in the Microsoft Purview Data Map, you'll need at least one Microsoft 365 license/account within the same Microsoft Entra tenant as your Microsoft Purview account.
The following Microsoft 365 licenses are required to automatically apply sensitivity labels to your assets in Microsoft 365 and the Microsoft Purview Data Map:
- Microsoft 365 E5/A5/G5
- Microsoft 365 E5/A5/G5 Compliance
- Microsoft 365 E5/A5/G5 Information Protection, and Governance
- Office 365 E5, Enterprise Mobility + Security E5/A5/G5, and AIP Plan 2
For more information, see Microsoft 365 service descriptions.
How are sensitivity labels applied to Azure Storage and Azure SQL?
You can create and apply autolabeling policies to detect Microsoft out-of-the-box classifiers to specific or all data assets that are registered in the Purview Data Map for Azure Storage and Azure SQL server.
- After creation and activation of autolabeling policy, wait 15 minutes for the policy to sync.
- Any future scans will automatically apply the highest sensitivity label from autolabeling policies when the autolabeling conditions are met.
- Sensitivity labels are applied only to the asset metadata in the Microsoft Purview Data Map and aren't applied to the actual files and database columns. These sensitivity labels don't modify your files and databases in any way.
Classifications vs sensitivity labels
What is the difference between classifications and sensitivity labels?
The following table lists the differences between classifications and sensitivity labels:
Comparison | Classifications | Sensitivity labels |
---|---|---|
Definition | Classifications are regular expressions or patterns that can help identify data types that exist inside an asset. | Sensitivity labels are tags that allow organizations to categorize data based on business impact, while abstracting the type of data from the user. |
Examples | Social Security Number, Drive license number, Bank account number, etc. | Highly confidential, Confidential, General, Public, etc. |
Scope | The scope of classifications applied to an asset is limited to the Microsoft Purview Data Map where the classifications were applied. If the data moves to an asset managed by another Microsoft Purview Data Map, classifications applied in the original location aren't visible in the new location. | Sensitivity labels applied on an asset travel with the data no matter where the data goes. For example, this means that sensitivity labels applied to a file in Microsoft Purview Information Protection are automatically visible and remain applied to the file, even if it moves to Azure, SharePoint, or Teams. |
Scan Process | Scanning an asset in the Microsoft Purview Data Map looks for both system-defined and user-defined (custom) classifications in your data. If found, classifications are added in the Microsoft Purview map for the scanned asset. | If you autolabeling policy for Azure Storage or Azure SQL, scanning an asset in the Microsoft Purview Data Map applies the labels to assets in the catalog based on the classifications found in the scan. |
Authoring environment | Custom classifications and classification rules can be created in the Microsoft Purview Data Map. You can also create custom classifications in Microsoft Purview Information Protection. However, we don't yet support importing them to the Microsoft Purview Data Map. | Manage sensitivity labels using the Microsoft Purview Information Protection. |
Assignment Limits | Assets can have no classifications, or one or more classifications assigned. | Each asset can have only one sensitivity label. |
Asset application workflow | You can use Microsoft Purview Unified Catalog to manually add or modify classifications that are assigned to an asset. | In the Microsoft Purview Data Map, sensitivity labels are automatically assigned to assets based on classifications found. Applying labels manually in the Microsoft Purview Data Map isn't currently supported. |
More Information | Learn more about classifications. | Learn more about sensitivity labels. |
Are classifications and Sensitive Information Types (SITs) the same thing?
While classifications and SITs are fundamentally the same things, classifications are a Microsoft Purview Data Map concept and SITs are a Microsoft Purview Information Protection concept. Both classifications and SITs are used by their respective services to identify the type of data found in an asset.
Labeling capabilities in the Microsoft Purview Data Map
Which data sources can I apply sensitivity labels to in the Microsoft Purview Data Map?
You can apply sensitivity labels to all the data sources listed under Supported data sources for sensitivity labels in the Microsoft Purview Data Map.
Which file types can I apply sensitivity labels to in the Microsoft Purview Data Map?
You can apply sensitivity labels to all Microsoft Purview Data Map supported file types.
Can I use my custom Sensitive Information Type (SIT) in Microsoft Purview Information Protection for schematized data assets?
No, custom sensitive information types aren't supported in the Microsoft Purview Data Map at this time. The Microsoft Purview Data Map currently only supports Microsoft Purview Information Protection built-in sensitive information types.
Can I use the advanced classifiers from Microsoft Purview Information Protection in the Microsoft Purview Data Map?
No, advanced classifiers aren't currently supported in the Microsoft Purview Data Map and won't appear.
Can I manually label an asset, or manually modify or remove a label in the Microsoft Purview Data Map?
The Microsoft Purview Data Map supports autolabeling only. Labels are automatically applied to assets in the data map based on autolabeling policy configuration.
The Microsoft Purview Data Map doesn't currently support manually applying a label, modifying, or removing a label from an asset.
Can autolabeling for Purview Data Map apply to assets that might include credential content?
The Microsoft Purview Data Map currently doesn't support scanning for credentials. When the Data Map supports scanning for credentials, you should be able to apply labels based on credentials found.
Can I apply encryption and/or content marking to files in the Microsoft Purview Data Map, as I can for Office documents and emails?
No, although the sensitivity label might be configured for these protection actions, we don't currently support encryption and content marking for files in the Microsoft Purview Data Map. We only support protection actions that are configured in protection policies.
Does the Microsoft Purview Data Map support data loss prevention?
No, the Microsoft Purview Data Map doesn't currently provide data loss prevention (DLP) capabilities. Data Loss Prevention is currently supported only for Microsoft 365 apps and services.
Access and roles
Where can I manage my autolabeling policies for labeling beyond Microsoft 365?
Sensitivity labels and autolabeling policies are managed in Microsoft Purview Information Protection. For more information, see How to create sensitivity labels in Microsoft Purview Information Protection.
Who can manage sensitivity labels?
The following built-in admin roles include permissions to manage sensitivity labels:
- Global Administrator
- Compliance Administrator
For more information, see Permissions required to create and manage sensitivity labels. After you have compliance and global administrators configured, those administrators can give access to individual users.
Note
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Who can search and browse assets with sensitivity labels in Microsoft Purview Unified Catalog?
All users with at least data reader access to the Microsoft Purview Data Map have permissions to search and browse assets with sensitivity labels in Unified Catalog.
Who can view the sensitivity label insights report in Microsoft Purview Data Estate Insights?
All users with the insights reader role and at least data reader permissions on applicable collections will have permissions to view sensitivity label insights reports in Microsoft Purview Data Estate Insights.
Technical details
Does the Microsoft Purview Data Map scan an entire asset when applying autolabeling policies to the database columns?
The Microsoft Purview scanner samples the data. For more information, see sampling data for classification and autolabeling.
If there are multiple sensitivity labels that meet the classification criteria, which label is applied?
Sensitivity labels have a priority 'order' and the Microsoft Purview Data Map uses this order to assign labels. If there are multiple labels meeting the classification criteria, the Microsoft Purview Data Map selects the label with the highest order.
For more information, see Label priority order matters.
SQL data discovery and classification
Why does Microsoft support two classification experiences for SQL databases, Microsoft Purview and SQL data discovery and classification?
Microsoft Purview provides a classification and labeling experience for all your Azure assets including SQL databases. Microsoft Purview is intended for organizations that want to manage their entire data estate in a single place with the power of classification, labeling, alerting, and more. Microsoft Purview uses sensitivity labels, which have a global scope and travel with your data no matter where it moves to or what it transforms into.
In contrast, SQL data discovery and classification is built into SQL. SQL data discovery and classification existed before Microsoft Purview as a way to provide basic capabilities for discovering, classifying, labeling, and reporting the sensitive data in your SQL databases. SQL data discovery and classification use local labels that don't have a global scope and don't support sensitivity labels.
I applied labels in SQL data discovery and classification. Why are these labels not showing up on my asset in Microsoft Purview?
SQL classification uses local labels, while Microsoft Purview uses sensitivity labels. Labels applied in the SQL classification experience won't show up in Microsoft Purview. For more information, see Labeling for SQL databases.
For more information, see: