Whether data is at rest or in transit, there's always a risk associated with holding that data. Within Microsoft 365 there are many different ways organizations can ensure that data is protected. By using tools like Data Classification or implementing Data Loss Prevention Policies, you can make sure that data is accessed only by those who have proper access. Let's start off with sensitivity labels. Sensitivity labels essentially allow classification of data to protect it without affecting authorized user access or collaboration features. 

They can apply to things like documents, groups, or emails, and can be thought of as a virtual stamp attached to that piece of data. These stamps signify different levels of sensitivity for the data that it's attached to, which are labels like personal, public, general, confidential, and highly confidential. The sensitivity labels are stored in metadata of that data, so the label travels with the data wherever it goes. This is important as different sensitivity labels can apply or enforce different settings depending upon options set by the organization. These settings can be something like encrypting emails or documents or marking content with things like watermarks. 

Labels also store as clear text in the metadata essentially meaning that third party apps outside of Microsoft 365 can read that label and apply security settings to the data as well. The greatest strength of sensitivity labels, however, is the option to have different labels apply automatically based on content that matches certain conditions. You can have a document with sensitive data like a phone number be automatically labeled, so that way you don't need to worry about users properly classifying each document. This ensures that across your organization's, all the data is classified and labeled in the same process without having to worry about user error.