DEMO: Retention Sensitivity Labels
Start course

This course is designed to give you a solid understanding of data loss prevention (DLP) in Microsoft 365. You will learn how data loss prevention works and why you as a Microsoft 365 administrator would want to implement it.

After a general DLP overview, you will be guided through a series of demonstrations that will show you how to create, test, and edit DLP policies, report on DLP and view alerts, and automatically apply labels based on data loss policy matches.

Learning Objectives 

  • Obtain a foundational understanding of data loss prevention
  • Learn how to implement data loss prevention in Microsoft 365
  • Learn how to report on data loss prevention policies

Intended Audience

This course is intended for anyone preparing for the MS-101 or MS-500 exam or who simply wants to learn about data loss prevention in Microsoft 365.


To get the most out of this course, you should have some basic experience using Microsoft 365.

Additional Resources

Microsoft Licensing Guide: 


All right, so the next thing we're going to do is run through automatically applying labels based off the data loss policy matches. So what we'd need to do is go into the security and compliance center rather than the Microsoft 365 compliance. So if we go back into here and we go down to retention labels, in this area we can create a label.

So if we create one... So we'll say the description will, this will disable deletion for 10 years. Go next. You can add in these things if you wish, which we do not wish. And now we turn on retention where you're going to make that for 10 years like we've said in our description. We could also make it delete the content automatically, but we're not going to. Next. And create the label. So now we've created this label called Do Not Delete. What we can do here is go into the label policies and then we'll set auto apply label. Choose the label that we've just created. So now we've set that to do not delete. 

In here we'll say, apply the label to content that contains specific information. And we're just going to set it, again, to our Australian financial data. You could do a custom, the same as you made the DLP policy but we're just going to do it with the template. The same as we made the DLP policy as well. And then go next. We will name the policy and we'll give it some description and hit next. And then we're going to say in all locations. You could also change it to let you choose specific. The same way that you would have before in the other stuff that we've made, but we're just going to do it on all locations. And then you can review your settings at any time. You can change it.

Once again, with a lot of these changes, it does take some time for it to propagate through exchange and everything. So here it does tell you, it will take up to seven days to automatically apply the labels that match your conditions. Then we'll tick auto apply. And that's it. Now we've got our do not delete that attaches the label here, and it makes the retention period for 10 years. That will now set the retention period.

So the other type of label we can do as well is a sensitivity type label. So let's go through that. So what you can do is hit create the label, enter a name. See, I give it a name, a display name. Give it all the names that it needs. And then hit next. And then you select your scope. So we're going to say files and emails for this scope. The other ones are blocked because we haven't completed these steps.

If you do want to complete the steps, you click those links and fill out the details or configure the settings that are needed. So if you do want to be able to use it on groups and sites or Azure Purview, you will need to complete additional steps to enable these features. So for the scope of this video, we're just configuring it on files and emails. So we'll click next. And now we can say, what do we want to do? So we can encrypt the files and emails and we can also mark the content of the files. So we're going to tick both.

So what do you want to happen with the encryption, with this? You can click here to learn more about the encryption settings. So that will take you, like a lot of those other links, will take you straight to the docs and you can see all of the details about it. But we're just going to leave it blank and continue on. So we're not going to set up any encryption. You can also do content marketing. So if you want custom headers and footers or watermarks. So let's turn that on.

We're going to add a watermark and we'll just call it confidential. Confidential. Do not share. And we'll make the font size 15. Font color red and the text diagonal. And we'll do the same for a header. And the same for the footer. So what this will do is it will mark the documents with the words confidential, do not share in both, in all three things. So the watermark, the header and the footer of any documents that are found that match these sensitivity labels. So if you can apply the manually, but we're going to do it so it auto applies and it will automatically apply this sensitivity label to any documents that match our data loss policies. So we're not going to set up auto labeling in here. What we're going to do is do it in our auto labeling policies. So if we hit next.

So because we haven't configured the settings needed for teams and groups and stuff, these options are not there. But if you did have it set up like it showed in the links before, then these options would be available. And same thing here. We haven't got anything on Azure Purview so we can't set that up.

So now let's create the label. So now we've created our sensitivity label called sensitive info. We will also need to turn on the ability to actually use the sensitivity labels in One Drive and SharePoint, which is quite simple. We can click turn on now and now we're allowed to use it.

So the next thing we'll go to do now that we've turned it on is quite simple. We'll go to auto labeling. So now we're going to actually create the policy that will automatically apply the labels based off any matches to your data which will apply the sensitivity label settings that we just defined before in the label.

So let's create the auto labeling policy and we're going to use the template for Australian financial data. Click next. So then just give it a name so it stands out. The next thing will be to set the locations that we're going to use this policy in. One thing to be aware of is you only have a maximum of 10 SharePoint sites that you're allowed to connect to an auto labeling policy. Otherwise it will not let you create the policy.

At the moment, you can see the included in exchange is all. If you wanted to choose specific users, you can, like you had before. The other thing we can do now is select SharePoint sites. So if you choose the site, let's choose retail, U.S. sales, leadership and community. Hit done.

Now, because I've got four sites chosen, it will let me go next. Let's for example, add in more sites. So I'll show you what happens when you do that. So that's more than 10 sites now, and you can see we've got 13 sites. If I go to go next, it says the total number of selected SharePoint and One Drive for business locations has exceeded the allowed count of 10. So you can see there, like I said before, you're only allowed to have 10. Otherwise it comes up with this message. Pretty easy to fix. Just remove a couple from there. Make it under 10 sites. Hit next. Then you can choose whether you want common rules or advanced rules.

I prefer common rules. And then just setting up different policies with the same rules applied to the whole policy, rather than defining the specific rules for each location. If you did want to do that, you can, but we're not going to. Then you can see here in our define the rules for content in all locations. You can say here we've got the templated rules. So Australian financial data, Australian financial data. Same as it was in the other videos where we've configured the DLP policies.

Now it's where you choose the label you wish to auto apply. So here we just choose our label that we created before and click add. So now you can say the sensitive info label is automatically going to apply when we get the match to these policy rules. And then we go to policy mode. One thing to be aware of when creating the policy, you can't turn it on straight away because the sensitivity labels restrict what you can do with the document and can automatically add watermarks and stuff like that. It doesn't allow you to turn the policy on by default. So it forces you to run it in simulation mode, which is a good idea. You're probably better off running it in simulation mode for a while, just to check to see that it is working the way that you thought it would.

Then click next, review your settings. If anything's wrong, you can go back by clicking any of these buttons here and then create the policy. So there you go. Now we've created the policy in simulation mode. You can check the overview after some time to see the results.

So if we hit done, we can then see here, this is in simulation. You can click on it. It will take it to the overview of the simulation to let us know what's actually happened before we turn it on into production. See here, in the simulation, we've got it here. It will tell you the results for the items matched, the rules that were matched and you can review the matched items. You can click here to see them. Over the date range, same sort of thing as before. Change the filters to how you want to see that information. And it will give you the file name, the rule that was matched, the location, the sensitive info type that it was matched on that and the last modified date. So yeah, that's how to automatically create the labels and apply them based off your DLP policy settings.

About the Author

Jake is an IT manager for a managed services company that works with small- to medium-size businesses and manages their IT. He mainly works with a Microsoft Stack, from Servers to Microsoft 365 & Azure. He also specializes in business process improvement helping businesses to leverage technology to speed up their workflows. Jake really enjoys testing out new technologies and seeing what they can do. Outside of work he enjoys kayak fishing, gardening, and going to the gym.