🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AB-900 Domain 2
Domain 2 — Module 2 of 10 20%
12 of 28 overall

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free
Domain 2: Data Protection & Governance Premium ⏱ ~12 min read

Sensitivity Labels & Data Classification

Before you can protect data, you need to know what you have. Sensitivity labels are the tags that tell Microsoft 365 how important a document is — and data classification finds the data that needs tagging.

What are sensitivity labels?

☕ Simple explanation

Sensitivity labels are like security clearance stickers on documents.

In the physical world, a document stamped “TOP SECRET” is treated differently from one stamped “PUBLIC”. People know not to leave it on the printer, not to discuss it in the cafeteria, and not to take it home.

Sensitivity labels do the same thing digitally. When a file is labelled “Highly Confidential”, Microsoft 365 can automatically encrypt it, restrict who can open it, prevent it from being emailed externally, and watermark it — all without the user doing anything extra.

Sensitivity labels in Microsoft Purview classify and protect data based on its sensitivity level. Labels can be applied manually by users, recommended by Purview, or applied automatically based on content inspection rules.

When applied, labels can enforce protection actions: encryption (Azure Rights Management), content marking (headers, footers, watermarks), access restrictions (prevent external sharing), and container-level protection (restrict settings on M365 Groups, Teams, and SharePoint sites).

How sensitivity labels work

Label hierarchy (example)

LabelProtection ActionsExample Content
PublicNone — anyone can accessMarketing brochures, blog posts
InternalHeader/footer markingInternal newsletters, meeting notes
ConfidentialEncryption + restrict external sharingBusiness plans, financial reports
Highly ConfidentialEncryption + watermark + prevent copy/print + restrict to named usersBoard papers, salary data, legal contracts

Three ways to apply labels

MethodHow It WorksBest For
ManualUser selects the label from the ribbon in Word/Excel/OutlookUser knows the sensitivity
RecommendedPurview detects sensitive content and suggests a label — user confirmsGuiding users to label correctly
AutomaticPurview detects sensitive content and applies the label without user actionEnforcing labelling at scale
💡 Scenario: Northwave's labelling strategy

Priya (Compliance Officer) sets up labels for Northwave:

  1. All users see: Public, Internal, Confidential, Highly Confidential in their Office apps
  2. Auto-labelling rule: Any document containing credit card numbers → auto-labelled “Confidential”
  3. Recommendation rule: Documents with keywords like “salary”, “performance review” → user is prompted to label as “Highly Confidential”
  4. Default label: All new documents start as “Internal” (users can change it)

Result: 80% of documents are labelled within the first month — most without users doing anything.

Data classification — finding what needs labels

Before you label, you need to know what data you have. Purview’s data classification tools:

ToolWhat It Does
Sensitive information types (SITs)Built-in patterns that detect data like credit cards, passport numbers, national IDs
Trainable classifiersAI models trained to recognise content types (contracts, resumes, source code)
Content explorerBrowse to see exactly what sensitive data exists and where
Activity explorerSee what’s happening to labelled data — who’s sharing, downloading, printing

Key exam concept: Sensitivity labels PROTECT data. Data classification DISCOVERS data. You need both — classification tells you what to label, labels enforce protection.

Labels on containers (Teams, Groups, Sites)

Labels can also be applied to containers — not just files:

  • M365 Group / Team → label controls privacy (public/private), external sharing, and guest access
  • SharePoint site → label controls sharing settings, access from unmanaged devices

This means labelling a Team as “Confidential” can automatically restrict guest access and limit sharing — at the container level, not per-file. Device-based restrictions (like requiring managed devices) are set through Conditional Access policies that complement the label.

🎬 Video walkthrough

🎬 Video coming soon

Sensitivity Labels & Classification — AB-900 Module 12

Sensitivity Labels & Classification — AB-900 Module 12

~10 min

Flashcards

Question

What do sensitivity labels do?

Click or press Enter to reveal answer

Answer

They classify and protect data by enforcing actions: encryption, content marking (headers/footers/watermarks), access restrictions (block external sharing), and container protection (control M365 Group/Team/Site settings).

Click to flip back
Question

What are the three ways to apply sensitivity labels?

Click or press Enter to reveal answer

Answer

1) Manual — user selects from the ribbon. 2) Recommended — Purview suggests, user confirms. 3) Automatic — Purview detects sensitive content and applies without user action.

Click to flip back
Question

What's the difference between sensitive information types (SITs) and trainable classifiers?

Click or press Enter to reveal answer

Answer

SITs use pattern matching (regex) to detect specific data formats (credit cards, IDs). Trainable classifiers use AI/ML to recognise content categories (contracts, resumes, complaints). SITs are precise; classifiers handle unstructured content.

Click to flip back

Knowledge Check

Knowledge Check

Clearfield Council needs all documents containing citizen ID numbers to be automatically encrypted and restricted from external sharing — without relying on users to remember to label them. What should Officer Patel configure?

Next up: Data Loss Prevention (DLP) — the policies that prevent sensitive data from leaving your organisation.

← Previous

Microsoft Purview: The Big Picture

Next →

Data Loss Prevention (DLP)

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.