Excluding a specific user (or group) from Sensitivity labels

I’m excited to share a practical guide I’ve created that walks you through the process of excluding specific users or groups from Microsoft Purview Sensitivity Labels. This guide comes from a real-world scenario where an organization is piloting a new approach to simplify its labeling structure. They wanted to test how reducing the number of labels applied to users would affect workflows and information protection. To support this, I’ve put together detailed instructions on how to effectively manage exclusions in Purview, along with a back-out process to ensure a smooth rollback if needed.

This PDF guide is packed with step-by-step instructions, screenshots, and expert tips to help you navigate the nuances of label exclusions. Whether you’re in the middle of a label simplification pilot or simply looking to better control label application, this guide will help streamline your process. Get ready to dive in and experience a more flexible, user-centered approach to managing Sensitivity Labels in Microsoft Purview!

From Novice to Ninja: a new CISOs guide to DLP

Congratulations, CISO! 🎉 Great job in landing your new role, where protecting sensitive data isn’t just a job—it’s a daily tightrope walk over a pit of cyber threats, compliance demands, and evolving technology.

Now that you’re at the steering wheel, your inbox is probably overflowing with security concerns, regulatory requirements, and a few “fun” audit emails. Don’t worry, you’re in good company. This guide is here to give you actionable steps to set up your Data Loss Prevention (DLP) strategy, ensuring you don’t just survive in this role—you thrive.

So, what does being a CISO mean? Well, you’re now the go-to person when sensitive data sneaks out, malicious insiders get a bit too curious, or someone clicks that suspicious link promising free money from an unknown relative in Timbuktu. No pressure, right? But here’s the deal: inaction is risk. Delaying or overlooking the core elements of a solid DLP strategy could lead to breaches that cost more than your next cybersecurity budget.

To make your journey smoother, I’ve prepared a handy worksheet that you can use right now to take action on your Data Loss Prevention strategy. These aren’t just checkboxes—these are critical steps to lock down your organization’s data and avoid waking up to a breach nightmare.

You can Download the worksheet below.

Here’s what you can expect see inside:

1. Classifying Data and Why It’s Important

Why it matters: Not all data is created equal. By classifying your data, you can prioritize resources and security measures where they’re needed most. Would you protect the company picnic plan with the same force as your customers’ financial information? (Spoiler: probably not!)

Example:

  • High-risk data: Customer credit card details, proprietary code, or confidential HR files—things you’d never want to see in the wrong hands.
  • Medium-risk data: Internal meeting notes, marketing strategies—sensitive, but not catastrophic if leaked.
  • Low-risk data: Public reports, customer FAQs—this is the stuff you’d share at a conference.

Take Action Today: Review your organization’s data and start tagging it by risk level. Ask yourself, “What would happen if this data got out?” and use that to guide your classification efforts

2. Why and How to Identify Sensitive Data

Why it matters: You can’t protect what you don’t know exists. Sensitive data is often hidden across different platforms—sometimes even in the most unexpected places (like a random email attachment or NTFS file shares). Identifying it is the first step to ensuring it stays secure.

Example:

  • Sensitive Data: Personally Identifiable Information (PII) like social security numbers or health records, intellectual property (IP), and anything that’s subject to regulations like GDPR or HIPAA.
  • Surprise Discovery: Finding a list of client emails attached to a forgotten project buried in a shared folder.

Take Action Today: Use a discovery tool or audit your data manually. Start with cloud storage, email servers, and shared folders. Look for data that could lead to a privacy violation or financial loss if exposed.

3. Developing a Data Handling Policy

Why it matters: A solid data handling policy is the foundation of your DLP strategy. Without clear rules in place, sensitive information can slip through the cracks, exposing your organization to unnecessary risk. Your data handling policy ensures everyone—from top execs to interns—understands the dos and don’ts of handling sensitive information.

Example:

  • Clear Guidelines: For high-risk data like financial information, the policy might mandate encryption during transfer and restricted access to authorized personnel only.
  • Real-Life Scenario: Imagine your marketing team accidentally sharing a file with customer details over an unsecured network. A proper data handling policy would prevent this by enforcing secure file transfer practices.

Take Action Today: Draft a policy that covers how different types of data (high, medium, low risk) should be handled. It should specify everything from encryption requirements to access control and data retention periods. Involve key stakeholders (Legal, IT, HR) to ensure all bases are covered.

Now that you know the key steps to securing your organization’s data, it’s time to plan it out, partner with your internal stakeholders, and take action. DLP isn’t a one-person job—it’s a team effort that involves collaboration across IT, Legal, HR, and beyond. The risks of inaction are far too high, so don’t wait until something goes wrong. Proactively implementing these best practices today will not only protect your data but also strengthen your leadership as a new CISO.

Take a Load Off and SIT (an oversimplified explanation of using SIT)

In my Purview Ninja Training (you can take the training too, click here), one of the Purview capabilities that I struggled understanding at first was using the Sensitive Information Types for automatic classification. Not because it’s difficult to understand but becaue there were so many different options you can choose from that can be applied to similar use cases.

So to save time in understanding it, here is an over-simplified matrix of when to use the different automatic classification options using Microsoft Purview Information Protection.

When to use each capability.

  • Built-in SIT: Ready-to-use, predefined data types like social security numbers, credit card numbers, and other common sensitive data formats. Ideal for general compliance and basic data protection needs.
  • Custom SIT: Customizable to meet unique organizational requirements. Suitable for both structured and unstructured data.
  • EDM (Exact Data Match SITs): Best for exact matches of structured data with consistent formats, such as financial records and personal IDs.
  • Document Fingerprinting: Detects and protects standardized documents with repeatable structures, like legal forms and templates.
  • Named Entities SIT: Used for for detecting contextual sensitive or important data, like names or organizations, particularly within unstructured formats.
  • Trainable Classifiers: Useful for complex or ever changing data types, especially in unstructured data, where static rules or patterns are inadequate

Dude, Where’s my DATA

Data is the new currency in today’s digital age. Just as you wouldn’t leave your house title lying around for anyone to take, understanding where your data resides is crucial for its protection. Knowing the exact location of your data allows you to implement proper security measures, ensuring it’s not vulnerable to unauthorized access or breaches.

Understanding your data’s location also plays a vital role in regulatory compliance. For instance, CIS controls (https://www.cisecurity.org/controls) Control 13: Data Protection and Control 14: Controlled Access Based on the Need to Know, emphasize the need to secure data and limit access strictly to those who need it. By mapping out where your data lives, you can better align your practices with these controls, reducing risks and meeting compliance requirements.

In this blog, I will guide you through the various methods to discover where your data resides, the specific tools to use for different types of data, and when and how to effectively utilize each tool.


The 2 Methods in discovery data

    Manual methods involve physically documenting all the locations where your data is stored. This approach requires you to actively track and record each data repository, whether it’s on-premises, in the cloud, or across various applications and devices. While this method can be thorough and provide a deep understanding of your data landscape, it is also time-consuming and prone to human error. Think of it as manually creating an inventory of every item in your home – it’s detailed but can be exhausting and easy to miss something.

    Automatic methods leverage technology to scan, map, and classify your data across different environments. These methods use specialized tools to automatically discover data locations, classify sensitive information, and provide insights into data usage and movement.


    Type of Data in an Organization

    Organizations typically handle two primary types of business data: documents and organizational business data.

    Documents include files like reports, presentations, spreadsheets, and PDFs, which often contain sensitive information and require careful management and protection.

    On the other hand, Organizational business data encompasses the data generated from business operations, workflows, and applications, such as transaction records, customer information, and operational metrics. Think of applications such as Dynamics 365, Workday data, SAP data, etc. This type of data is what is used for day-to-day operations.

    Now that we know about the 2 different data in an organisation, let’s go have a look at what are the available Microsoft solutions to use to DISCOVER DATA (most of which are already included in your Microsoft Business Premium, or E3 and E5 licenses)

    Quick Note:

    There are solutions that are not on this list that has some form of search/ discovery capability (ex. Purview Data Life Cycle Management, Audit Log Search) I’ve omitted it in this list as their primary purpose is data governance and the data discovery capability relies on the other items that I’ve listed down below


    Document discovery tool

    Microsoft Purview Information Protection: (for documents stored in Email, SharePoint, OneDrive and Teams): It helps classify and label data based on its sensitivity. Start by defining your data classification schema, apply labels to your documents using built-in or custom labels, and configure policies to automatically classify and protect sensitive information as it is created or modified.

    Microsoft Purview Information Scanner (for On-prem data): This is designed to scan and classify on-premises data. To use it, deploy the scanner to your on-premises environment, configure scanning jobs to target specific data repositories, and review the scan results to understand where sensitive information resides and how it is being used.

    Microsoft Compliance Center (Content Search Tool): The Content search tool in the Microsoft Compliance Center allows you to search for and manage content across your organization.

    Microsoft 365 eDiscovery: This helps you manage and analyze large volumes of data for legal and compliance purposes. To use it, access the eDiscovery portal, create a case, add data sources, and run searches and analytics to gather relevant information for your legal or compliance needs.

    Defender for Cloud Apps: This is a comprehensive solution for monitoring and controlling data movement across cloud applications. The tool also offers data classification and protection through integration with Microsoft Purview Information Protection, ensuring consistent data security across your organization​

    Priva (using Privacy Assessments): This is specifically just for Personal data discovery. Automates the discovery, documentation, and evaluation of personal data use across your entire data estate. Using this regulatory-independent solution, you can automate privacy assessments and build a complete compliance record for the responsible use of personal data.

    Organizational Business Data Tools

    Purview Data Map: Helps you create a unified map of your data estate by automatically scanning and classifying your data sources. To use it, configure scanning rules and connect your data sources to Purview. The Data Map will continuously update, providing an up-to-date view of your data landscape, including classification and sensitivity labels, which helps in managing data compliance and governance.

    Purview Data Catalog: Provides a searchable catalog of data assets, making it easy to discover and understand data across your organization. To use it, start by connecting your data sources to Purview, which will automatically scan and index your data. Users can then search for data assets, view metadata, and understand data lineage, facilitating better data governance and management.

    Information Rights Management vs. Encryption via Sensitivity Labels: Why You Can’t Use Both on One Document

    An interesting use case came from a client where they were looking at enabling encryption using Sensitivity labels and do away with the existing Information Rights Management (IRM) to protect their files in Sharepoint.

    One of the Security analyst asked why not use BOTH at the same time. If both of them offers security protection, surely having DOUBLE protection will be better right? Well…

    Before we dive deeper in to the reason, let’s have an understanding first of what is Information Rights Management and Encryption through Sensitivity labels.


    What is IRM? Information Rights Management (IRM) is a tool that helps protect and control who can access, edit, print, or forward your documents and emails. Think of it as a digital lock that only lets certain people in and tells them what they can and can’t do with the information.

    How to Use IRM in Microsoft 365:

    1. Go to the document or email you want to protect.
    2. Click on the “File” tab.
    3. Select “Info” and then “Protect Document.”
    4. Choose “Restrict Access” and set the permissions for who can access and what they can do.

    What are Sensitivity Labels? Sensitivity Labels are part of Microsoft Information Protection solutions. They allow organizations to classify and protect documents and emails based on their sensitivity. These labels can apply encryption, watermarking, and content marking, as well as define access policies. Key features include: The organisation designs which label enables encryption.

    In simple terms, the encryption is applied once the appropriate Label is selected.


    Here’s why you can’t use both of them at the same time.

    The primary reason you cannot use both IRM and Sensitivity Labels encryption simultaneously on a document is due to overlapping functionalities and potential conflicts between the two systems:

    • Redundant Encryption: Both systems apply encryption, which can lead to conflicts or redundancy in the encryption process. Encrypting a document twice can complicate access management and decryption processes.
    • Policy Conflicts: IRM and Sensitivity Labels both define access and usage policies. Applying both might result in conflicting policies, making it difficult to enforce a clear and consistent set of rules.

    Which Encryption wins if these 2 were used at the same time?

    Based on my testing, Information Rights Management (IRM) Wins. When a document is protected by both IRM and a Sensitivity Label, the document retains the IRM encryption and loses the Sensitivity Label.

    This outcome makes sense because IRM encryption is embedded directly into the document. On the other hand, Sensitivity Label encryption is more flexible and can be easily changed by applying or reapplying different labels. Therefore, the more rigid and integrated IRM encryption overrides the more adaptable Sensitivity Label encryption.

    Lessons from the Field: Communication

    I’ve been a consultant (I’m also counting my time as an in-house consultant) for more than 15 years. I’ve been providing my skills in simplifying tech for end-users and business stakeholders and learning many important skills along the way.

    Here are the things that I wish someone has taught me a loooong time ago. Let’s start with the most important one. Communication.

    Entering the world of consulting, it’s crucial to recognize that a significant part of your role revolves around communication. Whether it’s engaging with your boss, collaborating with colleagues, presenting to clients, liaising with vendors, or conducting interviews, effective communication is at the heart of it all.

    So, let’s dive into the essentials of how to leverage communication in our consulting roles. Below, we’ll explore the foundational elements that builds an effective communication, setting the stage for a deeper understanding of this vital skill.

    • Message: This is all about figuring out the main point you want to share. It’s like deciding what the heart of your message is—what you really want to say.
    • Medium : Once you know what you want to say, the next step is figuring out how to share that message so everyone understands it. This is about choosing the best way to get your point across, making sure it’s clear to your audience. It’s like planning how to tell a story so everyone listens and gets it. This is where you think about how you send the message: Do you do it verbally, written down, in an email, a Teams call, or face to face etc. There’s also a hierarchy to this depending on the message (we’ll get to that soon)

    Lesson: The 2 most important communication blocks.

    Mastering the first 2 (Message and Medium) will get you ahead of the pack.

    I’ve observed numerous new consultants struggle with nailing these two crucial aspects. Understanding the difference between sending an email and opting for a face-to-face meeting for critical project updates seems to be a fading skill in today’s landscape.


    • Words and Grammar: Now, think about the words you use and how you put them together. This part is about picking the right words and arranging them well so your message is clear and sounds professional. It’s like choosing the best ingredients for a recipe to make sure it tastes good.
    • Voice and Emotion: Here, you consider how your message sounds—not just the words, but the feeling behind them. This can make a big difference in how people react to your message. It’s about how you say something, using your voice tone and emotion to connect with people.
    • Marketing: The final step is about making sure your message doesn’t just get heard but also inspires people to act or think differently. This involves thinking about how to present your message so it stands out and convinces people. It’s like making sure your message sticks and moves people to do something.

    Creating an Insider Risk Management Strategy: A Simplified Guide

    When thinking about Insider Risk Management strategy, it’s easy to get lost in a maze of complex solutions and cutting-edge technologies. However, before we dive into program specifics, let’s take a step back.

    Simplification is our guiding principle here, and it brings us to the core four elements essential for any successful strategy: People, Process, Technology, and Implementing the Action.

    People: The Core of Insider Risk Management

    Insider risk management starts with understanding that your people are both your biggest asset and potential risk. Training and awareness are crucial. Employees should be aware of the organization’s policies, the significance of data protection, and the consequences of non-compliance. Engage departments across the board—security, HR, legal—to foster a culture of accountability and transparency. Regular training ensures everyone is up-to-date on the latest protocols and threats.

    Ask yourself the following:

    • How can we enhance our current training programs to better address the specific risks and policies relevant to our organization, ensuring all employees are not only aware but fully understand their role in data protection?
    • In what ways can we foster a stronger culture of accountability and transparency within our organization, encouraging open communication between departments such as security, HR, and legal?
    • What measures can we implement to regularly update and refresh our team’s knowledge on the latest data protection protocols and potential insider threats, keeping our defenses as current as possible?

    Process: Streamlining Risk Management

    The process involves setting up a clear, structured approach to identifying, investigating, and responding to insider threats. Begin with establishing clear policies using Microsoft Purview Insider Risk Management, which offers templates for common scenarios like data theft by departing users or unintentional data leaks. Regular audits and analytics help in preemptively identifying potential risks, while a defined triage process ensures timely response to alerts. Cases are managed systematically, from investigation to action, ensuring a thorough review and appropriate response to each incident.

    Ask yourself the following:

    • How can we tailor Microsoft Purview Insider Risk Management templates to better reflect our organization’s specific risk scenarios and policies, ensuring a more targeted and effective approach?
    • What strategies can we implement to enhance our regular audit and analytics processes, enabling us to identify potential insider risks more proactively and accurately?
    • How can we improve our triage process for responding to alerts, ensuring that each case is addressed timely and efficiently, from investigation to action?

    Technology: Leveraging Microsoft Purview for Enhanced Security

    Technology underpins the entire insider risk management framework. Microsoft Purview Insider Risk Management provides a comprehensive suite of tools for monitoring, detection, and response. Use its analytics for a deep dive into user activities, identifying anomalies that could signal potential risks. The platform’s case management feature streamlines investigations, integrating data from various sources for a holistic view of each incident. Collaboration tools facilitate cross-departmental action, ensuring a unified response to insider threats.

    Ask yourself the following:

    • In what ways can we optimize the use of the platform’s case management features to ensure a more efficient investigation process, integrating data from diverse sources for a comprehensive analysis of incidents?
    • What steps can we take to enhance collaboration across departments using the tools provided by Microsoft Purview, ensuring a coordinated and unified response to insider risks?

    Implementing Your Strategy

    1. Audit and Analytics: Activate auditing to track activities within your organization. Use insider risk analytics to scan for potential risks even before setting up specific policies.
    2. Policy Setup: Choose from Microsoft Purview’s policy templates tailored to different risk scenarios. Customize these to align with your organization’s specific needs.
    3. Alert Management: Configure alerts to notify you of suspicious activities. Establish a process for reviewing, evaluating, and addressing these alerts efficiently.
    4. Investigation and Action: Investigate incidents with the aid of user activity reports and take decisive actions based on your findings. Collaborate with HR, legal, and security teams to ensure comprehensive case management.
    5. Continuous Review and Optimization: Regularly review your insider risk policies and processes. Update them as needed to adapt to evolving threats and organizational changes.

    In essence, managing insider risks effectively requires a blend of proactive people engagement, streamlined processes, and advanced technology.

    By leveraging Microsoft Purview Insider Risk Management and Communication Compliance, organizations can establish a robust framework that mitigates risks while fostering a culture of security and compliance.

    For more detailed guidance on setting up and optimizing your insider risk management framework with Microsoft Purview, you can explore resources directly from Microsoft Learn and Microsoft Security playlist.

    Additional resources:

    Embrace Change, Secure Data: Navigating the UK’s Data Protection Evolution with Microsoft Purview

    UK’s Data Protection Refresh

    The UK is introducing a new law that plans to introduce a host of new updates to the existing UK Data Protetion bill. You can read details of the change here and here and from the UK government source themselves here.

    The UK Data Protection and Digital Information Bill proposes a transformative approach to data protection, aiming to balance innovation with data security. The bill introduces easier data transfer processes, a risk-based approach to international transfers, and a streamlined accountability framework. This legislative evolution represents the UK’s commitment to fostering a secure yet flexible data-driven landscape post-Brexit.

    To kickstart your journey towards embracing the changes, I encourage your organization to consider initiating with these key steps. This approach not only prepares you for the transition but also positions you to leverage change using proven tools that are purpose built for Security and Compliance.

    Microsoft Purview: Your Data Protection Ally
    Microsoft Purview is a comprehensive toolkit designed to help organizations navigate the complexities of the new data protection landscape. Here’s how:

    1. Simplified Data Transfers: With Microsoft Purview Information Protection, organizations can classify, label, and protect data, ensuring compliance with the bill’s simplified data transfer requirements.
    2. Streamlined Accountability in Action: Microsoft Priva adapts to the bill’s accountability revamp, offering privacy management solutions that align with the shift towards a “senior responsible individual” model.
    3. Legitimate Interests Simplified: The platform aids in discerning when and how to process data based on legitimate interests, reflecting the bill’s nuanced take on data processing rights.
    4. Embracing a Risk-Based Approach: Microsoft Purview Data Loss Prevention (DLP) fortifies organizations against data breaches, embodying the bill’s risk-based ethos for international data transfers.

    The Takeaway: Future-Proof Your Data Practices
    The UK’s legislative update signals a new era of data protection, where flexibility and security go hand in hand. Microsoft Purview stands out as a the go-to resource for organizations aiming to thrive in this changing regulatory environment. By leveraging Purview’s suite of solutions, businesses can ensure their data practices are not only compliant but also conducive to growth and innovation in the digital age.

    Dive Deeper:
    For those keen to explore the intricacies of the UK Data Protection and Digital Information Bill and Microsoft Purview’s capabilities further, insightful resources await at IAPP’s overview and Pinsent Masons’ detailed analysis here.