Microsoft Purview · Information Protection

Information Protection

Full control over all information protection features including DLP, sensitivity labels, and classification.

Scope: Complete information protection administration organization-wide

Permissions

  • DLP Policies - All DLP policy creation and management (Exchange, SharePoint, OneDrive, Teams, Copilot, Devices)
  • Sensitivity Labels - Create and configure sensitivity labels with encryption and marking
  • Auto-Labeling - Configure auto-labeling policies with machine learning classifiers
  • Trainable Classifiers - Manage trainable classifiers (custom and pre-built)
  • Content Explorer - Access Content Explorer (view labeled file content)
  • Activity Explorer - Access Activity Explorer (view labeling and DLP events)
  • On-Premises Scanner - Configure the Microsoft Purview Information Protection scanner for on-premises environments
  • Encryption - Manage encryption and Azure Rights Management templates
  • Label Policies - Configure label policies scoped to specific users, groups, or admin units
  • EDM Schemas - Create exact data match (EDM) and document fingerprinting schemas
  • Reports - Full access to information protection reports and analytics
  • Records Integration - Manage records management and retention labels integration

Common use cases

  • Chief Information Security Officer with comprehensive oversight responsibility
  • Data Protection Officer managing full information protection compliance program
  • Information governance lead implementing enterprise-wide protection strategy
  • Senior compliance architect designing multi-layered protection framework
  • Security operations lead coordinating DLP, encryption, and classification
  • Privacy officer managing data protection and GDPR compliance
  • Enterprise architect integrating on-premises and cloud protection
  • Full-time information protection specialist role in large organizations

Best practices

  • Develop comprehensive information protection strategy aligned with business objectives
  • Implement sensitivity labels before DLP for better automatic classification
  • Use pilot groups and simulation mode for testing before broad deployment
  • Coordinate labels, DLP policies, and retention for consistency across tools
  • Regularly review protection effectiveness using Activity Explorer metrics
  • Document classification schema, label descriptions, and protection rationale
  • Deploy Microsoft Purview Information Protection scanner for on-premises discovery
  • Configure trainable classifiers with sufficient training documents (300+ per category)
  • Use administrative units to scope policies for multinational or large organizations
  • Implement label inheritance to ensure consistent classification through workflows
  • Monitor Copilot location policies to balance security with AI productivity
  • Create label policies with clear visual markings and user guidance tooltips

Security considerations

  • Broad access to protection controls - monitor all changes with audit logging
  • Can access Content Explorer showing actual content of labeled files organization-wide
  • Policy and label changes affect entire organization or scoped admin units
  • Should maintain separation from IT infrastructure admin roles for segregation of duties
  • Consider Privileged Identity Management (PIM) for just-in-time activation
  • Encryption templates and rights management changes can lock users out of files
  • Auto-labeling with encryption can be difficult to reverse once applied
  • On-premises scanner service account requires appropriate directory permissions
  • Trainable classifiers may inadvertently expose sensitive content during training
  • Content Explorer access requires separate role and should be limited to investigative needs
