What is Microsoft Purview Information Protection?

Date Published 11/05/2022
Author Rob Unger
Category Solutions

What is Microsoft Purview Information Protection?

Microsoft Purview Information Protection (formerly Microsoft Information Protection, or MIP) has long been a staple of the Microsoft compliance suite. Information Protection helps organisations discover, classify, and protect sensitive information, regardless of whether it’s at rest or in transit. This powerful tool enables organisations to embrace the data lifecycle illustrated below and forms a vital part of achieving a zero-trust operating model.


By building upon data classification capabilities such as sensitive information types or trainable classifiers (know your data), organisations and their users can apply sensitivity labels to documents, marking them with metadata (protect your data). A simple label will do nothing more than apply a marking, which is then detected by various compliance and security tools across the M365 platform.

Sensitivity labels can also apply headers, footers, and/or watermarks; these help by providing visual cues to end-users about the nature of the information they are handling. Where required, labels can also apply encryption to protect the content of the document. By leveraging the metadata applied by these labels, sensitivity labels can be used for data loss prevention policies (DLP), as well as across other M365 services, such as Insider Risk Management, Priva, Defender for Cloud Apps, and Exchange Online mail-transport rules (prevent data loss).

Sensitivity Labels

Labels are applied manually by end-users across platform types (Windows, macOS, iOS, and Android) using Microsoft 365 apps, or automatically by cloud services, such as SharePoint Online and Defender for Cloud Apps, depending on document content and data classification rules. Sensitivity labels can also be applied to Microsoft Team sites, SharePoint Online sites and M365 groups, ensuring consistent security is applied to these containers.

Protection capabilities include:

  • Mandating the privacy of a team site or group
  • Determining access by users external to the organisation
  • Mandating external sharing settings for SharePoint sites and access from unmanaged device

Applying Encryption

Encryption for labels is configured by the tenant administrator, alternatively, end-users can manually apply encryption settings depending on the document use case and when the capability is configured in a label. There are various options relating to access and permissions for the applied encryption, and these are assigned at a user, group, or tenant level. For example, a group of users in the organisation could have full control (co-author) of a document, however, everyone else in the organisation could have read access (viewer) access, safeguarding the integrity of the data, and reducing risks such as over-sharing or accidental/deliberate data loss.

Encryption is backed by Azure Rights Management Service (RMS) and applied, by default, using a Microsoft-managed platform key (MMK). Alternatives to this include the capabilities to bring your own key (BYOK) and double-key encryption (DKE) and these can be backed using hardware security modules (HSMs). Needless to say, BYOK and DKE are more complex in nature and carry increased administrative overheads but may be a necessary requirement where some (it is highly unlikely that all data will require this level of protection) platform data requires enhanced protection.


Licensing for Information Protection is complex, due to the many features and capabilities available. The barrier to entry however is quite low, and to create and manually apply sensitivity labels, the following licenses provide user rights to create and manually apply sensitivity labels:

  • Microsoft 365 E3 (or equivalent education/government SKU) and up
  • Office 365 E3 (or equivalent education/government SKU) and up
  • Enterprise Mobility + Security E3 or E5
  • AIP Plan 1 or AIP Plan 2

To deploy additional features, such as automatic or service-side labelling, higher tier licensing will be required. Please reach out to one of our colleagues at CPS who will be happy to discuss your requirements and provide guidance.



Rob Unger
Rob Unger
M365 Technical Architect - Security, Compliance & Identity
Discover The Latest Blogs
Discover The Latest Blogs
Read The Latest News & Articles
Read The Latest News & Articles
Browse Customer Case Studies
Browse Customer Case Studies

Free Fundamentals Assessment

Register your interest here to see if you are eligible for our free Security, Compliance and Identity Fundamentals Assessment

Find Out More

Talk To Us About Your Requirements