CAB Runbook: Sensitivity Labels and DLP Policies
This runbook supports a Change Advisory Board (CAB) submission for deploying a sensitivity label taxonomy and foundational Data Loss Prevention (DLP) policies in Microsoft Purview. Complete the bracketed fields before submitting to your CAB.
Change Summary
| Field | Value |
|---|---|
| Change Title | Deploy Microsoft Purview Sensitivity Label Taxonomy, Foundational DLP Policies, and SSN PII Baseline |
| Change Type | Standard — New Capability |
| Risk Level | Medium |
| Estimated Downtime | None — configuration changes only; no service interruption expected |
| Rollback Available | Yes — labels and policies can be disabled or deleted within minutes |
| Implementation Window | [Insert maintenance window date/time and duration] |
| Implementer | [Insert name, title] |
| Backup Implementer | [Insert name, title] |
| CAB Sponsor | [Insert name, title] |
| Ticket / Change ID | [Insert change management ticket number] |
Business Justification
GCC High (CMMC):
CMMC Level 2 requires that Controlled Unclassified Information (CUI) be identified, marked, and protected from unauthorized disclosure. This change implements the technical controls required by:
- NIST SP 800-171 Rev. 2 3.1.3 — Control the flow of CUI in accordance with approved authorizations
- NIST SP 800-171 Rev. 2 3.13.1 — Monitor, control, and protect communications at external boundaries
- NIST SP 800-171 Rev. 2 3.13.16 — Protect the confidentiality of CUI at rest
Without sensitivity labels, the organization cannot consistently identify CUI across Microsoft 365, and DLP policies cannot enforce information flow controls against unlabeled content. This change is the prerequisite for all subsequent Purview-based compliance controls.
Commercial:
This change implements data classification and loss prevention controls required to meet regulatory obligations and reduce the risk of unauthorized disclosure of sensitive business information. Applicable frameworks include:
- NIST SP 800-171 Rev. 3 3.1.3 — Control the flow of CUI in accordance with approved authorizations
- HIPAA 45 CFR § 164.312(e) — Encryption and integrity controls for ePHI in transit
- GLBA Safeguards Rule 16 CFR Part 314 — Implement safeguards to control access to customer financial data
Without a deployed label taxonomy, DLP policies cannot reliably identify sensitive content at the point of sharing. This change is the prerequisite for all subsequent information protection controls.
Scope of Change
In Scope — Phase A: Sensitivity Labels
- Enable MIP container labels for Microsoft 365 Groups in Entra ID (one-time PowerShell command — no user-facing impact)
- Create four sensitivity labels in the Microsoft Purview compliance portal
GCC High (CMMC):
| Label | CUI Mapping | Encryption | Container Support |
|---|---|---|---|
| Public | Not CUI | No | No |
| General | Not CUI — internal operational data | No | Yes |
| CUI — Basic | CUI Basic (standard safeguarding) | Yes (Control access is On in Step A-2) | Yes |
| CUI — Specified | CUI Specified (enhanced safeguarding) | Yes (Control access is On in Step A-2) | Yes |
Commercial:
| Label | Sensitivity Tier | Encryption | Container Support |
|---|---|---|---|
| Public | Publicly available data | No | No |
| Internal | Internal operational data | No | Yes |
| Confidential | Regulated content (PII, financial) | No | Yes |
| Restricted | Board-level / HR / credentials | Yes | Yes |
- Publish a label policy targeting all users with the following settings:
- Default label for files and emails: General (or Internal)
- Mandatory labeling: On — users must select a label before saving or sending
- Justification required on downgrade or removal: On
In Scope — Phase B: Foundational DLP Policies
Thirteen DLP policies deployed across Exchange, SharePoint, OneDrive, and Teams:
| Priority | Policy Name | Workload | Initial Rollout | Action |
|---|---|---|---|---|
| 0 | Exchange — Credential Alert | Exchange | Enforced, test group → All users | Block send + alert |
| 1 | OneDrive — Credential Alert | OneDrive | Enforced, test group → All users | Block access + alert |
| 2 | SharePoint — Credential Alert | SharePoint | Simulation tenant-wide → Enforced | Block access + alert |
| 3 | Teams — Credential Alert | Teams | Enforced, test group → All users | Alert only |
| 4 | Exchange — CUI Specified / Restricted Label External Sharing | Exchange | Enforced, test group → All users | Block + override with justification |
| 5 | OneDrive — CUI Specified / Restricted Label External Sharing | OneDrive | Enforced, test group → All users | Block access + alert |
| 6 | SharePoint — CUI Specified / Restricted Label External Sharing | SharePoint | Enforced tenant-wide (label-based condition is deterministic) | Block access + alert |
| 7 | Exchange — CUI Basic / Confidential Label External Sharing | Exchange | Enforced, test group → All users | Alert |
| 8 | OneDrive — CUI Basic / Confidential Label External Sharing | OneDrive | Enforced, test group → All users | Alert |
| 9 | SharePoint — CUI Basic / Confidential Label External Sharing | SharePoint | Enforced tenant-wide (label-based condition is deterministic) | Alert |
| 10 | Exchange — SSN Alert | Exchange | Enforced, test group → All users | Alert |
| 11 | OneDrive — SSN Alert | OneDrive | Enforced, test group → All users | Alert |
| 12 | SharePoint — SSN Alert | SharePoint | Simulation tenant-wide for 30 days → Enforced (Alert action retained) | Alert |
Rollout pattern. Exchange, OneDrive, and Teams DLP support user/group scoping — deploy Enforced to the documented test group, observe real friction (override rates, helpdesk volume, alert count), then expand to All users. SharePoint DLP is site-scoped rather than user-scoped, so test-group enforcement is not available. For SharePoint policies with SIT-based conditions (Priority 2 Credential Alert and Priority 12 SSN Alert), use Simulation mode tenant-wide for 30 days to baseline false positives before promoting to Enforced. For SharePoint policies with label-based conditions (Priorities 6 and 9), the condition is deterministic — a file either carries the label or does not — and simulation is unnecessary; deploy Enforced from the start.
The "Block + override with justification" pattern used at Priority 4 (Exchange highest-tier label external sharing) is two settings working together in the Purview DLP rule editor: an Action (Restrict access or encrypt the content in Microsoft 365 locations → Block everyone) AND the User overrides setting (Allow users to override policy restrictions + Require business justification to override). Configuring only the override without an Action results in pure alerting with no block — the override checkbox has no visible effect because there is no restriction to override. Per Microsoft Learn — DLP policy tips: "If you set the NotifyAllowOverride action to WithoutJustification or WithJustification or FalsePositives, make sure BlockAccess is set to true and BlockAccessScope has appropriate value. Otherwise, the policy tip comes up but the user doesn't find an option to override the email with justification."
Out of Scope — Reserved for Phase 2 Submission
The following capabilities are excluded from this change and will be addressed in a subsequent CAB submission:
- Endpoint DLP (USB copy, cloud upload, print, RDP clipboard controls)
- Microsoft 365 Copilot label enforcement
- Client-side and service-side auto-labeling policies
- Insider Risk Management integration
- Finance SIT-based detection policies (the SSN PII baseline is included as Step B-4 below; additional PII SITs — driver's license, ITIN, bank account, passport — are reserved for Phase 2)
Prerequisites
All prerequisites must be verified before the implementation window opens.
| # | Prerequisite | Verified By | Notes |
|---|---|---|---|
| 1 | Microsoft Purview compliance portal access — Global Administrator or Compliance Administrator role | [Name] | Required to create labels and policies |
| 2 | Exchange Online Administrator role | [Name] | Required for IPPS session during container label sync |
| 3 | Microsoft Entra ID P1 or P2 license for at least one admin account | [Name] | Required for container label enablement |
| 4 | Microsoft 365 E3/E5 or equivalent licenses for all in-scope users | [Name] | Sensitivity labels require M365 Apps for Enterprise; DLP requires E3 minimum |
| 5 | No existing conflicting label policies in the tenant | [Name] | Check in Purview portal → Information Protection → Label policies |
| 6 | Approved list of partner/external domains authorized to receive CUI or sensitive content | [Name] | Required for Phase B DLP Allowed Domains configuration |
| 7 | Security team distribution group or mailbox for DLP incident reports — substitute the client's real address everywhere the runbook shows [YOUR_DLP_ALERT_EMAIL] | [Name] | Client-provided. Must be an active, monitored mailbox or group before Phase B begins. |
| 8 | Change freeze status confirmed — no competing changes to Exchange transport rules or mail flow during window | [Name] | Avoid overlapping with mail flow configuration changes |
| 9 | SharePoint Admin Center — unmanaged device access set to Allow limited, web-only access | [Name] | Required for sensitivity label container controls to restrict unmanaged device access. See SharePoint Admin Center — Unmanaged Device Access |
Implementation Plan
Estimated total implementation time: 90–120 minutes for a tenant with no pre-existing label configuration.
Phase A: Sensitivity Labels (~45 minutes)
Step A-1: Enable container labels in Entra ID (~10 minutes)
- Open PowerShell as an account that holds Global Administrator (or another Entra role that can update directory settings) for the Graph commands, and Compliance Administrator or Exchange Online Administrator for the IPPS session.
- Run the following commands:
```powershell
# Install only the modules this step needs (the Graph beta DirectoryManagement sub-module is enough;
# the full Microsoft.Graph.Beta meta-module is very large and not required)
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement -Scope CurrentUser -Force
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force

# Enable MIP labels for M365 Groups. The Group.Unified directory setting object may already exist in the
# tenant (for example if a group naming policy or guest settings were configured earlier): update it if so,
# otherwise create it from the template. New-MgBetaDirectorySetting fails if the object already exists.
Connect-MgGraph -Scopes "Directory.ReadWrite.All"
$template = Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
$existing = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
$values   = @(@{ Name = "EnableMIPLabels"; Value = "True" })
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id -BodyParameter @{ Values = $values }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ TemplateId = $template.Id; Values = $values }
}
# Read the flag back; it must show Value = True before continuing
(Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -eq "EnableMIPLabels" }

# Sync labels from Purview to Entra ID. This pass only matters if sensitivity labels already exist in the
# tenant; Step A-2 repeats it once the new labels have been created.
# For GCC High, pass -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
# and -AzureADAuthorizationEndpointUri https://login.microsoftonline.us/organizations to Connect-IPPSSession.
Connect-IPPSSession
Execute-AzureADLabelSync
Disconnect-ExchangeOnline
```
- Verify: query the Group.Unified directory setting again (Get-MgBetaDirectorySetting) and confirm EnableMIPLabels = True. The value lives in a directory setting object rather than on a page in the Entra admin center Groups blade, so PowerShell is the reliable place to confirm it.
Step A-2: Create sensitivity labels (~20 minutes)
Navigate to Microsoft Purview compliance portal → Information Protection → Labels → + Create a label. Create labels in order from least to most sensitive — label priority is determined by creation order.
The table below lists every setting in wizard order. Fill in each row as you step through the wizard.
GCC High (CMMC):
| Setting | Public | General | CUI — Basic | CUI — Specified |
|---|---|---|---|---|
| Name | Public | General | CUI - Basic | CUI - Specified |
| Display name | Public | General | CUI — Basic | CUI — Specified |
| Description for users | Data approved for public release. | Internal operational data. No special handling required. | Controlled Unclassified Information. Standard NIST 800-171 safeguarding required. | Controlled Unclassified Information. Enhanced safeguarding required. Confidential distribution. |
| Label color | Green | Blue | Yellow | Red |
| Scope — Files & other data assets | On | On | On | On |
| Scope — Emails | On | On | On | On |
| Scope — Meetings | Off | Off | Off | Off |
| Scope — Groups & sites | Off | On | On | On |
| Control access | Off | Off | On | On |
| Apply content marking | Off | On | On | On |
| Assign permissions now or let users decide | — | — | Assign permissions now | Assign permissions now |
| User access to content expires | — | — | Never | Never |
| Allow offline access | — | — | 30 days | 7 days |
| Assigned users or groups | — | — | All Employees (or tenant authenticated users group) | Confidential group — e.g., sg-cui-specified-access |
| Permissions | — | — | Co-Author | Co-Author |
| Footer text | — | General | CUI — Basic | CUI — Specified |
| Auto-labeling for files and emails | Off | Off | Off | Off |
| Privacy and external user access (check this protection setting) | — | On | On | On |
| External sharing and Conditional Access (check this protection setting) | — | On | On | On |
| Private teams discoverability and shared channel settings (check this protection setting) | — | Off | Off | Off |
| Auto apply settings | — | None | None | None |
| Privacy | — | Public or Private | Private | Private |
| Let group owners add people outside the organization as guests | — | On | Off | Off |
| External sharing — Content can be shared with | — | Anyone | Existing guests | Only people in your organization |
| Access from unmanaged devices | — | Full access | Allow limited, web-only access | Block access |
Commercial:
| Setting | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Name | Public | Internal | Confidential | Restricted |
| Display name | Public | Internal | Confidential | Restricted |
| Description for users | Data that is publicly available or has been approved for public release. | For internal use. May be shared externally when appropriate. No special handling required. | Contains sensitive personal or financial information subject to regulatory requirements. Share only with authorized parties. | Highly sensitive. External sharing not permitted. Access from authorized devices only. |
| Label color | Green | Blue | Yellow | Red |
| Scope — Files & other data assets | On | On | On | On |
| Scope — Emails | On | On | On | On |
| Scope — Meetings | Off | Off | Off | Off |
| Scope — Groups & sites | Off | On | On | On |
| Control access | Off | Off | Off | On |
| Apply content marking | Off | On | On | On |
| Assign permissions now or let users decide | — | — | — | Assign permissions now |
| User access to content expires | — | — | — | Never |
| Allow offline access | — | — | — | Never |
| Assigned users or groups | — | — | — | EID_Sensitivity_Label_Restricted |
| Permissions | — | — | — | Co-Author |
| Footer text | — | Internal | Confidential | Restricted |
| Auto-labeling for files and emails | Off | Off | Off | Off |
| Privacy and external user access (check this protection setting) | — | On | On | On |
| External sharing and Conditional Access (check this protection setting) | — | On | On | On |
| Private teams discoverability and shared channel settings (check this protection setting) | — | Off | Off | Off |
| Auto apply settings | — | None | None | None |
| Privacy | — | Public | Private | Private |
| Let group owners add people outside the organization as guests | — | On | Off | Off |
| External sharing — Content can be shared with | — | Anyone | Existing guests | Only people in your organization |
| Access from unmanaged devices | — | Full access | Allow limited, web-only access | Block access |
EID_Sensitivity_Label_Restricted must be a mail-enabled group: a Microsoft 365 Group, a distribution group, or a mail-enabled security group. Plain security groups without an email address cannot be assigned encryption permissions. Create the group before running the wizard, for example in the Microsoft 365 admin center (admin.microsoft.com → Teams & groups → Active teams & groups), and confirm it has an email address before you reach the Assigned users or groups step.
Container labels exist to restrict — every Groups & sites setting (privacy, external sharing, unmanaged-device access) tightens access compared to tenant defaults. Public means "no restrictions needed," so a Public container scope would either repeat tenant defaults or accidentally relax a stricter one — a downgrade footgun where a user picks Public to dodge friction and locks the site into the most permissive posture. Keeping Public at file/email scope only preserves its intended use (marking individual files and emails approved for public release) without making it pickable in the site-creation label dropdown.
Repeat the wizard for each of the four labels. After all labels are created, if container labels were enabled for the first time in Step A-1 above, run the post-enablement sync below — this forces Purview to push the new labels into Entra ID so they become available for application to SharePoint sites, M365 Groups, and Teams sites. For tenants stood up after September 2019 this happens automatically and the command is a no-op safety measure; for older tenants it is required.
```powershell
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # GCC High: add the -ConnectionUri and -AzureADAuthorizationEndpointUri values from Step A-1
Execute-AzureADLabelSync
```
The cmdlet does not influence the Purview-to-Azure-Rights-Management sync (encryption configuration) or label visibility in Office client apps — both of those are automatic on Microsoft's schedule. See Label Sync Timing for the full sync-path breakdown.
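The highest-tier label as an added PowerShell example, not part of the runbook and not Microsoft's documentation: it builds the CUI — Specified column of the A-2 table with New-Label in Security & Compliance PowerShell and then reads back the priority order that the verification below checks. It assumes Connect-IPPSSession has already been run (with the GCC High endpoints from Step A-1 where applicable), that the mail-enabled access group exists at the assumed address sg-cui-specified-access@contoso.com, and that the label does not exist yet. For the Commercial taxonomy, call the function with -Name 'Restricted' and the EID_Sensitivity_Label_Restricted group's email address.

```powershell
# Added example, not the runbook's own procedure. Builds the top-tier label from the A-2 table with
# New-Label. Assumes Connect-IPPSSession is done and the access group exists at the assumed address.
Import-Module ExchangeOnlineManagement

# The wizard's "Co-Author" preset, spelled out as Rights Management usage rights
$CoAuthorRights = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

function New-TopTierLabel {
    param(
        [Parameter(Mandatory)] [string] $Name,          # "CUI - Specified" (GCC High) or "Restricted" (Commercial)
        [Parameter(Mandatory)] [string] $GroupAddress,  # mail-enabled group that may open encrypted content
        [string] $Tooltip = 'Controlled Unclassified Information. Enhanced safeguarding required. Confidential distribution.',
        [int]    $OfflineDays = 7                       # A-2 table: 7 days for CUI - Specified; use 0 for "Never"
    )
    $label = @{
        Name        = $Name
        DisplayName = $Name
        Tooltip     = $Tooltip
        ContentType = 'File, Email, Site, UnifiedGroup'           # Files & emails plus Groups & sites scope

        # Control access: encrypt, assign permissions now, never expire, short offline window
        EncryptionEnabled                           = $true
        EncryptionProtectionType                    = 'Template'
        EncryptionRightsDefinitions                 = "${GroupAddress}:$CoAuthorRights"
        EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
        EncryptionOfflineAccessDays                 = $OfflineDays

        # Content marking: footer carries the label name
        ApplyContentMarkingFooterEnabled = $true
        ApplyContentMarkingFooterText    = $Name

        # Groups & sites: private, no guests, internal-only sharing, block unmanaged devices
        SiteAndGroupProtectionEnabled                 = $true
        SiteAndGroupProtectionPrivacy                 = 'Private'
        SiteAndGroupProtectionAllowAccessToGuestUsers = $false
        SiteExternalSharingControlType                = 'Disabled'   # "Only people in your organization"
        SiteAndGroupProtectionBlockAccess             = $true        # unmanaged devices: Block access
    }
    New-Label @label
}

New-TopTierLabel -Name 'CUI - Specified' -GroupAddress 'sg-cui-specified-access@contoso.com'

# Creation order becomes priority order (0 = least sensitive). If a label landed out of order,
# move it with Set-Label -Identity <name> -Priority <n> and re-run this readback.
Get-Label | Sort-Object Priority | Select-Object Priority, DisplayName, ContentType, EncryptionEnabled
```

The encryption rights string is the part the wizard hides: each entry is `identity:rights`, separated by semicolons, and the identity must resolve to a mail-enabled object, which is why a plain security group fails here just as it does in the portal.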
GCC High (CMMC):
Verification: All four labels should appear in the Information Protection → Labels list with correct priority order (Public = 0, General = 1, CUI — Basic = 2, CUI — Specified = 3). Each label should show a green checkmark indicating successful creation.
Commercial:
Verification: All four labels should appear in the Information Protection → Labels list with correct priority order (Public = 0, Internal = 1, Confidential = 2, Restricted = 3). Each label should show a green checkmark indicating successful creation.
Step A-3: Publish label policy (~15 minutes)
- Navigate to Information Protection → Label policies → Publish labels.
- Select all four labels.
- Assign to: All users and groups (or a pilot group if a phased rollout is preferred — see Risk Register).
- Configure policy settings:
- Require justification for label removal or downgrade: On
- Require users to apply a label to their emails and documents: On
- Require users to apply a label to their Fabric and Power BI content: On
- Provide a help link: [Insert link to internal data classification policy]
- Set default labels:
- Default label for documents: General (or Internal)
- Default label for emails: General (or Internal)
- Name the policy:
[ORG] — Standard Label Policy v1.0
Sensitivity labels appear in Office clients (Word, Excel, Outlook) within 24 hours of policy publication. Plan the communication timeline accordingly.
Step A-4: Enable co-authoring for encrypted files (~5 minutes) — Microsoft Docs
Without this setting, users on Office desktop apps must check out encrypted labeled files before editing, blocking real-time collaboration. Enabling it allows multiple users to edit encrypted files simultaneously and enables AutoSave for those files.
Once enabled, this setting cannot be turned off from the Purview portal. Disabling it requires PowerShell and will cause labeling metadata to be lost from any unencrypted Word, Excel, and PowerPoint files that were labeled while the setting was active. Enable only after confirming no scripts, Exchange mail flow rules, or third-party tools in your environment read sensitivity label metadata from the old custom document properties location. Standard Microsoft 365 services (DLP policies, auto-labeling, Defender for Cloud Apps) all support the new metadata format and require no changes.
- Navigate to Microsoft Purview portal → Settings → Solution settings → Information Protection → Co-authoring for files with sensitivity labels.
- Read the prerequisites and summary displayed on the page.
- Select Turn on co-authoring for files with sensitivity labels → Apply.
- Wait 24 hours before relying on co-authoring for encrypted documents.
Phase B: Foundational DLP Policies (~45–75 minutes)
Step B-1: Verify the security alert mailbox
Before creating policies, confirm that the security team mailbox or distribution group that will receive DLP incident reports is active and monitored: [YOUR_DLP_ALERT_EMAIL]
There is no separate global setting for this in the DLP portal. The recipient is configured in the Incident reports rows of each policy table in Steps B-2 through B-4 below.
Step B-2: Create credential alert policies (Priorities 0–3)
For each policy: DLP → Policies → Create policy → Custom → Custom policy → full directory scope → single rule.
| Setting | Exchange (P0) | OneDrive (P1) | SharePoint (P2) | Teams (P3) |
|---|---|---|---|---|
| Policy name | Exchange — Credential Alert | OneDrive — Credential Alert | SharePoint — Credential Alert | Teams — Credential Alert |
| Locations | Exchange email | OneDrive accounts | SharePoint sites | Teams chat and channel messages |
| Included users/groups | EID_Sensitivity_Label_Test_Users — expand to All after validation | ← same | Not supported — SharePoint scopes by site URL, not by user/group | EID_Sensitivity_Label_Test_Users — expand to All after validation |
| Condition — Sensitive info type | All credential types (bundled SIT — covers passwords, API keys, tokens, and secrets) | ← same | ← same | ← same |
| Action | Block the email; notify the user | Restrict access or encrypt the content → Block everyone except the content owner, last modifier, and site admin | Restrict access or encrypt the content → Block everyone except the content owner, last modifier, and site admin | Alert only |
| User notifications | On | On | On | Off |
| Incident reports — Admin alert | On | On | On | On |
| Incident reports — Recipients | [YOUR_DLP_ALERT_EMAIL] | ← same | ← same | ← same |
| Incident reports — Alert frequency | Every rule match | ← same | ← same | ← same |
| Alert severity | High | High | High | Medium |
| Policy mode | Enforced (test group) → Enforced (All) | Enforced (test group) → Enforced (All) | Simulation tenant-wide — promote to Enforced after reviewing alert log | Enforced (test group) → Enforced (All) |
Step B-3: Create label-based external sharing policies (Priorities 4–9)
For each policy: DLP → Policies → Create policy → Custom → Custom policy → full directory scope → single rule.
GCC High (CMMC):
CUI Specified label policies (Priorities 4–6)
| Setting | Exchange (P4) | OneDrive (P5) | SharePoint (P6) |
|---|---|---|---|
| Policy name | Exchange — CUI Specified Label External Sharing | OneDrive — CUI Specified Label External Sharing | SharePoint — CUI Specified Label External Sharing |
| Locations | Exchange email | OneDrive accounts | SharePoint sites |
| Included users/groups | EID_Sensitivity_Label_Test_Users — expand to All after validation | ← same | Not supported — deploying Enforced across all sites; false positive risk is low given the tight condition (labeled content + shared externally) |
| Condition — Content is labeled | CUI — Specified | ← same | ← same |
| Condition — Content is shared | With people outside the organization | ← same | ← same |
| Exceptions → Recipient domain is | Required — list approved GCC High partner domains (added in the Exceptions section of the rule, not within the Content is shared condition) | ← same | ← same |
| Action | Restrict access or encrypt the content → Block everyone (email undelivered) | Restrict access or encrypt the content → Block everyone except the content owner, last modifier, and site admin | Restrict access or encrypt the content → Block everyone except the content owner, last modifier, and site admin |
| User overrides | Allow users to override → Require business justification (the override and its justification are recorded in the audit log and stamped on the sent message as an X-header; the Block action MUST also be configured, otherwise the override option never appears to users; see the callout below the Phase B summary table) | Off — Block is absolute for stored content | Off — Block is absolute for stored content |
| User notifications | On | On | On |
| Incident reports — Admin alert | On | On | On |
| Incident reports — Recipients | [YOUR_DLP_ALERT_EMAIL] | ← same | ← same |
| Incident reports — Alert frequency | Every rule match | ← same | ← same |
| Alert severity | High | High | High |
| Policy mode | Enforced | Enforced | Enforced |
CUI Basic label policies (Priorities 7–9)
| Setting | Exchange (P7) | OneDrive (P8) | SharePoint (P9) |
|---|---|---|---|
| Policy name | Exchange — CUI Basic Label External Sharing | OneDrive — CUI Basic Label External Sharing | SharePoint — CUI Basic Label External Sharing |
| Locations | Exchange email | OneDrive accounts | SharePoint sites |
| Included users/groups | EID_Sensitivity_Label_Test_Users — expand to All after validation | ← same | Not supported — deploying Enforced across all sites; with an alert-only action a false positive produces a policy tip and an alert but blocks nothing |
| Condition — Content is labeled | CUI — Basic | ← same | ← same |
| Condition — Content is shared | With people outside the organization | ← same | ← same |
| Exceptions → Recipient domain is | Required — list approved GCC High partner domains (added in the Exceptions section of the rule, not within the Content is shared condition) | ← same | ← same |
| Action | Alert only | Alert only | Alert only |
| User notifications | On | On | On |
| Incident reports — Admin alert | On | On | On |
| Incident reports — Recipients | [YOUR_DLP_ALERT_EMAIL] | ← same | ← same |
| Incident reports — Alert frequency | Every rule match | ← same | ← same |
| Alert severity | Medium | Medium | Medium |
| Policy mode | Enforced | Enforced | Enforced |
Commercial:
Restricted label policies (Priorities 4–6)
| Setting | Exchange (P4) | OneDrive (P5) | SharePoint (P6) |
|---|---|---|---|
| Policy name | Exchange — Restricted Label External Sharing | OneDrive — Restricted Label External Sharing | SharePoint — Restricted Label External Sharing |
| Locations | Exchange email | OneDrive accounts | SharePoint sites |
| Included users/groups | EID_Sensitivity_Label_Test_Users — expand to All after validation | ← same | Not supported — deploying Enforced across all sites; false positive risk is low given the tight condition (labeled content + shared externally) |
| Condition — Content is labeled | Restricted | ← same | ← same |
| Condition — Content is shared | With people outside the organization | ← same | ← same |
| Exceptions → Recipient domain is | Optional — list approved regulatory recipients (auditors, regulators, law firms), added in the Exceptions section of the rule | ← same | ← same |
| Action | Restrict access or encrypt the content → Block everyone (email undelivered) | Restrict access or encrypt the content → Block everyone except the content owner, last modifier, and site admin | Restrict access or encrypt the content → Block everyone except the content owner, last modifier, and site admin |
| User overrides | Allow users to override → Require business justification (the override and its justification are recorded in the audit log and stamped on the sent message as an X-header; the Block action MUST also be configured, otherwise the override option never appears to users; see the callout below the Phase B summary table) | Off — Block is absolute for stored content | Off — Block is absolute for stored content |
| User notifications | On | On | On |
| Incident reports — Admin alert | On | On | On |
| Incident reports — Recipients | [YOUR_DLP_ALERT_EMAIL] | ← same | ← same |
| Incident reports — Alert frequency | Every rule match | ← same | ← same |
| Alert severity | High | High | High |
| Policy mode | Enforced | Enforced | Enforced |
Confidential label policies (Priorities 7–9)
| Setting | Exchange (P7) | OneDrive (P8) | SharePoint (P9) |
|---|---|---|---|
| Policy name | Exchange — Confidential Label External Sharing | OneDrive — Confidential Label External Sharing | SharePoint — Confidential Label External Sharing |
| Locations | Exchange email | OneDrive accounts | SharePoint sites |
| Included users/groups | EID_Sensitivity_Label_Test_Users — expand to All after validation | ← same | Not supported — deploying Enforced across all sites; with an alert-only action a false positive produces a policy tip and an alert but blocks nothing |
| Condition — Content is labeled | Confidential | ← same | ← same |
| Condition — Content is shared | With people outside the organization | ← same | ← same |
| Exceptions → Recipient domain is | Optional | ← same | ← same |
| Action | Alert only | Alert only | Alert only |
| User notifications | On | On | On |
| Incident reports — Admin alert | On | On | On |
| Incident reports — Recipients | [YOUR_DLP_ALERT_EMAIL] | ← same | ← same |
| Incident reports — Alert frequency | Every rule match | ← same | ← same |
| Alert severity | Medium | Medium | Medium |
| Policy mode | Enforced | Enforced | Enforced |
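Priority 4 as an added PowerShell example, not the runbook's own procedure (which uses the portal): it writes the Exchange rule from the tables above with New-DlpCompliancePolicy and New-DlpComplianceRule and shows, side by side, the misconfiguration the Block + override callout in the Phase B summary warns about. Assumptions: Connect-IPPSSession is done, the group EID_Sensitivity_Label_Test_Users exists, dlp-alerts@contoso.com stands in for [YOUR_DLP_ALERT_EMAIL], partner.example stands in for the approved partner domain list, and the label is named CUI - Specified (Commercial tenants substitute Restricted and their own exception list).

```powershell
# Added example, not from the runbook. Priority 4: block external sending of top-tier labeled mail,
# allow override with justification, exempt approved partner domains, report every match.
# Assumes Connect-IPPSSession is done; group, mailbox and domain below are placeholders.
Import-Module ExchangeOnlineManagement

$PolicyName      = 'Exchange - CUI Specified Label External Sharing'   # Commercial: 'Exchange - Restricted Label External Sharing'
$LabelName       = 'CUI - Specified'                                    # Commercial: 'Restricted'
$AlertMailbox    = 'dlp-alerts@contoso.com'                             # [YOUR_DLP_ALERT_EMAIL]
$ApprovedDomains = @('partner.example')                                 # approved partner domains (placeholder)
$TestGroup       = 'EID_Sensitivity_Label_Test_Users'

# Policy: Exchange only, Enforced, scoped to the test group first. Create policies in table order so
# that priority 4 is a valid position at this point.
New-DlpCompliancePolicy -Name $PolicyName -Mode Enable -Priority 4 `
    -ExchangeLocation All -ExchangeSenderMemberOf $TestGroup

# Condition "Content is labeled": the labels form of ContentContainsSensitiveInformation
$LabelCondition = @{
    operator = 'And'
    groups   = @(@{ operator = 'Or'; labels = @(@{ name = $LabelName; type = 'Sensitivity' }) })
}

# WRONG (kept commented on purpose): override is requested but no BlockAccess. The rule alerts and
# shows a policy tip, nothing is blocked, and the sender never sees an override/justification prompt.
# New-DlpComplianceRule -Name "$PolicyName - rule" -Policy $PolicyName `
#     -ContentContainsSensitiveInformation $LabelCondition -AccessScope NotInOrganization `
#     -ExceptIfRecipientDomainIs $ApprovedDomains `
#     -NotifyUser 'LastModifier' -NotifyAllowOverride 'WithJustification'

# RIGHT: Block everyone + override with business justification, approved domains excepted,
# incident report to the security mailbox on every match.
New-DlpComplianceRule -Name "$PolicyName - rule" -Policy $PolicyName `
    -ContentContainsSensitiveInformation $LabelCondition `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $ApprovedDomains `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser 'LastModifier' -NotifyAllowOverride 'WithJustification' `
    -NotifyPolicyTipCustomText "This message carries the $LabelName label and is addressed outside the organization. Remove the external recipient, or override with a business justification." `
    -GenerateIncidentReport $AlertMailbox -ReportSeverityLevel High `
    -IncidentReportContent 'Title','DocumentAuthor','Detections','Severity','DetectionDetails'

# Readback: wherever NotifyAllowOverride is set, BlockAccess must be True or the override is cosmetic
Get-DlpComplianceRule -Policy $PolicyName |
    Select-Object Name, BlockAccess, BlockAccessScope, NotifyAllowOverride, AccessScope, ExceptIfRecipientDomainIs
```

When the test-group validation is complete, widen the policy by editing its scope with Set-DlpCompliancePolicy rather than recreating it; the rule, its exceptions, and its priority are preserved.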
Step B-4: Create SSN alert policies (Priorities 10–12)
For each policy: DLP → Policies → Create policy → Custom → Custom policy → full directory scope → single rule.
| Setting | Exchange (P10) | OneDrive (P11) | SharePoint (P12) |
|---|---|---|---|
| Policy name | Exchange — SSN Alert | OneDrive — SSN Alert | SharePoint — SSN Alert |
| Locations | Exchange email | OneDrive accounts | SharePoint sites |
| Included users/groups | EID_Sensitivity_Label_Test_Users — expand to All after validation | ← same | Not supported — SharePoint scopes by site URL, not by user/group |
| Condition — Sensitive info type | U.S. social security number (SSN) — high-confidence variant only (formatted SSN pattern ddd-dd-dddd + a keyword from Keyword_ssn within 300 characters; minimizes false positives from non-SSN nine-digit numbers) | ← same | ← same |
| Action | Alert only — do not restrict or block. Phase 1 is a baseline-and-tune period before deciding on enforcement | ← same | ← same |
| User notifications | On — informs users that SSN content is now monitored and sets expectations for future enforcement | ← same | ← same |
| Incident reports — Admin alert | On | On | On |
| Incident reports — Recipients | [YOUR_DLP_ALERT_EMAIL] | ← same | ← same |
| Incident reports — Alert frequency | Every rule match | ← same | ← same |
| Alert severity | Medium | Medium | Medium |
| Policy mode | Enforced (test group) → Enforced (All) | Enforced (test group) → Enforced (All) | Simulation tenant-wide for 30 days — promote to Enforced (Alert action retained) after reviewing simulation log |
The SSN SIT has three confidence levels. High confidence requires a formatted SSN pattern (ddd-dd-dddd or ddd dd dddd) plus a keyword from Keyword_ssn (e.g., "SSN", "social security", "SSA Number") within 300 characters. Medium and low confidence drop the formatting requirement and produce substantially higher false-positive volume from any nine-digit number (part numbers, invoice IDs, employee IDs). Starting with high-confidence only keeps Phase 1 alert volume manageable; expand to medium and low confidence in a subsequent CAB submission after baseline tuning. See U.S. social security number (SSN) for the full pattern definition.
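Step B-4's three policies as an added PowerShell example, not from the runbook: it pins the SIT to confidence 85 (the high-confidence pattern described above), puts Exchange and OneDrive in Enforced mode scoped to the test group, and puts SharePoint tenant-wide in simulation with notifications. It assumes Connect-IPPSSession is done and that dlp-alerts@contoso.com and EID_Sensitivity_Label_Test_Users are placeholders for the tenant's real values.

```powershell
# Added example, not from the runbook. SSN alert policies P10-P12 with the high-confidence SIT only.
# Assumes Connect-IPPSSession is done; mailbox and group names are placeholders.
Import-Module ExchangeOnlineManagement

$AlertMailbox = 'dlp-alerts@contoso.com'             # [YOUR_DLP_ALERT_EMAIL]
$TestGroup    = 'EID_Sensitivity_Label_Test_Users'

# minConfidence 85 = high: formatted ddd-dd-dddd / ddd dd dddd plus a Keyword_ssn term within 300 characters.
# 75 (medium) and 65 (low) would also fire on unformatted nine-digit numbers such as invoice or employee IDs.
$SsnHighConfidence = @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; minConfidence = '85' })

function New-SsnAlertPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [int]       $Priority,
        [Parameter(Mandatory)] [hashtable] $Location,   # location + optional group scope, splatted into New-DlpCompliancePolicy
        [ValidateSet('Enable', 'TestWithNotifications', 'TestWithoutNotifications')] [string] $Mode = 'Enable'
    )
    New-DlpCompliancePolicy -Name $Name -Priority $Priority -Mode $Mode @Location | Out-Null
    # Alert only: no BlockAccess. The policy tip tells users SSN content is monitored; every match is reported.
    New-DlpComplianceRule -Name "$Name - rule" -Policy $Name `
        -ContentContainsSensitiveInformation $SsnHighConfidence `
        -NotifyUser 'LastModifier' `
        -GenerateIncidentReport $AlertMailbox -ReportSeverityLevel Medium `
        -IncidentReportContent 'Title','DocumentAuthor','Detections','Severity','DetectionDetails' | Out-Null
    Get-DlpCompliancePolicy -Identity $Name | Select-Object Name, Priority, Mode
}

# Exchange and OneDrive: Enforced, but only for senders / file owners in the test group
New-SsnAlertPolicy -Name 'Exchange - SSN Alert' -Priority 10 `
    -Location @{ ExchangeLocation = 'All'; ExchangeSenderMemberOf = $TestGroup }
New-SsnAlertPolicy -Name 'OneDrive - SSN Alert' -Priority 11 `
    -Location @{ OneDriveLocation = 'All'; OneDriveSharedByMemberOf = $TestGroup }

# SharePoint cannot be scoped to a user group, so it goes tenant-wide in simulation with policy tips on
New-SsnAlertPolicy -Name 'SharePoint - SSN Alert' -Priority 12 `
    -Location @{ SharePointLocation = 'All' } -Mode TestWithNotifications

# After the 30-day baseline, promote SharePoint to Enforced. The rule itself is unchanged (still alert only).
# Set-DlpCompliancePolicy -Identity 'SharePoint - SSN Alert' -Mode Enable
```

The only difference between the simulated and enforced SharePoint policy is the policy Mode; because the rule has no BlockAccess, promotion changes nothing users can see beyond the policy tip they already received during simulation, which is exactly why the baseline period carries no rollback risk.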
Step B-5: Verify policy priority order
- Navigate to DLP → Policies.
- Confirm policies are ordered 0 through 12 as specified. Adjust priority manually if the portal has assigned different numbers.
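A check for this step as an added PowerShell example, not part of the runbook: it compares the live DLP policy priorities with the Phase B summary table and can re-number them. It assumes Connect-IPPSSession is done, that the policy names were typed exactly as in the tables (shown here with a plain hyphen; use whatever character you used in the portal), and that $Top and $Mid are set to the tenant's tier names.

```powershell
# Added example, not from the runbook. Verifies that the 13 policies sit at priorities 0-12 in table order.
# Assumes Connect-IPPSSession is done. Policy names must match what was created in the portal.
Import-Module ExchangeOnlineManagement

$Top = 'CUI Specified'   # Commercial tenants: 'Restricted'
$Mid = 'CUI Basic'       # Commercial tenants: 'Confidential'

# Array index = expected priority, exactly as in the Phase B summary table
$ExpectedOrder = @(
    'Exchange - Credential Alert', 'OneDrive - Credential Alert', 'SharePoint - Credential Alert', 'Teams - Credential Alert'
    "Exchange - $Top Label External Sharing", "OneDrive - $Top Label External Sharing", "SharePoint - $Top Label External Sharing"
    "Exchange - $Mid Label External Sharing", "OneDrive - $Mid Label External Sharing", "SharePoint - $Mid Label External Sharing"
    'Exchange - SSN Alert', 'OneDrive - SSN Alert', 'SharePoint - SSN Alert'
)

function Test-DlpPolicyOrder {
    param([Parameter(Mandatory)] [string[]] $Expected, [switch] $Fix)
    $live  = Get-DlpCompliancePolicy
    $drift = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -lt $Expected.Count; $i++) {
        $p = $live | Where-Object { $_.Name -eq $Expected[$i] }
        if (-not $p) { $drift.Add("MISSING    $($Expected[$i])"); continue }
        if ($p.Priority -ne $i) {
            $drift.Add("PRIORITY   $($p.Name): is $($p.Priority), expected $i")
            # Re-numbering one policy shifts its neighbours, so walk the list in order and re-check afterwards
            if ($Fix) { Set-DlpCompliancePolicy -Identity $p.Name -Priority $i }
        }
    }
    # Pre-existing policies also occupy priority slots and will push the runbook's set around
    foreach ($e in ($live | Where-Object { $_.Name -notin $Expected })) {
        $drift.Add("UNEXPECTED $($e.Name) (priority $($e.Priority))")
    }
    return $drift
}

$drift = Test-DlpPolicyOrder -Expected $ExpectedOrder
if ($drift.Count -eq 0) { 'Priority order matches the runbook' } else { $drift }
# To correct: Test-DlpPolicyOrder -Expected $ExpectedOrder -Fix ; then run the check again without -Fix
```

UNEXPECTED entries are the usual reason the portal "assigned different numbers": any policy that already existed in the tenant holds a slot, so decide where it belongs relative to the credential policies before re-numbering.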
Validation Plan
Complete all validation steps before closing the change ticket. Document pass/fail for each test. The plan has five layers — DLP credential detection, per-label feature tests, container-vs-content matrix, cross-tier sanity tests, and audit visibility.
Required Test Sites
Each site holds 4–5 test files.
Container labels on Team Sites exercise the full surface area: SharePoint-level controls (external sharing, unmanaged-device access, default sharing link type) plus Group-level controls (privacy public/private, Teams sensitivity inheritance, group mailbox external email). Communication Sites only exercise the SharePoint subset.
Cleanup: each Team Site provisions a Microsoft 365 Group, group mailbox, and Planner. When tearing down the test environment, delete the M365 Group (Entra admin center → Groups → [Group] → Delete), not just the SharePoint site.
The Public label is file/email-scope only and cannot be applied as a container label (see Phase A-2 above).
GCC High (CMMC):
| # | Site Name | Container Label | Carries Which Tests |
|---|---|---|---|
| S-1 | Test-General | General | L-2 (General per-label feature) |
| S-2 | Test-CUI-Basic | CUI - Basic | L-3 (CUI-Basic per-label feature); B-1 and B-2 (2×2 cells with labeled site); X-4 (General file external-share attempt) |
| S-3 | Test-CUI-Specified | CUI - Specified | L-4 (CUI-Specified per-label feature, includes V-4 external-share check); X-2 (Public file in CUI-Specified site) |
| S-4 | Test-Unlabeled | (none) | L-1 (Public per-label feature — site label irrelevant for a file-label test); B-3 and B-4 (2×2 cells with unlabeled site); X-1 (CUI-Specified file in unlabeled site); X-3 destination (move-out OneDrive personal can substitute) |
| # | Site Name | Container Label | Carries Which Tests |
|---|---|---|---|
| S-1 | Test-Internal | Internal | L-2 (Internal per-label feature) |
| S-2 | Test-Confidential | Confidential | L-3 (Confidential per-label feature); B-1 and B-2 (2×2 cells with labeled site); X-4 (Internal file external-share attempt) |
| S-3 | Test-Restricted | Restricted | L-4 (Restricted per-label feature, includes V-4 external-share check); X-2 (Public file in Restricted site) |
| S-4 | Test-Unlabeled | (none) | L-1 (Public per-label feature — site label irrelevant for a file-label test); B-3 and B-4 (2×2 cells with unlabeled site); X-1 (Restricted file in unlabeled site); X-3 destination (move-out OneDrive personal can substitute) |
Layer 1: DLP Credential and SSN Detection
Validates DLP credential and SSN rules across Exchange, OneDrive, SharePoint, and Teams. Environment-agnostic — same expected behavior in Commercial and GCC High.
| # | Test | Expected Result | Validated By |
|---|---|---|---|
| V-1 | Send an email containing a plaintext password to an external address | Exchange — Credential Alert triggers; email is blocked; user receives policy tip | [Name] |
| V-2 | Upload a file containing a test credential string to OneDrive and share externally | OneDrive — Credential Alert triggers; external sharing link is removed | [Name] |
| V-3 | From a test-group member, post a message in a Teams channel containing a test credential string | Teams — Credential Alert triggers; alert generated to security mailbox; sender sees policy tip | [Name] |
| V-4 | Send an email containing a test SSN (e.g., 123-45-6789 with the keyword SSN nearby) to an external address | Exchange — SSN Alert triggers (Alert only — no block); incident report delivered to security mailbox; sender sees policy tip | [Name] |
| V-5 | Upload a file containing the same test SSN string to OneDrive | OneDrive — SSN Alert triggers; incident report delivered; file remains accessible (Alert action only) | [Name] |
| V-6 | Upload a file containing the same test SSN string to a SharePoint site | SharePoint — SSN Alert match appears in the policy's simulation log (DLP → Policies → SharePoint — SSN Alert → View matches); no user-facing alert during the 30-day simulation period | [Name] |
Layer 2: Per-Label Feature Tests
Confirms each label's specific enforcement (markings, encryption, external-share block, downgrade justification) behaves as designed. The presence of all four labels in the Office client picker is implicitly validated — if the label cannot be applied, the test cannot be run.
GCC High (CMMC)
| # | Test | Expected Result | Validated By |
|---|---|---|---|
| L-1 | In Test-Unlabeled (S-4), apply Public label to a test document; save and reopen | Save succeeds; no header/footer/watermark; no encryption | [Name] |
| L-2 | In Test-General (S-1), apply General label to a test document; save and reopen | Save succeeds; "General" footer text appears; no encryption | [Name] |
| L-3 | In Test-CUI-Basic (S-2), apply CUI - Basic label to a test document; save and attempt to open as a non-permitted user | Save succeeds with encryption; "CUI — Basic" header/footer applied; non-permitted user cannot decrypt | [Name] |
| L-4 | In Test-CUI-Specified (S-3), apply CUI - Specified label to a test document; share externally via SharePoint | Encryption applies; "CUI — Specified" markings visible; external sharing blocked by Sensitive Label External Sharing policy; alert to security mailbox (replaces V-4) | [Name] |
| L-5 | Downgrade a CUI - Specified document to Public | Justification prompt appears; downgrade is recorded in Activity Explorer and Unified Audit Log (replaces V-6) | [Name] |
Commercial
| # | Test | Expected Result | Validated By |
|---|---|---|---|
| L-1 | In Test-Unlabeled (S-4), apply Public label to a test document; save and reopen | Save succeeds; no header/footer/watermark; no encryption | [Name] |
| L-2 | In Test-Internal (S-1), apply Internal label to a test document; save and reopen | Save succeeds; "Internal" footer text appears; no encryption | [Name] |
| L-3 | In Test-Confidential (S-2), apply Confidential label to a test document; save and attempt to open as a non-permitted user | Save succeeds with encryption; "Confidential" header/footer applied; non-permitted user cannot decrypt | [Name] |
| L-4 | In Test-Restricted (S-3), apply Restricted label to a test document; share externally via SharePoint | Encryption applies; "Restricted" markings visible; external sharing blocked by Sensitive Label External Sharing policy; alert to security mailbox (replaces V-4) | [Name] |
| L-5 | Downgrade a Restricted document to Public | Justification prompt appears; downgrade is recorded in Activity Explorer and Unified Audit Log (replaces V-6) | [Name] |
Layer 3: Container vs Content Boundary (2×2)
Validates that container labels and content labels enforce independently. This is the highest-confusion area in Purview audits — each cell isolates one observable behavior.
GCC High (CMMC)
| # | Site | File Label | Expected Result | Validated By |
|---|---|---|---|---|
| B-1 | Test-CUI-Basic (S-2) | CUI - Basic | Site blocks external sharing; file is encrypted; DLP matches on label condition | [Name] |
| B-2 | Test-CUI-Basic (S-2) | (unlabeled) | Site blocks external sharing; file is not encrypted — confirms the container label does not auto-protect content. Mandatory labeling normally prevents this state in production; this cell demonstrates the gap if mandatory labeling is bypassed | [Name] |
| B-3 | Test-Unlabeled (S-4) | CUI - Basic | Site permits external sharing of the link; file remains encrypted — non-permitted external recipient cannot open content even though the link is shareable. Confirms encryption travels with the file | [Name] |
| B-4 | Test-Unlabeled (S-4) | (unlabeled) | No protection at any layer. Baseline / control case — the "shadow CUI" risk that mandatory labeling and auto-labeling are designed to eliminate | [Name] |
Commercial
| # | Site | File Label | Expected Result | Validated By |
|---|---|---|---|---|
| B-1 | Test-Confidential (S-2) | Confidential | Site blocks external sharing; file is encrypted; DLP matches on label condition | [Name] |
| B-2 | Test-Confidential (S-2) | (unlabeled) | Site blocks external sharing; file is not encrypted — confirms the container label does not auto-protect content. Mandatory labeling normally prevents this state in production; this cell demonstrates the gap if mandatory labeling is bypassed | [Name] |
| B-3 | Test-Unlabeled (S-4) | Confidential | Site permits external sharing of the link; file remains encrypted — non-permitted external recipient cannot open content even though the link is shareable. Confirms encryption travels with the file | [Name] |
| B-4 | Test-Unlabeled (S-4) | (unlabeled) | No protection at any layer. Baseline / control case — the "shadow data" risk that mandatory labeling and auto-labeling are designed to eliminate | [Name] |
Layer 4: Cross-Tier Sanity
Validates that file labels travel with the file, container labels apply to all content regardless of file label, and tier mismatches behave defensibly.
GCC High (CMMC)
| # | Test | Expected Result | Validated By |
|---|---|---|---|
| X-1 | Place a CUI - Specified file in Test-Unlabeled (S-4) | File encryption persists; non-permitted user cannot decrypt regardless of permissive site sharing settings | [Name] |
| X-2 | Place a Public file in Test-CUI-Specified (S-3); attempt external share | Site-level container restrictions block the external share even though the file label permits it | [Name] |
| X-3 | Move a CUI - Basic file from Test-CUI-Basic (S-2) to OneDrive personal | File label and encryption persist across the move; permission scope unchanged | [Name] |
| X-4 | Place a General file in Test-CUI-Basic (S-2); attempt external share | Container label blocks the external share; file label alone would have permitted it | [Name] |
Commercial
| # | Test | Expected Result | Validated By |
|---|---|---|---|
| X-1 | Place a Restricted file in Test-Unlabeled (S-4) | File encryption persists; non-permitted user cannot decrypt regardless of permissive site sharing settings | [Name] |
| X-2 | Place a Public file in Test-Restricted (S-3); attempt external share | Site-level container restrictions block the external share even though the file label permits it | [Name] |
| X-3 | Move a Confidential file from Test-Confidential (S-2) to OneDrive personal | File label and encryption persist across the move; permission scope unchanged | [Name] |
| X-4 | Place an Internal file in Test-Confidential (S-2); attempt external share | Container label blocks the external share; file label alone would have permitted it | [Name] |
Layer 5: Audit Visibility
| # | Test | Expected Result | Validated By |
|---|---|---|---|
| A-1 | Open Activity Explorer in Purview and confirm test events from V-1 through X-4 are visible | All test events appear with user, workload, label, and justification data (replaces V-8) | [Name] |
30-Day Post-Deployment Review
Within 30 days of implementation:
- Review DLP Alerts dashboard for false-positive alert volume on credential policies across the test group.
- Review the SharePoint simulation logs for Priority 2 (Credential Alert) and Priority 12 (SSN Alert). If false-positive rates are acceptable, promote each to Enforced tenant-wide (SSN retains Alert-only action) and submit a minor change request.
- Promote the test-group-scoped policies (Exchange, OneDrive, Teams credential and label-sharing alerts; Exchange and OneDrive SSN alerts) from the test group to All users once friction metrics are acceptable.
- Categorize SSN false-positive sources (employee IDs, invoice IDs, part numbers, etc.) and decide whether to: (a) keep Alert-only, (b) author a custom SIT excluding known false-positive number formats, or (c) promote to Block once volume is manageable.
- Export Activity Explorer data to confirm label adoption rates are trending upward.
- Present findings to the CAB sponsor before the Phase 2 submission.
Rollback Plan
Labels and DLP policies can be reversed without service interruption.
| Scenario | Rollback Procedure | Estimated Time |
|---|---|---|
| Label policy causes user disruption (help desk volume spike) | Set mandatory labeling to Off in the label policy settings; this removes the forced prompt while leaving labels available | 5 minutes |
| DLP policy causes legitimate mail to be blocked | Set the affected policy to Simulation mode or disable the specific rule; does not require deleting the policy | 5 minutes |
| Labels need to be removed entirely | Unpublish the label policy first; wait 24 hours for client propagation to clear; then delete labels. Labels cannot be deleted while active in a policy. | 24+ hours |
| Container label sync causes Groups configuration issue | Revert EnableMIPLabels to False via the Entra directory settings PowerShell commands | 10 minutes |
Sensitivity labels that have been applied to files cannot be removed by deleting the label definition — the label metadata persists in the file. Rollback of the label policy only affects new labeling behavior, not already-labeled content. Do not delete label definitions unless directed by Microsoft support.
Risk Register
GCC High (CMMC)
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Mandatory labeling generates help desk volume in the first week | High | Low | Pre-deployment communication with brief user guidance; set a 5-business-day support buffer |
| Credential DLP blocks a legitimate automated process (service account, pipeline) | Low | High | Audit Exchange transport rules and known automation accounts before deployment; add sender exclusions for identified service accounts |
| CUI — Specified encryption prevents a user from opening a file on a non-corporate device | Medium | Medium | Scope CUI — Specified label permissions to a security group; add authorized external devices to the group before deployment |
| External partner blocks due to Allowed Domains list being incomplete | Medium | Medium | Confirm the approved partner domain list with the security team before deployment; test with a known partner tenant before go-live |
| Labels do not appear in Office clients within expected timeframe | Low | Low | Policy propagation can take up to 24 hours; inform users not to expect immediate availability; verify via test account |
| SSN policy generates false positives on non-SSN nine-digit numbers (employee IDs, part numbers, invoice IDs, etc.) | Medium | Low | Alert-only action prevents user impact during baseline period; high-confidence-only SIT variant requires formatted pattern + keyword within 300 characters to mitigate; review 30-day baseline volume before deciding on enforcement |
Commercial
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Mandatory labeling generates help desk volume in the first week | High | Low | Pre-deployment communication with brief user guidance; set a 5-business-day support buffer |
| Credential DLP blocks a legitimate automated process (service account, pipeline) | Low | High | Audit Exchange transport rules and known automation accounts before deployment; add sender exclusions for identified service accounts |
| Restricted encryption prevents file access for an authorized external party | Medium | Medium | Scope Restricted encryption to a security group; add authorized users before deployment; test access with the recipient before go-live |
| DLP alert volume overwhelms the security mailbox | Medium | Medium | Set alert aggregation to daily digest for Medium-severity alerts; reserve real-time alerts for High-severity policies only |
| Labels do not appear in Office clients within expected timeframe | Low | Low | Policy propagation can take up to 24 hours; inform users not to expect immediate availability |
| SSN policy generates false positives on non-SSN nine-digit numbers (employee IDs, part numbers, invoice IDs, etc.) | Medium | Low | Alert-only action prevents user impact during baseline period; high-confidence-only SIT variant requires formatted pattern + keyword within 300 characters to mitigate; review 30-day baseline volume before deciding on enforcement |
Communication Plan
| Audience | Message | Timing | Delivered By |
|---|---|---|---|
| All Microsoft 365 users | New sensitivity labels are being added to Office applications. You will be asked to select a label when saving documents or sending email. A brief guide is available at [link]. | 5 business days before go-live | [Name / Communication channel] |
| IT Help Desk | Sensitivity label training brief: expected user questions, where labels appear, how to reset a label, and escalation path for legitimate DLP blocks | 3 business days before go-live | [Name] |
| Security / Compliance team | DLP incident report mailbox is live as of [date]. Review the alert dashboard at [Purview portal link] within 48 hours of go-live. Escalation path for enforcement disputes: [Name/ticketing queue]. | Day of go-live | [Name] |
| CAB Sponsor | Post-implementation summary within 5 business days of go-live confirming validation results and help desk ticket volume | Within 5 business days | [Name] |
Change Record
| Field | Value |
|---|---|
| Submitted by | [Name] |
| Submission date | [Date] |
| CAB review date | [Date] |
| CAB decision | [ ] Approved [ ] Approved with conditions [ ] Deferred [ ] Rejected |
| Conditions / Notes | |
| Approved by | [Name, title] |
| Implementation date (actual) | |
| Closed by | [Name] |
| Closure date | |