
CAB Runbook: Sensitivity Labels and DLP Policies

This runbook supports a Change Advisory Board (CAB) submission for deploying a sensitivity label taxonomy and foundational Data Loss Prevention (DLP) policies in Microsoft Purview. Complete the bracketed fields before submitting to your CAB.

Change Summary

| Field | Value |
| --- | --- |
| Change Title | Deploy Microsoft Purview Sensitivity Label Taxonomy and Foundational DLP Policies |
| Change Type | Standard — New Capability |
| Risk Level | Medium |
| Estimated Downtime | None — configuration changes only; no service interruption expected |
| Rollback Available | Yes — labels and policies can be disabled or deleted within minutes |
| Implementation Window | [Insert maintenance window date/time and duration] |
| Implementer | [Insert name, title] |
| Backup Implementer | [Insert name, title] |
| CAB Sponsor | [Insert name, title] |
| Ticket / Change ID | [Insert change management ticket number] |

Business Justification

CMMC Level 2 requires that Controlled Unclassified Information (CUI) be identified, marked, and protected from unauthorized disclosure. This change implements the technical controls required by:

  • NIST SP 800-171 Rev. 2 3.1.3 — Control the flow of CUI in accordance with approved authorizations
  • NIST SP 800-171 Rev. 2 3.13.1 — Monitor, control, and protect communications at external boundaries
  • NIST SP 800-171 Rev. 2 3.13.16 — Protect the confidentiality of CUI at rest

Without sensitivity labels, the organization cannot consistently identify CUI across Microsoft 365, and DLP policies cannot enforce information flow controls against unlabeled content. This change is the prerequisite for all subsequent Purview-based compliance controls.

Scope of Change

In Scope — Phase A: Sensitivity Labels

  1. Enable MIP container labels for Microsoft 365 Groups in Entra ID (one-time PowerShell command — no user-facing impact)
  2. Create four sensitivity labels in the Microsoft Purview compliance portal:

| Label | CUI Mapping | Encryption | Container Support |
| --- | --- | --- | --- |
| Public | Not CUI | No | No |
| General | Not CUI — internal operational data | No | Yes |
| CUI — Basic | CUI Basic (standard safeguarding) | Recommended | Yes |
| CUI — Specified | CUI Specified (enhanced safeguarding) | Required | Yes |

  3. Publish a label policy targeting all users with the following settings:
    • Default label for files and emails: General (or Internal)
    • Mandatory labeling: On — users must select a label before saving or sending
    • Justification required on downgrade or removal: On

In Scope — Phase B: Foundational DLP Policies

Seven DLP policies deployed across Exchange, SharePoint, OneDrive, and Teams:

| Priority | Policy Name | Workload | Initial Mode | Action |
| --- | --- | --- | --- | --- |
| 0 | Exchange — Credential Alert | Exchange | Enforced | Block send + alert |
| 1 | OneDrive — Credential Alert | OneDrive | Enforced | Restrict access + alert |
| 2 | SharePoint — Credential Alert | SharePoint | Enforced | Restrict access + alert |
| 3 | Teams — Credential Alert | Teams | Simulation | Alert only |
| 4 | Exchange — Sensitive Label External Sharing | Exchange | Enforced | Alert + override with justification |
| 5 | OneDrive — Sensitive Label External Sharing | OneDrive | Enforced | Alert + restrict access |
| 6 | SharePoint — Sensitive Label External Sharing | SharePoint | Enforced | Alert + restrict access |
| 7 | Exchange — Restricted Label External Sharing | Exchange | Enforced | Alert |
| 8 | OneDrive — Restricted Label External Sharing | OneDrive | Enforced | Alert |
| 9 | SharePoint — Restricted Label External Sharing | SharePoint | Enforced | Alert |

Teams Credential Alert (Priority 3) remains in Simulation mode for 30 days due to elevated false-positive risk on code snippets and configuration files shared in technical channels. Promotion to Enforced requires a post-deployment review (see Validation Plan).

Out of Scope — Reserved for Phase 2 Submission

The following capabilities are excluded from this change and will be addressed in a subsequent CAB submission:

  • Endpoint DLP (USB copy, cloud upload, print, RDP clipboard controls)
  • Microsoft 365 Copilot label enforcement
  • Client-side and service-side auto-labeling policies
  • Insider Risk Management integration
  • PII and Finance SIT-based detection policies

Prerequisites

All prerequisites must be verified before the implementation window opens.

| # | Prerequisite | Verified By | Notes |
| --- | --- | --- | --- |
| 1 | Microsoft Purview compliance portal access — Global Administrator or Compliance Administrator role | [Name] | Required to create labels and policies |
| 2 | Exchange Online Administrator role | [Name] | Required for IPPS session during container label sync |
| 3 | Microsoft Entra ID P1 or P2 license for at least one admin account | [Name] | Required for container label enablement |
| 4 | Microsoft 365 E3/E5 or equivalent licenses for all in-scope users | [Name] | Sensitivity labels require M365 Apps for Enterprise; DLP requires E3 minimum |
| 5 | No existing conflicting label policies in the tenant | [Name] | Check in Purview portal → Information Protection → Label policies |
| 6 | Approved list of partner/external domains authorized to receive CUI or sensitive content | [Name] | Required for Phase B DLP Allowed Domains configuration |
| 7 | Security team distribution group or mailbox for DLP incident reports | [Name] | e.g., security-alerts@[org].com |
| 8 | Change freeze status confirmed — no competing changes to Exchange transport rules or mail flow during window | [Name] | Avoid overlapping with mail flow configuration changes |

Implementation Plan

Estimated total implementation time: 90–120 minutes for a tenant with no pre-existing label configuration.

Phase A: Sensitivity Labels (~45 minutes)

Step A-1: Enable container labels in Entra ID (~10 minutes)

  1. Open PowerShell as an account with Global Administrator or Entra roles.
  2. Run the following commands:
```powershell
# Install required modules if not present
Install-Module Microsoft.Graph.Beta -Scope CurrentUser -Force
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force

# Enable MIP labels for M365 Groups (Group.Unified directory setting)
Connect-MgGraph -Scopes "Directory.ReadWrite.All"
$template = Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }

# A tenant that already has a Group.Unified setting object cannot take a second one:
# New-MgBetaDirectorySetting fails in that case, so update the existing object instead.
$existing = Get-MgBetaDirectorySetting | Where-Object { $_.TemplateId -eq $template.Id }
$mipValue = @(@{ Name = "EnableMIPLabels"; Value = "True" })
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id -BodyParameter @{ Values = $mipValue }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ TemplateId = $template.Id; Values = $mipValue }
}

# Sync labels from Purview to Entra (Security & Compliance PowerShell session)
Connect-IPPSSession
Execute-AzureAdLabelSync
Disconnect-ExchangeOnline
```

  3. Verify: In Entra ID → Groups → Settings, confirm EnableMIPLabels = True.

Step A-2: Create sensitivity labels (~20 minutes)

  1. Navigate to Microsoft Purview compliance portal → Information Protection → Labels.
  2. Create each label in the order listed in the Scope section (Public first, highest sensitivity last).
  3. For each label, configure:
    • Display name and description (user-facing tooltip text)
    • Scope: Files, Emails (and Sites/Groups for General/Internal and above)
    • Encryption settings per the label design in the Scope section
    • Content marking: footer with the label name (CUI banner for CUI-aligned labels)
  4. Verify all four labels appear in the label list with correct priority order.

Step A-3: Publish label policy (~15 minutes)

  1. Navigate to Information Protection → Label policies → Publish labels.
  2. Select all four labels.
  3. Assign to: All users and groups (or a pilot group if a phased rollout is preferred — see Risk Register).
  4. Configure policy settings:
    • Default label for documents: General (or Internal)
    • Default label for emails: General (or Internal)
    • Require users to apply a label: On
    • Require justification for label removal or downgrade: On
    • Provide a help link: [Insert link to internal data classification policy]
  5. Name the policy: [ORG] — Standard Label Policy v1.0
Label propagation

Sensitivity labels appear in Office clients (Word, Excel, Outlook) within 24 hours of policy publication. Plan the communication timeline accordingly.

Phase B: Foundational DLP Policies (~45–75 minutes)

Step B-1: Configure compliance alert destination

  1. Navigate to Microsoft Purview compliance portal → DLP → Alerts → Settings.
  2. Configure the incident report recipient mailbox: [security-alerts@org.com]
  3. Verify the mailbox is reachable and monitored.

Step B-2: Create credential protection policies (Priorities 0–3)

For each workload (Exchange, OneDrive, SharePoint, Teams):

  1. Navigate to DLP → Policies → Create policy → Custom → Custom policy.
  2. Name: [Workload] — Credential Alert
  3. Scope: All locations within the workload
  4. Rule condition: Content contains → Sensitive info type → Add: General Password, Software Development Credentials, Azure Active Directory Client Secret
  5. Rule action:
    • Exchange: Block the email and notify the user
    • OneDrive / SharePoint: Restrict access — remove external sharing links
    • Teams: Alert only (Simulation mode for first 30 days)
  6. Alert settings: Generate an alert for every rule match; send to the incident report mailbox
  7. Policy mode: Enforced (Teams: Simulation)

Step B-3: Create label-based external sharing alert policies (Priorities 4–9)

For Exchange, OneDrive, and SharePoint:

  1. Navigate to DLP → Policies → Create policy → Custom → Custom policy.
  2. Name per the priority table in the Scope section (e.g., Exchange — Sensitive Label External Sharing)
  3. Scope: The applicable workload
  4. Rule condition: Content is labeled → [Highest sensitivity label] AND Content is shared → With people outside the organization
  5. Add an Allowed Domains exception for each policy at priorities 4–9: Recipient domain is one of → list approved partner GCC High tenant domains. CUI may only be shared externally to these domains, even if the user provides justification.
  6. Rule action:
    • Priorities 4–6 (Highest sensitivity): Alert + require override justification
    • Priorities 7–9 (Restricted tier): Alert only
  7. Alert severity:
    • Priorities 4–6: High
    • Priorities 7–9: Medium
  8. Policy mode: Enforced

Step B-4: Verify policy priority order

  1. Navigate to DLP → Policies.
  2. Confirm policies are ordered 0 through 9 as specified. Adjust priority manually if the portal has assigned different numbers.
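The priority check in Step B-4 can be scripted so it is repeatable at the 30-day review as well. The following is an added example, not part of the original runbook; it assumes an open Security & Compliance PowerShell session (Connect-IPPSSession) and that the policies were named exactly as in the Scope table. Teams — Credential Alert is expected in TestWithoutNotifications (simulation without policy tips); change that to TestWithNotifications if policy tips were enabled during simulation.

```powershell
# Added example: compare live DLP policies against the runbook priority table and report drift.
# Set $fix = $true to push expected priorities with Set-DlpCompliancePolicy; modes are reported only,
# because promoting Teams to Enforced is a separate change request per the 30-day review.
$fix = $false
$expected = @(
    @{ Priority = 0; Name = 'Exchange — Credential Alert';                    Mode = 'Enable' },
    @{ Priority = 1; Name = 'OneDrive — Credential Alert';                    Mode = 'Enable' },
    @{ Priority = 2; Name = 'SharePoint — Credential Alert';                  Mode = 'Enable' },
    @{ Priority = 3; Name = 'Teams — Credential Alert';                       Mode = 'TestWithoutNotifications' },
    @{ Priority = 4; Name = 'Exchange — Sensitive Label External Sharing';    Mode = 'Enable' },
    @{ Priority = 5; Name = 'OneDrive — Sensitive Label External Sharing';    Mode = 'Enable' },
    @{ Priority = 6; Name = 'SharePoint — Sensitive Label External Sharing';  Mode = 'Enable' },
    @{ Priority = 7; Name = 'Exchange — Restricted Label External Sharing';   Mode = 'Enable' },
    @{ Priority = 8; Name = 'OneDrive — Restricted Label External Sharing';   Mode = 'Enable' },
    @{ Priority = 9; Name = 'SharePoint — Restricted Label External Sharing'; Mode = 'Enable' }
)

# Name, Priority and Mode are standard properties returned by Get-DlpCompliancePolicy
$live  = Get-DlpCompliancePolicy | Select-Object Name, Priority, Mode
$drift = @()

foreach ($e in $expected) {
    $p = $live | Where-Object { $_.Name -eq $e.Name }
    if (-not $p) {
        $drift += "MISSING   $($e.Name)"
        continue
    }
    if ($p.Priority -ne $e.Priority) {
        $drift += "PRIORITY  $($e.Name): expected $($e.Priority), found $($p.Priority)"
        if ($fix) { Set-DlpCompliancePolicy -Identity $e.Name -Priority $e.Priority }
    }
    if ($p.Mode -ne $e.Mode) {
        $drift += "MODE      $($e.Name): expected $($e.Mode), found $($p.Mode)"
    }
}

# Any policy in the tenant that is not in the runbook table should be explained in the change record
$unexpected = $live | Where-Object { $_.Name -notin $expected.Name }
foreach ($u in $unexpected) { $drift += "UNLISTED  $($u.Name) (priority $($u.Priority), mode $($u.Mode))" }

if ($drift.Count -eq 0) { "All $($expected.Count) policies match the runbook priority table." } else { $drift }
```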

Validation Plan

Complete all validation steps before closing the change ticket. Document pass/fail for each item.

| # | Test | Expected Result | Validated By |
| --- | --- | --- | --- |
| V-1 | Send an email containing a plaintext password to an external address | Exchange — Credential Alert triggers; email is blocked; user receives policy tip | [Name] |
| V-2 | Upload a file containing a test credential string to OneDrive and share externally | OneDrive — Credential Alert triggers; external sharing link is removed | [Name] |
| V-3 | Create a new Word document; attempt to save without applying a label | Mandatory labeling prompt appears; document cannot be saved until a label is selected | [Name] |
| V-4 | Apply the highest sensitivity label to a test file; share externally via SharePoint | SharePoint — Sensitive Label External Sharing policy triggers; alert generated to security mailbox | [Name] |
| V-5 | In a test Teams channel, post a message containing a test credential string | Teams — Credential Alert records event in simulation log; no user-facing block (simulation mode) | [Name] |
| V-6 | Downgrade a labeled document from the highest sensitivity label to Public | Justification prompt appears; downgrade is recorded in Activity Explorer and Unified Audit Log | [Name] |
| V-7 | Verify labels appear in Office clients (Word, Outlook) for a test user account | Labels visible in the sensitivity label picker with correct display names and tooltips | [Name] |
| V-8 | Open Activity Explorer in Purview and confirm test events from V-1 through V-6 are visible | All test events appear with user, workload, label, and justification data | [Name] |

30-Day Post-Deployment Review

Within 30 days of implementation:

  1. Review DLP Alerts dashboard for false-positive alert volume on credential policies.
  2. Review Teams simulation log (Priority 3) — if false-positive rate is acceptable, promote to Enforced and submit a minor change request.
  3. Export Activity Explorer data to confirm label adoption rates are trending upward.
  4. Present findings to the CAB sponsor before the Phase 2 submission.

Rollback Plan

Labels and DLP policies can be reversed without service interruption.

| Scenario | Rollback Procedure | Estimated Time |
| --- | --- | --- |
| Label policy causes user disruption (help desk volume spike) | Set mandatory labeling to Off in the label policy settings; this removes the forced prompt while leaving labels available | 5 minutes |
| DLP policy causes legitimate mail to be blocked | Set the affected policy to Simulation mode or disable the specific rule; does not require deleting the policy | 5 minutes |
| Labels need to be removed entirely | Unpublish the label policy first; wait 24 hours for client propagation to clear; then delete labels. Labels cannot be deleted while active in a policy. | 24+ hours |
| Container label sync causes Groups configuration issue | Revert EnableMIPLabels to False via the Entra directory settings PowerShell commands | 10 minutes |
Label deletion is permanent

Sensitivity labels that have been applied to files cannot be removed by deleting the label definition — the label metadata persists in the file. Rollback of the label policy only affects new labeling behavior, not already-labeled content. Do not delete label definitions unless directed by Microsoft support.

Risk Register

| Risk | Likelihood | Impact | Mitigation |
| --- | --- | --- | --- |
| Mandatory labeling generates help desk volume in the first week | High | Low | Pre-deployment communication with brief user guidance; set a 5-business-day support buffer |
| Credential DLP blocks a legitimate automated process (service account, pipeline) | Low | High | Audit Exchange transport rules and known automation accounts before deployment; add sender exclusions for identified service accounts |
| CUI — Specified encryption prevents a user from opening a file on a non-corporate device | Medium | Medium | Scope CUI — Specified label permissions to a security group; add authorized external devices to the group before deployment |
| External partner blocks due to Allowed Domains list being incomplete | Medium | Medium | Confirm the approved partner domain list with the security team before deployment; test with a known partner tenant before go-live |
| Labels do not appear in Office clients within expected timeframe | Low | Low | Policy propagation can take up to 24 hours; inform users not to expect immediate availability; verify via test account |

Communication Plan

| Audience | Message | Timing | Delivered By |
| --- | --- | --- | --- |
| All Microsoft 365 users | New sensitivity labels are being added to Office applications. You will be asked to select a label when saving documents or sending email. A brief guide is available at [link]. | 5 business days before go-live | [Name / Communication channel] |
| IT Help Desk | Sensitivity label training brief: expected user questions, where labels appear, how to reset a label, and escalation path for legitimate DLP blocks | 3 business days before go-live | [Name] |
| Security / Compliance team | DLP incident report mailbox is live as of [date]. Review the alert dashboard at [Purview portal link] within 48 hours of go-live. Escalation path for enforcement disputes: [Name/ticketing queue]. | Day of go-live | [Name] |
| CAB Sponsor | Post-implementation summary within 5 business days of go-live confirming validation results and help desk ticket volume | Within 5 business days | [Name] |

Change Record

| Field | Value |
| --- | --- |
| Submitted by | [Name] |
| Submission date | [Date] |
| CAB review date | [Date] |
| CAB decision | [ ] Approved [ ] Approved with conditions [ ] Deferred [ ] Rejected |
| Conditions / Notes | |
| Approved by | [Name, title] |
| Implementation date (actual) | |
| Closed by | [Name] |
| Closure date | |
