This article lists frequently asked questions about sensitivity labeling in the Microsoft Purview Data Map, with their answers and links to more information as needed.
Important
Labeling in the Microsoft Purview Data Map is currently in PREVIEW. The Supplemental Terms of Use for Azure Previews include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Licensing and setup
If my organization has multiple Microsoft Purview Data Map accounts within a Microsoft Entra tenant, do I need to manually extend labels to each account separately?
No. When you extend sensitivity labels to the Microsoft Purview Data Map, those labels are extended to all the accounts in your tenant.
My organization already uses sensitivity labels for Office documents and emails. What is the impact of extending these labels to the Microsoft Purview Data Map? Will it affect my existing setup for Microsoft Purview Information Protection?
Extending the labels to the data map doesn't affect your existing setup for Microsoft Purview Information Protection or modify your assets in any way, including files and databases.
- When you extend sensitivity labels to the Microsoft Purview Data Map, your Microsoft Purview Information Protection setup will continue to work in the same way as before.
- Extending the sensitivity labels to the data map allows Microsoft Purview to apply those labels to your Azure and multicloud assets in the Microsoft Purview Data Map. The data map is a metadata store and can be deleted by you at any time, and you can browse it using the Microsoft Purview Data Catalog.
- Sensitivity labels are applied only to the asset metadata in the Microsoft Purview Data Map and aren't applied to the actual files and database columns. These sensitivity labels don't modify your files and databases in any way.
Classifications vs sensitivity labels
What is the difference between classifications and sensitivity labels?
The following table lists the differences between classifications and sensitivity labels:
| Comparison | Classifications | Sensitivity labels |
|---|---|---|
| Definition | Classifications are regular expressions or patterns that can help identify data types that exist inside an asset. | Sensitivity labels are tags that allow organizations to categorize data based on business impact, while abstracting the type of data from the user. |
| Examples | Social Security Number, Drive license number, Bank account number, etc. | Highly confidential, Confidential, General, Public, etc. |
| Scope | The scope of classifications applied to an asset is limited to the Microsoft Purview Data Map where the classifications were applied. If the data moves to an asset managed by another Microsoft Purview Data Map, classifications applied in the original location aren't visible in the new location. | Sensitivity labels applied on an asset travel with the data no matter where the data goes. For example, this means that sensitivity labels applied to a file in Microsoft Purview Information Protection are automatically visible and remain applied to the file, even if it moves to Azure, SharePoint, or Teams. |
| Scan Process | Scanning an asset in the Microsoft Purview Data Map looks for both system-defined and user-defined (custom) classifications in your data. If found, classifications are added in the Microsoft Purview map for the scanned asset. | If you have sensitivity labels extended to the Microsoft Purview Data Map and autolabeling rules defined, scanning an asset in the Microsoft Purview Data Map applies the labels to assets in the catalog based on the classifications found in the scan. |
| Authoring environment | Custom classifications and classification rules can be created in the Microsoft Purview Governance Portal. You can also create custom classifications in Microsoft Purview Information Protection. However, we don't yet support importing them to the Microsoft Purview Data Map. | Manage sensitivity labels using the Microsoft Purview compliance portal. |
| Assignment Limits | Assets can have no classifications, or one or more classifications assigned. | Each asset can have only one sensitivity label. |
| Asset application workflow | You can use the Microsoft Purview Data Catalog to manually add or modify classifications that are assigned to an asset. | In the Microsoft Purview Data Map, sensitivity labels are automatically assigned to assets based on classifications found. Applying labels manually in the Microsoft Purview Data Map isn't currently supported. |
| More Information | Learn more about classifications. | Learn more about sensitivity labels. |
Are classifications and Sensitive Information Types (SITs) the same thing?
While classifications and SITs are fundamentally the same things, classifications are a Microsoft Purview Data Map concept and SITs are a Microsoft Purview Information Protection concept. Both classifications and SITs are used by their respective services to identify the type of data found in an asset.
Access and roles
Who can manage sensitivity labels in the Microsoft Purview compliance portal?
The following built-in admin roles include permissions to manage sensitivity labels in the compliance portal:
- Global Administrator
- Compliance Administrator
For more information, see Permissions required to create and manage sensitivity labels. After you have compliance and global administrators configured, those administrators can give access to individual users.
Who can search and browse assets with sensitivity labels in the Microsoft Purview Data Catalog?
All users with at least data reader access to the Microsoft Purview Data Map have permissions to search and browse assets with sensitivity labels in the data catalog.
Who can view the sensitivity label insights report in Microsoft Purview Data Estate Insights?
All users with the insights reader role and at least data reader permissions on applicable collections will have permissions to view sensitivity label insights reports in Microsoft Purview Data Estate Insights.
Technical details
Does the Microsoft Purview Data Map scan an entire asset when applying automatic labels to the database columns?
The Microsoft Purview scanner samples the data. For more information, see sampling data for classification and autolabeling.
If there are multiple sensitivity labels that meet the classification criteria, which label is applied?
Sensitivity labels have a priority 'order' and the Microsoft Purview Data Map uses this order to assign labels. If there are multiple labels meeting the classification criteria, the Microsoft Purview Data Map selects the label with the highest order.
For more information, see Label priority order matters.
SQL data discovery and classification
Why does Azure support two classification experiences for SQL databases – 'Microsoft Purview' and 'SQL data discovery and classification'?
Microsoft Purview provides a classification and labeling experience for all your Azure assets including SQL databases. Microsoft Purview is intended for organizations that want to manage their entire data estate in a single place with the power of classification, labeling, alerting, and more. Microsoft Purview uses sensitivity labels, which have a global scope and travel with your data no matter where it moves to or what it transforms into.
In contrast, SQL data discovery and classification is built into SQL. SQL data discovery and classification existed before Microsoft Purview as a way to provide basic capabilities for discovering, classifying, labeling, and reporting the sensitive data in your SQL databases. SQL data discovery and classification use local labels that don't have a global scope and don't support sensitivity labels.
For more information, see: