Understanding Information Governance
Information governance is the set of policies and controls that determine how content is classified, protected, retained, and eventually disposed of across its lifecycle. In SharePoint and the broader Microsoft 365 ecosystem, governance is largely implemented through the Microsoft Purview compliance portal, using sensitivity labels to classify and protect content, retention labels and policies to control how long content must (or can) be kept, and Data Loss Prevention (DLP) policies to stop sensitive information from leaving controlled boundaries. Rather than relying on individual users to remember rules, these controls are applied centrally and travel with the content, so a document is governed the same way whether it lives in a SharePoint library, a Teams channel, or an email attachment.
Cricket analogy: It's like the ICC's anti-corruption and code-of-conduct framework travelling with every player regardless of which tournament they're in—an IPL match and a World Cup match are governed by the same core rules, rather than relying on each individual player to remember what's allowed.
Sensitivity Labels and Classification
Sensitivity labels (configured in Microsoft Purview and published to users through label policies) classify content such as 'Public,' 'Internal,' 'Confidential,' or 'Highly Confidential – Restricted.' A label can be applied manually by the user in the ribbon, automatically based on detected sensitive information types (like credit card numbers or a custom pattern for employee IDs), or recommended to the user with a prompt. Beyond classification, labels can enforce protection: encrypting the file, applying a visual watermark or header/footer, restricting who can open, edit, print, or forward it, and even blocking external sharing entirely for the most restrictive label. Because the label is embedded in the file itself, protection persists even if the document is downloaded and emailed outside SharePoint.
Cricket analogy: A sensitivity label is like the classification of a match itself—an intra-squad practice game is 'Internal,' a bilateral series is 'Confidential' with limited broadcast rights, and an ICC final carries the tightest restrictions on who can film or distribute footage, with those rules holding even if footage leaves the stadium.
Data Loss Prevention Policies
DLP policies scan content in SharePoint, OneDrive, Teams, and Exchange for sensitive information types—patterns like credit card numbers, national ID numbers, or custom keyword lists—and take an action when a match is found: warn the user with a policy tip, block external sharing while allowing internal access, or block access entirely pending an override justification. Unlike sensitivity labels, which a user (or an automatic rule) applies at the point of creation or edit, DLP policies run continuously in the background, scanning existing content at rest as well as content in motion, which means a file uploaded before a DLP policy existed will still get caught the next time the policy scan runs.
Cricket analogy: DLP is like the stadium's continuous pitch-monitoring system that checks for tampering not just when the pitch is prepared but throughout the match, flagging an issue even if it wasn't there at the start, unlike a one-time pitch inspection before play begins.
Sensitivity labels and DLP policies solve different problems and are often needed together. A label alone doesn't stop someone from emailing a 'Confidential' file to a personal address unless the label's protection settings explicitly restrict that, or a DLP policy separately blocks it. Relying on labels for classification but assuming DLP will automatically enforce behavior (or vice versa) is a common governance gap—always test the end-to-end scenario, not just the individual control.
Governance also extends to who can create sites and what they look like structurally, through site provisioning policies, and to naming and metadata consistency through managed metadata and content types defined in the Content Type Hub. A mature governance program typically pairs technical controls (labels, DLP, retention) with a documented policy—who owns which site, what the default sharing posture is, how long inactive sites are reviewed before archival—because technology alone can't decide business intent; it can only enforce a decision that's already been made.
Cricket analogy: It's like a cricket board pairing the technical anti-corruption monitoring system with an actual documented code of conduct that spells out what counts as a violation—the monitoring tech can only flag what the policy has already defined as out of bounds.
# Apply a sensitivity label to files in a document library and check retention label assignment using PnP + Purview cmdlets
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/FinanceHub" -Interactive
# List available sensitivity labels published to the tenant
Get-Label | Select-Object Name, DisplayName, Priority
# Apply a retention label to a document library so items are auto-flagged for review after 7 years
Set-PnPRetentionLabel -List "Contracts" -Label "7-Year-Retention"
# Query which files currently carry a specific retention label, useful for a governance audit
Get-PnPListItem -List "Contracts" -Query "<View><Query><Where><Eq><FieldRef Name='_ComplianceTag'/><Value Type='Text'>7-Year-Retention</Value></Eq></Where></Query></View>"- Information governance covers how content is classified, protected, retained, and disposed of across its lifecycle.
- Sensitivity labels classify content and can enforce protection (encryption, sharing restrictions) that travels with the file.
- DLP policies continuously scan content for sensitive information types and act on matches, at rest and in motion.
- Labels and DLP solve different problems and often need to be configured together to close governance gaps.
- Site provisioning policies and managed metadata extend governance to structural and taxonomy consistency.
- Technical controls enforce decisions; a documented governance policy is what actually defines those decisions.
- Purview's compliance portal is the central place most Microsoft 365 governance controls are configured and monitored.
Practice what you learned
1. What is a key difference between how sensitivity labels and DLP policies are applied to content?
2. Why might a document leak despite having a 'Confidential' sensitivity label applied?
3. Where are sensitivity labels, DLP policies, and retention labels primarily configured in Microsoft 365?
4. What does it mean that DLP scans content 'at rest' in addition to 'in motion'?
5. Why do mature governance programs pair technical controls like labels and DLP with a documented organizational policy?
Was this page helpful?
You May Also Like
Retention and Compliance
How retention labels, retention policies, and eDiscovery work in SharePoint to keep content for as long as required and defensibly dispose of it afterward.
Permission Levels and Groups
How SharePoint controls who can do what on a site through permission levels, SharePoint groups, and inheritance.
Site Provisioning
How new SharePoint sites get created, templated, and governed at scale, from self-service creation to automated provisioning pipelines.
Related Reading
Related Study Notes in Programming
Browse all study notesApache Spark Study Notes
Programming · 30 topics
ProgrammingApache Flink Study Notes
Programming · 30 topics
ProgrammingHadoop Study Notes
Programming · 30 topics
ProgrammingSnowflake Study Notes
Programming · 30 topics
ProgrammingApache Airflow Study Notes
Programming · 30 topics
Programmingdbt (Data Build Tool) Study Notes
Programming · 30 topics