Purview Information Protection
Key Takeaways
- Microsoft Purview Information Protection uses sensitivity labels to classify and protect email, documents, and Teams messages with encryption, watermarking, and access restrictions.
- Microsoft 365 Copilot honors sensitivity label permissions — it will not surface or summarize content above the requesting user's authorization level.
- Label policies publish labels to users; auto-labeling policies apply classification based on sensitive information types or trainable classifiers without manual effort.
- Purview Audit (Premium) retains Copilot prompt and response events for one year by default (180 days for Standard) and supports forensic investigation.
- Information Protection is the foundation for every other AB-900 governance control — DLP, retention, and Copilot exposure all depend on accurate classification.
Quick Answer: Microsoft Purview Information Protection classifies content with sensitivity labels that enforce encryption, watermarking, and access restrictions. Microsoft 365 Copilot honors those labels and will not surface content the signed-in user is not authorized to access.
Why This Domain Dominates AB-900
Data Protection and Governance for Microsoft 365 and Copilot is the largest AB-900 domain at 35–40% of scored content. Within it, Microsoft Purview Information Protection is the classification layer every other control builds on. If labels are missing or permissions are too broad, Data Loss Prevention (DLP), retention, and Copilot grounding all inherit the same exposure risk.
The AB-900 exam tests whether you understand what sensitivity labels do, how they publish to users, and — critically — how Copilot interacts with labeled content retrieved through Microsoft Graph and the semantic index.
Microsoft Purview as the Governance Hub
Microsoft Purview is the unified compliance and data governance platform for Microsoft 365. For AB-900, focus on the Information Protection workload:
| Capability | Purpose | Copilot relevance |
|---|---|---|
| Sensitivity labels | Classify and protect content | Copilot respects label-based access controls |
| Label policies | Publish labels to users and groups | Ensures consistent classification before AI rollout |
| Auto-labeling policies | Apply labels based on content | Scales protection without relying on user discipline |
| Encryption & rights management | Protect content wherever it travels | Limits who can open files Copilot might reference |
| Watermarking | Visual deterrence on sensitive docs | Discourages casual screenshot sharing of AI output |
On the Exam: Information Protection is about classification and access control, not retention duration. Retention labels live in Data Lifecycle Management — a different Purview workload tested in its own section.
Sensitivity Labels Explained
A sensitivity label is a classification tag applied to emails, documents, Teams messages, and meeting artifacts. Labels can be purely descriptive (for example, Internal) or enforce protection settings:
- Encryption — only authorized users or groups can open the content, even after download.
- Access restrictions — block external sharing or limit editing.
- Watermarking — overlay a visible mark such as Confidential – Contoso.
- Header/footer markings — remind recipients of handling requirements.
- Protection for containers — apply default labels to SharePoint sites, Teams, or groups.
Organizations typically define a label hierarchy such as Public → Internal → Confidential → Highly Confidential. The AB-900 scenario pattern is straightforward: a user asks Copilot to summarize a document labeled above their clearance. Copilot will not surface or summarize that content because label permissions are enforced at retrieval time.
Label Policies vs Auto-Labeling
Two publishing mechanisms appear frequently on the exam:
| Mechanism | Who acts | When labels apply |
|---|---|---|
| Label policy | User chooses from published labels | Manual classification at save/send time |
| Auto-labeling policy | Purview scans content | Automatic when sensitive info types or classifiers match |
Label policies make labels visible in Office apps, Outlook, SharePoint, and Teams so users can classify consistently. Auto-labeling policies scale governance by detecting patterns such as credit card numbers, health records, or custom trainable classifiers trained on sample documents.
For Copilot readiness, auto-labeling is high leverage: unlabeled overshared files are a primary source of unintended AI exposure. Labeling them before broad Copilot rollout reduces the blast radius.
How Copilot Respects Information Protection
Microsoft 365 Copilot retrieves organizational content through Microsoft Graph using the signed-in user's existing permissions. It does not bypass SharePoint, OneDrive, or Exchange access controls. Sensitivity labels add a second gate:
- User submits a prompt in Word, Teams, or Copilot Chat.
- Copilot queries the semantic index for conceptually relevant content.
- Graph returns only items the user can already access.
- If a matched item carries a label the user is not authorized to use, Copilot excludes it from the response.
This is why AB-900 stresses permissions plus labels together. A file might be technically accessible through a broken inheritance link and carry a Highly Confidential label — Copilot should still refuse to summarize it for unauthorized users.
Common Trap: Sensitivity labels do not make Copilot faster, translate content, or automatically write DLP rules. They govern access and protection. DLP is a separate Purview policy type.
Prompt Logging and Purview Audit
Governance also requires visibility. Prompt logging means capturing user prompts and Copilot responses in Microsoft Purview unified audit logs for compliance investigation — not the personal chat history a user sees in the Copilot interface.
| Audit tier | Default retention | Copilot-specific value |
|---|---|---|
| Audit (Standard) | 180 days | Basic activity events |
| Audit (Premium) | 1 year (10-year add-on available) | High-value Copilot interaction events and intelligent insights |
Compliance administrators search these logs in the Purview portal to investigate policy violations, respond to regulatory inquiries, and support eDiscovery holds. AB-900 may ask you to distinguish Viva Insights Copilot Dashboard (adoption metrics) from Purview Audit (forensic prompt capture).
Worked Scenario: Pre-Rollout Labeling
A healthcare tenant plans to enable Copilot for 2,000 clinicians. Compliance discovers thousands of SharePoint files containing patient identifiers with no classification. The correct sequence for an AB-900 mindset:
- Define sensitivity labels with encryption for PHI (Protected Health Information).
- Deploy auto-labeling detecting medical record sensitive information types.
- Run Data Access Governance reports to find overshared libraries.
- Enable Audit (Premium) so Copilot interactions are retained for investigations.
- Pilot Copilot with a labeled, permission-hardened subset before tenant-wide rollout.
Skipping step 1–3 and licensing Copilot immediately is the wrong answer — Copilot respects permissions, so overshared PHI becomes easier to discover through natural-language queries.
Study Checklist
- Explain sensitivity label protection scope and how Copilot honors label permissions.
- Differentiate Audit Standard vs Premium retention and Copilot event coverage.
How do Microsoft Purview sensitivity labels affect what Microsoft 365 Copilot can surface to a user?
What do sensitivity labels primarily control in Microsoft Purview Information Protection?
How does Microsoft Purview Audit (Premium) differ from Audit (Standard) for Copilot administrators?