2.3 Sensitivity Labels & Endorsement
Key Takeaways
- Sensitivity labels come from Microsoft Purview Information Protection and classify items (e.g., Confidential); they do not by themselves restrict who can open an item.
- Sensitivity labels can persist with exported data (Excel, PDF) and can enforce downstream protection like encryption, but access is still controlled by RLS/CLS/OLS and permissions.
- Endorsement is a trust signal: Promoted means a creator recommends the item; Certified means a designated reviewer has formally validated it.
- Only authorized users (set by an admin) can apply the Certified endorsement; any contributor can Promote.
- Endorsement and labels are governance metadata — they do not deploy content or grant permissions.
Classification Is Not Access Control
Quick Answer: A sensitivity label (from Microsoft Purview Information Protection) classifies an item — for example, marks a semantic model as Confidential — and can enforce protections like encryption on exported data. It does not decide who can open the item; that is still done by permissions and RLS/CLS/OLS. Endorsement marks trust level: Promoted = recommended by a creator; Certified = formally reviewed and approved.
The common exam trap is treating a sensitivity label as a security boundary. It is governance metadata with optional protection, not a replacement for permissions.
Sensitivity Labels (Microsoft Purview)
- Defined centrally in Microsoft Purview; applied to Fabric items such as semantic models, reports, lakehouses, and notebooks.
- Travels with the data: when a labeled report's data is exported to Excel or PDF, the label (and any associated encryption) goes with the file.
- Can enforce protection (encryption, usage restrictions) through the label policy, but access to the Fabric item itself is still governed by workspace/item permissions and data-level security.
- Supports inheritance and downstream flow so derived items can keep the source classification.
Endorsement: Promoted vs Certified
Endorsement helps consumers find trustworthy content in a workspace full of items.
| Endorsement | Meaning | Who Can Apply |
|---|---|---|
| (None) | No trust signal | n/a |
| Promoted | A creator recommends this item as ready to use | Any user with write/Contributor access to the item |
| Certified | The item has been formally reviewed and validated against organizational standards | Only users authorized by a Fabric admin (a controlled list) |
Key distinctions tested on the exam:
- Certified is gated. Not everyone can certify; an administrator defines who may apply the Certified endorsement. Promotion is open to item authors.
- Endorsement is not deployment. Endorsing an item does not move it between workspaces — that is a deployment pipeline's job.
- Endorsement is not security. A Certified model is still subject to RLS/CLS/OLS and permissions; certification just signals quality and trust.
Putting It Together
A mature governance posture often combines all three: a Certified enterprise semantic model, labeled Confidential via Purview, and protected by RLS so each region sees only its rows. Each layer answers a different question — Is it trustworthy? (endorsement), How sensitive is it? (label), Who sees which data? (RLS/CLS/OLS and permissions).
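The three questions above can be checked independently in a governance review. The following is an added example, not part of the original guide and not a Fabric or Purview API: it audits a constructed item inventory, and every field name, group name, and finding code in it is a hypothetical assumption.

```python
# Constructed sample data. Field names are hypothetical, not a Fabric or Purview schema.
AUTHORIZED_CERTIFIERS = {"governance@contoso.example"}
SENSITIVE_LABELS = {"Confidential"}
BROAD_GROUPS = {"all-employees"}

ITEMS = [
    {"name": "Finance Enterprise Model", "label": "Confidential",
     "endorsement": "Certified", "endorsed_by": "governance@contoso.example",
     "rls_roles": ["EMEA", "AMER"], "viewers": {"finance-analysts"}},
    {"name": "Finance Scratch Model", "label": "Confidential",
     "endorsement": "Promoted", "endorsed_by": "author@contoso.example",
     "rls_roles": [], "viewers": {"all-employees"}},
    {"name": "Sales Model", "label": None,
     "endorsement": "Certified", "endorsed_by": "author@contoso.example",
     "rls_roles": ["Region"], "viewers": {"sales-team"}},
]


def audit_item(item):
    """Return finding codes; each governance layer is checked on its own."""
    findings = []
    sensitive = item["label"] in SENSITIVE_LABELS
    # How sensitive is it? A label only classifies, so access is checked separately.
    if sensitive and item["viewers"] & BROAD_GROUPS:
        findings.append("SENSITIVE_LABEL_BROAD_ACCESS")
    if sensitive and not item["rls_roles"]:
        findings.append("SENSITIVE_LABEL_NO_RLS")
    # Is it trustworthy? Certified should trace back to an authorized reviewer.
    if item["endorsement"] == "Certified":
        if item["endorsed_by"] not in AUTHORIZED_CERTIFIERS:
            findings.append("CERTIFIED_BY_UNLISTED_USER")
        # Certification says nothing about sensitivity, so a label is still needed.
        if item["label"] is None:
            findings.append("CERTIFIED_BUT_UNLABELED")
    return findings


def audit(items):
    """Map item name -> findings, keeping only items with at least one finding."""
    report = {i["name"]: audit_item(i) for i in items}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(ITEMS).items():
        print(f"{name}: {', '.join(findings)}")
```

The second item shows the exam trap in data form: it carries the Confidential label yet is readable by a broad group with no RLS roles defined.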
An organization wants consumers to immediately recognize the single authoritative finance semantic model among dozens in a workspace, and wants assurance it was formally reviewed by the data governance team before it carries that status. Which action achieves this?