10.1 Data Classification Foundations
Key Takeaways
- Data classification is a Microsoft Purview topic in the SC-900 compliance solutions domain.
- Classification helps an organization reason about what data it has before it applies governance controls.
- Classification is different from labeling, DLP, retention, eDiscovery, and audit, even though those controls can use data awareness.
- SC-900 classification questions usually ask for recognition, not detailed rule configuration.
Why Classification Comes First
Data classification is the Microsoft Purview topic that deals with identifying and organizing data by type, sensitivity, or business meaning. It matters for SC-900 because many compliance tasks start with a basic question: what data does the organization have? Before a team can label, protect, retain, discover, or audit information, it needs visibility into the data landscape.
Classification is not the same as every downstream control. A data loss prevention policy may use knowledge about sensitive data, but the policy goal is prevention. A sensitivity label may classify and protect content, but the label is the applied governance marker. Retention tells the organization how long information should be kept or managed. eDiscovery and audit support investigation and discovery scenarios. Classification is the awareness layer that helps those choices make sense.
| Purview topic | Main SC-900 idea | Common exam clue |
|---|---|---|
| Data classification | Identify or organize data by category or sensitivity | Understand what data exists |
| Sensitivity labels | Apply a label for information protection and governance | Mark content as confidential or sensitive |
| Data loss prevention | Help prevent inappropriate sharing or exposure | Stop sensitive information from leaving |
| Retention | Manage how long information should be kept | Keep or manage records over time |
The exam will not expect a candidate to design a complete data taxonomy. It is more likely to ask which Microsoft Purview capability fits a need to classify data or identify sensitive information. If the scenario says the organization first needs to discover where sensitive content exists, classification language is a strong clue. If it says the organization must block sharing, move to data loss prevention. If it says the organization must keep records, move to retention and records management.
Classification also helps prevent a common wrong answer: choosing a threat detection product for a data governance problem. Microsoft Defender products are important for security protection and detection, but a prompt about discovering, classifying, labeling, retaining, or auditing information belongs in Microsoft Purview. Microsoft Sentinel is also a poor fit unless the scenario is about SIEM, SOAR, analytics, incidents, hunting, or automation.
Use this reading sequence:
- Identify whether the question is about data visibility, data protection, data lifecycle, or investigation.
- Choose data classification when the need is to understand or categorize data.
- Choose labels when the need is to apply a visible or policy-based classification marker.
- Choose DLP when the need is to reduce risky sharing or movement of sensitive information.
- Choose eDiscovery or audit when the need is to search, review, or investigate.
A classification question is often the beginning of a governance workflow. The organization learns what data it has, then decides whether labels, DLP policies, retention controls, or investigation tools are needed. Keeping that workflow in order makes Purview questions easier.
A company wants to identify and organize sensitive data before choosing protection controls. Which Microsoft Purview topic best fits?
Which need most directly points to data classification rather than data loss prevention?
Why is Microsoft Purview the right family for data classification questions?