Solution Atlas
EverydayUser storyConsultative playbook

We have sensitive content everywhere and no consistent classification

The CISO is preparing for an audit and finds the company has no consistent way of identifying its sensitive content. Merger documents, customer personal data, and HR records sit in SharePoint and OneDrive without labels and without rules to block risky sharing. The CISO has six months to show a defensible classification baseline.

Trigger
Audit preparation; no consistent content classification.
Good outcome
Every document is labelled at the right sensitivity level, automatically where possible. Risky sharing is blocked or warned on, and the auditor sees a working classification programme instead of a list of hopes.
Discovery — signals and questions

Signals validating this story

  • ·Audit preparation in 3–9 months
  • ·No tenant-wide content classification
  • ·Mixed sensitive content (M&A, PII, HR) on default-shared sites
  • ·DLP coverage minimal
  • ·Multiple definitions of "confidential" across teams

Discovery questions

  1. 1.What's your current content classification baseline, if any?

    WhyEstablishes baseline. Most customers have a pilot at best.

    Listen for: “no labels” · “pilot only” · “confidential-only”

  2. 2.What's your audit timeline?

    WhyForcing function shapes the programme cadence.

  3. 3.Who decides what is sensitive — Legal, IT, content owners, or all three?

    WhyOwnership question. Without content-owner engagement, classification fails.

  4. 4.What's your M365 baseline — E3, E5, mix?

    WhyE5 ships P2 (auto-classification); E3 needs the add-on.

  5. 5.What's your DLP coverage today on the surfaces Copilot or business apps will see?

    WhyDLP and labelling work together. Surfaces the joint gap.

  6. 6.Has Legal or Compliance produced a classification taxonomy proposal?

    WhyIf yes, anchor on it. If no, the engagement starts there.

Baseline architectureTarget architecture
Baseline architecture

No tenant-wide sensitivity labels. DLP minimal or pilot. Audit preparation manual and reactive. Sensitive content scattered across SharePoint, OneDrive, Teams without consistent classification.

Typical concerns

  • ·Sensitive content invisible to controls
  • ·M&A artefacts on default-shared sites
  • ·DLP catches a fraction of real leakage paths
  • ·Audit preparation consumes weeks of manual effort
  • ·Copilot or business-app readiness blocked

Capability gaps

  • ·Tenant-wide sensitivity labels
  • ·DLP across SharePoint, OneDrive, Teams
  • ·Automatic classification (P2)
  • ·Audit-defensible posture
  • ·Classification ownership by content owners
Target architecture

3-level sensitivity-label taxonomy (Public / Internal / Confidential) live tenant-wide. DLP policies applied to SharePoint, OneDrive, Teams. Automatic classification piloted on critical surfaces. Conditional Access ensures classified content is accessed under the right risk posture. Audit-defensible classification baseline ready for inspection.

Key capabilities

  • 3-level sensitivity taxonomy
  • DLP on SharePoint, OneDrive, Teams
  • Automatic classification in pilot
  • Conditional Access risk-aware
  • Audit-defensible posture
Architecture decisions
  1. 1.Label taxonomy — 3-level lightweight vs 5+ level full

    3-level lightweight

    Fits whenMid-size org with no prior labelling.

    Trade-offsLess granular for highly regulated content.

    5+ level full

    Fits whenRegulated industry or M&A-heavy; matches existing classifications.

    Trade-offsHarder to roll out; users mis-label without strong CoE.

    Default recommendation3-level lightweight. Add granularity in phase 2 if regulated content demands it.

  2. 2.Auto-classification — pilot vs full rollout

    Pilot first

    Fits whenNo prior labelling experience; need to tune classifiers.

    Trade-offsSlower coverage; manual labelling continues in parallel.

    Full rollout

    Fits whenMature labelling culture; classifiers already tuned.

    Trade-offsRisk of mis-classification at scale.

    Default recommendationPilot on top 5 SharePoint sites; full rollout in phase 2.

  3. 3.Licensing — E3 + Purview pieces vs uplift to E5

    E3 + Purview pieces

    Fits whenTight budget; sensitivity labels are the focus.

    Trade-offsBuying pieces costs more than E5 at scale.

    E5 uplift

    Fits whenDefender XDR or full Purview likely in 12 months.

    Trade-offsHigher per-seat; some features go unused initially.

    Default recommendationE5 if Defender XDR is on the 18-month roadmap; E3 + add-on otherwise.

Low-risk trial — proof of value

45-day Information Protection foundation

~6 weeks

Taxonomy defined and approved by Legal. 3-level labels published. DLP applied to five priority SharePoint sites. Automatic classification pilot on one site. Conditional Access tuned for classified-content access. First audit-readiness report produced.

Success criteria

  • Taxonomy live with Legal approval
  • DLP policies operational on five sites without noise
  • Auto-classification accuracy above 80% on the pilot site
  • Audit-readiness report demonstrates coverage and control

InvestmentPurview IP P1 included in E3; P2 features require add-on or E5. Estimated ~€2–3/user/month uplift for the add-on at trial scale.

Proof metrics

  • ·Classified content above 70% on the trial sites
  • ·DLP policy hit rate (legitimate, not noise) measurable
  • ·Audit-readiness score against control framework
  • ·Mean-time-to-classify new content under 1 day

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Back to Information protection