Solution Atlas
Everyday · User story · Consultative playbook

We have sensitive content everywhere and no consistent classification

A CISO is preparing for an audit and discovers the organisation has no consistent way of identifying its sensitive content. M&A documents, customer PII, and HR records live in SharePoint and OneDrive with no labels and no DLP coverage. The CISO has six months to demonstrate a defensible classification baseline.

Trigger
Audit prep; no consistent content classification.
Good outcome
Sensitivity label taxonomy live, DLP policies on key surfaces, automatic classification in pilot.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Audit preparation in 3–9 months
  • No tenant-wide content classification
  • Mixed sensitive content (M&A, PII, HR) on default-shared sites
  • DLP coverage minimal
  • Multiple definitions of "confidential" across teams

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. What's your current content classification baseline, if any?

    Why: Establishes baseline. Most customers have a pilot at best.

    Listen for: “no labels” · “pilot only” · “confidential-only”

  2. What's your audit timeline?

    Why: Forcing function shapes the programme cadence.

  3. Who decides what is sensitive — Legal, IT, content owners, or all three?

    Why: Ownership question. Without content-owner engagement, classification fails.

  4. What's your M365 baseline — E3, E5, mix?

    Why: E5 ships P2 (auto-classification); E3 needs the add-on.

  5. What's your DLP coverage today on the surfaces Copilot or business apps will see?

    Why: DLP and labelling work together. Surfaces the joint gap.

  6. Has Legal or Compliance produced a classification taxonomy proposal?

    Why: If yes, anchor on it. If no, the engagement starts there.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

No tenant-wide sensitivity labels. DLP minimal or pilot. Audit preparation manual and reactive. Sensitive content scattered across SharePoint, OneDrive, Teams without consistent classification.

Typical concerns

  • Sensitive content invisible to controls
  • M&A artefacts on default-shared sites
  • DLP catches a fraction of real leakage paths
  • Audit preparation consumes weeks of manual effort
  • Copilot or business-app readiness blocked

Capability gaps

  • Tenant-wide sensitivity labels
  • DLP across SharePoint, OneDrive, Teams
  • Automatic classification (P2)
  • Audit-defensible posture
  • Classification ownership by content owners

Target architecture

3-level sensitivity-label taxonomy (Public / Internal / Confidential) live tenant-wide. DLP policies applied to SharePoint, OneDrive, Teams. Automatic classification piloted on critical surfaces. Conditional Access ensures classified content is accessed under the right risk posture. Audit-defensible classification baseline ready for inspection.

Key capabilities

  • 3-level sensitivity taxonomy
  • DLP on SharePoint, OneDrive, Teams
  • Automatic classification in pilot
  • Conditional Access risk-aware
  • Audit-defensible posture

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1. Label taxonomy — 3-level lightweight vs 5+ level full

    3-level lightweight

    When it fits: Mid-size org with no prior labelling.

    Trade-offs: Less granular for highly regulated content.

    5+ level full

    When it fits: Regulated industry or M&A-heavy; matches existing classifications.

    Trade-offs: Harder to roll out; users mis-label without strong CoE.

    Default recommendation: 3-level lightweight. Add granularity in phase 2 if regulated content demands it.

  2. Decision 2. Auto-classification — pilot vs full rollout

    Pilot first

    When it fits: No prior labelling experience; need to tune classifiers.

    Trade-offs: Slower coverage; manual labelling continues in parallel.

    Full rollout

    When it fits: Mature labelling culture; classifiers already tuned.

    Trade-offs: Risk of mis-classification at scale.

    Default recommendation: Pilot on top 5 SharePoint sites; full rollout in phase 2.

  3. Decision 3. Licensing — E3 + Purview pieces vs uplift to E5

    E3 + Purview pieces

    When it fits: Tight budget; sensitivity labels are the focus.

    Trade-offs: Buying pieces costs more than E5 at scale.

    E5 uplift

    When it fits: Defender XDR or full Purview likely in 12 months.

    Trade-offs: Higher per-seat; some features go unused initially.

    Default recommendation: E5 if Defender XDR is on the 18-month roadmap; E3 + add-on otherwise.

Low-risk trial — proof of value

45-day Information Protection foundation

6 weeks

Taxonomy defined and approved by Legal. 3-level labels published. DLP applied to five priority SharePoint sites. Automatic classification pilot on one site. Conditional Access tuned for classified-content access. First audit-readiness report produced.

Success criteria

  • Taxonomy live with Legal approval
  • DLP policies operational on five sites without noise
  • Auto-classification accuracy above 80% on the pilot site
  • Audit-readiness report demonstrates coverage and control

Investment: Purview IP P1 included in E3; P2 features require add-on or E5. Estimated ~€2–3/user/month uplift for the add-on at trial scale.

Proof metrics

  • Classified content above 70% on the trial sites
  • DLP policy hit rate (legitimate, not noise) measurable
  • Audit-readiness score against control framework
  • Mean-time-to-classify new content under 1 day

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.
