AD4 — Data Protection Fundamentals
Identity is secured. Email is protected. Devices are compliant. The fourth layer is the data itself.
Your users create, share, and store sensitive data every day — client contracts in SharePoint, financial spreadsheets in OneDrive, HR documents attached to emails, engineering designs shared via Teams. Without data protection controls, any user with access can share any document with anyone — internally or externally — with no classification, no restrictions, and no audit trail. A single accidental share of a client contract to the wrong external address becomes a data breach. A departing employee downloads the entire client list to a USB drive. A user forwards an internal financial report to their personal email "to read at home."
Sensitivity labels solve this by classifying documents and emails with a visible label — Public, Internal, Confidential, Highly Confidential — that carries protection settings with it. A document labeled "Confidential" gets encrypted, watermarked, and restricted from external sharing. A document labeled "Internal" gets a visual marker but no encryption — appropriate for internal distribution but flagged if someone tries to share it externally.
DLP (Data Loss Prevention) policies add automated guardrails: if a user tries to email a document containing credit card numbers or national insurance numbers to an external recipient, DLP blocks the send and shows the user a policy tip explaining why. If someone tries to share a SharePoint folder externally that contains files labeled "Confidential," DLP blocks the share.
Your E3 license includes manual sensitivity labeling in Office apps and basic DLP for Exchange Online, SharePoint, and OneDrive. This module deploys both — giving your organization data classification, visual marking, encryption for sensitive content, and automated prevention of data loss through email and file sharing.
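The DLP guardrail described above (card or national insurance numbers sent to an external recipient) can be expressed in Security & Compliance PowerShell. This is an added example, not part of the course material. It assumes the ExchangeOnlineManagement module and a compliance administrator role, and the policy name, rule names and policy tip text are hypothetical.

```powershell
# Added example: audit-first DLP policy for card / NI numbers leaving the org.
# Names and tip text below are hypothetical; adjust them to your tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'AD4-Example-External-PII'   # hypothetical policy name
$types = 'Credit Card Number', 'U.K. National Insurance Number (NINO)'

# Fail early if a sensitive information type name does not exist in the tenant.
foreach ($type in $types) {
    Get-DlpSensitiveInformationType -Identity $type -ErrorAction Stop | Out-Null
}

# Setting to avoid on day one: -Mode Enable, which enforces the block before
# you have seen the false-positive rate.
# Audit-first setting: matches are logged and policy tips are shown,
# but the block action is not enforced.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Audit-first: card and NI numbers shared outside the organization' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# One rule per type, so a match on either type alone triggers its rule.
foreach ($type in $types) {
    New-DlpComplianceRule -Name "$policyName - $type" `
        -Policy $policyName `
        -ContentContainsSensitiveInformation @{ Name = $type; minCount = '1' } `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser Owner `
        -NotifyPolicyTipCustomText "This content appears to contain a $type. Sharing it outside the organization is restricted."
}

# Confirm what was created and that the policy is still in test mode.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, DistributionStatus
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, AccessScope, BlockAccess

# Once the audit results look right, switch from test mode to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

While the policy is in TestWithNotifications mode, users see the policy tip but the send or share still goes through, which is what makes the match data safe to collect before enforcement.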
What you will learn
- Why data protection is the fourth priority (after identity, email, and devices)
- Designing a sensitivity label taxonomy that users actually adopt (not a 15-label nightmare)
- Creating and publishing sensitivity labels in the Microsoft Purview portal
- Configuring label protection: encryption, watermarks, headers, and content marking
- Default labeling: ensuring every new document starts with a label
- SharePoint external sharing controls that prevent oversharing
- Building your first DLP policies for email and SharePoint (audit-first deployment)
- DLP policy tips: educating users at the moment they almost make a mistake
- Monitoring label adoption and DLP policy matches
- Reporting data protection to management
Subsections
AD4.1 Why Data Protection Is the Fourth Priority · AD4.2 Designing Your Sensitivity Label Taxonomy · AD4.3 Creating and Publishing Sensitivity Labels · AD4.4 Label Protection: Encryption, Marking, and Restrictions · AD4.5 Default Labels and Mandatory Labelling · AD4.6 SharePoint External Sharing Controls · AD4.7 Building Your First DLP Policies · AD4.8 DLP Policy Tips and User Education · AD4.9 Monitoring Labels and DLP · AD4.10 Reporting Data Protection to Management · AD4.11 Interactive Lab: Data Protection Deployment · AD4.12 Module Summary · AD4.13 Check My Knowledge
You're reading the free modules of M365 Security: From Admin to Defender