How Data Sensitivity Labels Enhance Security in Microsoft Fabric
You must keep your analytics environment safe. Data Sensitivity Labels in Microsoft Fabric help you sort and protect sensitive information. Only the right people can see it. When you use these labels, you get strong tools to follow rules like GDPR and HIPAA. With Microsoft Purview, you can:
Put labels on datasets, reports, and dashboards.
Make automatic rules for personal, financial, or secret data.
Block sharing by people who should not share with data loss prevention.
These steps help you lower risks and keep your data safe every day.
Key Takeaways
Data Sensitivity Labels help keep important data safe. They control who can see, share, or change data in Microsoft Fabric.
These labels add strong security like encryption. They stop people from sharing data if they should not. The labels keep data safe even when you export it.
You can put on labels by hand or use automatic rules. This helps protect sensitive information without extra work.
Microsoft Purview works with sensitivity labels. It tracks how data is used and enforces rules. It also helps follow laws.
Labels stay with your data as it moves. Admins can manage and watch the labels. This helps stop leaks and mistakes.
Data Sensitivity Labels Overview
What Are Sensitivity Labels
You use sensitivity labels to help keep important data safe in Microsoft Fabric. These labels are like digital stickers that show how to treat different information. When you add a sensitivity label, you decide who can see, share, or change the data.
Tip: Sensitivity labels do more than just mark data. They help you control who gets in, add encryption, and set limits on use.
Here is how sensitivity labels are not the same as other ways to sort data in Microsoft Fabric:
Sensitivity labels do more. They let you set rules, like adding encryption or stopping sharing.
You can use sensitivity labels on many kinds of data, like Office files, emails, Power BI datasets, and Azure Data Lake Storage.
Sensitivity labels can be added automatically if the content matches certain rules.
Classifications help you find and report data, but sensitivity labels help you protect and control it.
For example, if you label a column as Confidential, you can encrypt it and choose who can see it. Classifications only tag the type of data but do not protect it.
Core Security Benefits
When you use Data Sensitivity Labels, you get strong security for your data in Microsoft Fabric. These labels help you:
Decide who can see, share, or export data, both inside and outside your group.
Protect data with encryption and stop actions like copying, printing, or sending.
Make sure sensitive data stays safe as it moves through different places and files.
Help you follow rules by showing how private the data is.
Stop data loss or leaks by blocking people who should not get in or share.
Give admins a clear way to watch and control data with Microsoft Purview, so it is easier to check and track data use.
You can add these labels by hand or set up rules to do it for you. This way, you make sure sensitive data always gets the right protection.
Security Benefits
Access Control
Data Sensitivity Labels help you control who can use your data. You add a label to set rules for who gets in. Only people with the right permissions can open or export reports. This keeps private information safe from people who should not see it.
Sensitivity labels stop sharing with people outside your group.
You can make rules so only certain users or devices get access.
Labels can go on data like financial records or social security numbers by themselves.
You can ask for approval before anyone shares sensitive data outside your team.
Audit trails show who tries to use or share labeled data, so you can spot problems.
These controls make sure only trusted people work with your sensitive data. This lowers the chance of leaks or mistakes.
Encryption and Protection
Sensitivity labels use strong encryption to keep your data safe. Encryption protects your data when it is stored or sent to others.
Microsoft Fabric encrypts all data in OneLake by default.
You can add more encryption with your own keys in Azure Key Vault.
Data moving in Microsoft Fabric is always encrypted on Microsoft’s networks.
Sensitivity labels add encryption to files, emails, and meeting invites with Azure Rights Management.
Labels also put watermarks and stop copying or forwarding sensitive content.
If you label a Power BI file, the protection stays with the file. Your data stays safe, even if someone tries to share it outside your group.
Note: A super user feature lets special staff check and recover encrypted data if needed. This helps you stay in control, even in special cases.
Compliance Support
Data Sensitivity Labels help you follow rules for data protection. Microsoft Fabric supports security frameworks like zero-trust, audit trails, and detailed permissions. These features help you show you follow laws like GDPR, SOX, and HIPAA.
Real-world use shows up to 43% fewer sensitive data problems after using sensitivity labels.
Microsoft Purview helps automate labeling and makes audits easier.
You get tracking and policy checks, so you can fix risks fast.
Audit logs and activity checks help with compliance and investigations.
Microsoft Fabric supports many certifications, but sensitivity labels mostly help you protect data and show you follow best practices. These tools make compliance easier and help you avoid mistakes.
Implementation Steps
Enabling Sensitivity Labels
You must set up your system before using sensitivity labels in Microsoft Fabric. First, check if your admin has turned on sensitivity labels in the Fabric admin portal. Here is how you can begin:
Ask your tenant admin to open the Fabric admin portal.
In the portal, look for the Information protection area.
Switch on the setting that lets users use sensitivity labels.
Make sure your Purview account links to Microsoft Information Protection. This lets Purview use and read labels.
Check if you have the right licenses. You need an Azure Information Protection Premium P1 or P2 license. If you want to label Power BI or Fabric items, you also need a Power BI Pro or Premium Per User license.
Tip: If you cannot find the option for sensitivity labels, your admin might need to turn on Microsoft Information Protection integration in Purview.
Applying Data Sensitivity Labels
After setup, you can start putting labels on your data. You can do this in two ways: by hand or automatically.
Go to your workspace or the OneLake data hub.
Find the item you want to label, like a report or dataset.
Click the three dots (⋯) next to the item.
Choose Settings or Sensitivity.
Pick a label from the list.
Click Apply to save.
You can also open a report, go to File > Settings, and pick a sensitivity label there.
Automatic Labeling:
Admins can make auto-labeling rules in Microsoft Purview. These rules look for sensitive things, like credit card numbers, and add the right label for you. Auto-labeling works in Microsoft 365 services, like SharePoint, OneDrive, and Teams. In Fabric, you can also use label inheritance, so new items get the same label.
Note: If a label is added automatically, workspace admins can change it if needed. This keeps your labels flexible.
Supported Items
You can use sensitivity labels on many things in Microsoft Fabric. Here are the items that support labels:
Dashboards
Semantic models (datasets)
Dataflows
Notebooks
Lakehouses
Warehouses
Paginated reports
.pbix files
The OneLake catalog shows the sensitivity label for each item. This helps you know which data is protected. Using Data Sensitivity Labels helps stop leaks and keeps your data safe, even when you export it.
Tip: Microsoft Purview lets you watch and manage all your sensitivity labels. You can see audit logs and check how labels are used in your group.
Management and Enforcement
Label Propagation
When you use Data Sensitivity Labels in Microsoft Fabric, the labels stay with your data. If you mark a dataset as "Confidential," the label goes with it to Power BI or Excel. The label and its rules follow the data everywhere. This helps you keep control over your data.
New datasets made with Direct Lake or import modes get labels by themselves.
You can see labels in Microsoft Purview to track and manage them.
Note: Label propagation has some limits. Downstream inheritance works for only 80 items. Labels do not move to classic workspaces or through live connections. Only My Workspace and V2 workspaces let you use full label inheritance.
Enforcement Policies
You can make enforcement policies to control who sees or changes labeled data. These rules help protect sensitive information and meet compliance needs.
Protection policies pick which users or groups can read or edit labeled items.
If someone is not on the list, they cannot get to the data. The person who set the label always keeps access.
You can let only your company see "Confidential" items or let just the finance team edit financial data.
Purview security teams make these policies. You need the right Microsoft 365 licenses and admin roles.
Each policy can have up to 100 users or groups, and you can make up to 50 policies.
Tip: Policies may take up to 30 minutes to start working. Guest users cannot use mandatory labeling.
Integration with Purview
Microsoft Purview helps you manage and enforce sensitivity labels for your data. You can see all labeled items, track changes, and get alerts if someone tries to break the rules.
Purview works with Microsoft Defender for Cloud to give you alerts and tips.
You can put data into different lakehouses. This makes it easier to use and manage labels at the lakehouse level.
Putting data in different lakehouses also helps you control who can use it and how much you can store.
Using Purview with Data Sensitivity Labels gives you a strong way to protect and manage your data at scale.
You can make your data safer in Microsoft Fabric with sensitivity labels. These labels help you choose who can see or use your data. They also add encryption and let you watch how data is used. Microsoft Purview helps you see and protect sensitive information automatically. In real life, this means fewer audit problems and quicker checks for rules. To get the best results, work with your teams, make clear rules, and change your plan when you need to.
FAQ
How do you remove a sensitivity label from a dataset?
Find your dataset in Microsoft Fabric. Click the three dots (⋯) next to it. Pick Sensitivity from the menu. Choose None or the default label. Click Apply to finish. Only people with permission can do this.
Can you apply sensitivity labels to existing reports?
Yes, you can add a label to an old report. Open your report and go to File > Settings. Pick a sensitivity label from the list. Click Apply to protect your report right away.
What happens if you export labeled data?
If you export labeled data, the sensitivity label stays with the file. For example, if you export to Excel, the label goes with it. This keeps your data safe even outside Microsoft Fabric.
Do sensitivity labels slow down your reports?
No, sensitivity labels do not make your reports slower. They add security but do not change how fast your data loads or updates.
Who can see or change sensitivity labels?
Only people with the right permissions can see or change sensitivity labels. Usually, admins or data owners manage the labels. Regular users can see labels but cannot change them unless they get access.