In today's digital landscape, protecting sensitive information is paramount for organizations. Microsoft Purview Information Protection provides robust tools for classifying, labelling, and protecting files across endpoints. This includes sensitivity labels that help enforce data loss prevention (DLP) policies on devices like laptops and desktops. Endpoint DLP integrates with these classifications to monitor, audit, and block unauthorized actions, such as copying sensitive data to external drives or sharing via email.
This article explores key aspects of file classifications, supported file types for labeling and encryption, exclusions, and best practices for implementation using the Microsoft Purview Information Protection client and File Labeler.
What is File Classification in Microsoft Purview?
File classification involves applying sensitivity labels to documents and files based on their content, such as "Confidential," "Internal," or "Public." These labels can trigger automatic protections like encryption, access restrictions, or visual markings (e.g., watermarks or headers). On endpoints, this is enforced through the Information Protection client, which scans and applies labels in real-time or via scheduled tasks.
Endpoint DLP extends this by preventing data exfiltration. For instance, if a user attempts to upload a file labeled "Highly Confidential" to an unapproved cloud service, DLP policies can block the action and notify administrators. This integration is crucial for compliance with regulations like GDPR, HIPAA, or CCPA.
Supported File Types for Labeling Without Encryption
The Information Protection client allows labeling certain file types without applying encryption. This is useful for scenarios where visibility and auditing are prioritized over full protection. Supported formats include:
Adobe Portable Document Format: .pdf
Microsoft Project: .mpp, .mpt
Microsoft Publisher: .pub
Microsoft XPS: .xps, .oxps
Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi, .png, .tif, .tiff
Autodesk Design Review 2013: .dwfx
Adobe Photoshop: .psd
Digital Negative: .dng
Microsoft Office Files (including 97-2003 formats and Office Open XML) [table of Office extensions not reproduced]
These formats can be labeled directly, enabling DLP policies without altering the file's usability for authorized users.
Encryption Levels and Supported File Types
The client supports encryption at two levels: native encryption (integrated with the file format) and generic encryption (applied to any other file type, which changes the extension). Generic encryption renames the file extension to .pfiletype (e.g., .docx becomes .pdocx), which may require reconfiguring firewalls, proxies, or security software to recognize these new extensions.
Supported File Types for Native Encryption
Native encryption is seamless for the following formats, preserving compatibility where possible: [table of natively supported file types not reproduced]
When encryption is applied, files remain editable in supported applications, but access is restricted based on the label's permissions.
Excluded File Types for Classification and Labeling
Not all files can be classified or labeled by the client. The following extensions are explicitly excluded to avoid conflicts or instability: [table of excluded extensions not reproduced]
These are typically system, executable, or temporary files where labeling could interfere with operations.
Special Considerations for Protection
Example: when you apply password protection to a classified document, DLP treats it as an unclassified document. A classified Word file should already have access control through its label, so adding password protection is not necessary unless the labeled document is left unprotected by label access controls.
File Extension Changes: When protection alters the extension (e.g., "capture.png" becomes "capture.ppng"), the original file is replaced in File Explorer with a new one displaying a lock icon. This visual cue helps users identify protected content.
Microsoft Purview Information Protection File Labeler
The File Labeler is a powerful tool for bulk operations, supporting protection for Office documents, PDFs, images, text files, and more. When labeling a folder, all files and subfolders are automatically selected for the configured options. However, future files in those folders won't inherit the settings automatically—a manual or policy-based application is needed.
Key notes
Protection may change file extensions, as mentioned earlier.
To remove protection, you must be the file owner or have Export or Full Control permissions in Rights Management.
This labeler integrates seamlessly with endpoint DLP, allowing admins to enforce policies like blocking USB transfers of labeled files.
When configuring Endpoint DLP, it is essential to ensure that the correct DLP settings are applied. You can choose to either allow service domains or block service domains based on your requirements. However, the recommended approach is to allow Microsoft service domains along with any other required service domains. This ensures that all other service domains will automatically be blocked.
Without any classification
1) PDF [screenshot not reproduced]
2) TXT [screenshot not reproduced]
Install Microsoft Purview Information Protection Client
Download the Microsoft Purview Information Protection client from the official Microsoft Download Center. [installer screenshots not reproduced]
Note: All the published labels will be visible in the File Labeler.
With Sensitivity Label
1) PDF [screenshot not reproduced]
Note: TXT files can only be labeled with permissions (access controls). [screenshot not reproduced]
Common Endpoint DLP Scenarios of Banks
DLP Settings
Advanced classification scanning and protection – On
Browser and domain restrictions to sensitive data
Note: If you need to restrict this to only your environment, change these service domains accordingly.
If you plan to block all service domains when needed, you need to create a sensitive service domain group and add all the service domains that you added to the allowed list.
Example: block unclassified documents to any service domain.
Note: If you need to allow IP addresses and customized HTTP/HTTPS URLs, use sensitive service domain groups. You can add entries as follows.
*. 10.12.1.42/abc /
Most Common Endpoint DLP Policies
1) Block Unclassified Document uploading
With this policy, uploading any unclassified document is restricted to all service domains.
2) Block Classified Document uploading
With this policy, uploading classified documents is restricted to all third-party service domains except the allowed domains.
3) Block Sensitive Data, including Document uploading
With this policy, uploading documents containing sensitive information (for example, credit card numbers) is restricted to all service domains.
You can define any sensitive information type (SIT) for the policy.
To share documents containing sensitive information, you can use password-protected ZIP files. To allow this, you must exclude password-protected documents and the ZIP file extension from the unclassified-blocking Endpoint DLP policy.
Likewise, if you have an Exchange DLP rule that blocks unclassified documents, you should also exclude password-protected documents and the ZIP file extension from that rule.
In addition, we recently discovered that images in email signatures are often classified as unclassified. Therefore, it is advisable to exclude images as well.
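The "Block Unclassified Document uploading" and "Block Sensitive Data" policies from the list above, including the password-protected, ZIP and image exclusions just described, expressed in Security & Compliance PowerShell. This is an added example, not from the original article; the policy and rule names are assumptions, and it assumes the ExchangeOnlineManagement module is installed and the account holds DLP management rights.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage DLP in the compliance portal.
Connect-IPPSSession

# 1) Block Unclassified Document uploading (policy name is an assumption).
$unclassified = "EP-Block-Unclassified-Upload"
New-DlpCompliancePolicy -Name $unclassified `
    -Comment "Block upload of documents with no sensitivity label" `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications   # pilot in test mode first, switch to Enable afterwards

# Condition: content carries no sensitivity label.
# Exceptions: password-protected files, ZIP archives and common image formats,
# so password-protected ZIP sharing and email-signature images keep working.
New-DlpComplianceRule -Name "$unclassified-Rule" -Policy $unclassified `
    -ContentIsNotLabeled $true `
    -ExceptIfDocumentIsPasswordProtected $true `
    -ExceptIfContentExtensionMatchesWords "zip","png","jpg","jpeg","gif" `
    -EndpointDlpRestrictions @{Setting = "CloudEgress"; Value = "Block"} `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "Apply a sensitivity label before uploading this document."

# 3) Block Sensitive Data uploading: any document containing a credit card number,
#    labeled or not (policy name is an assumption; swap in any SIT you need).
$sensitive = "EP-Block-CreditCard-Upload"
New-DlpCompliancePolicy -Name $sensitive `
    -Comment "Block upload of documents containing credit card numbers" `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "$sensitive-Rule" -Policy $sensitive `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"} `
    -EndpointDlpRestrictions @{Setting = "CloudEgress"; Value = "Block"} `
    -NotifyUser LastModifier

# Review the unclassified rule's conditions and exceptions before enabling the policy.
Get-DlpComplianceRule -Policy $unclassified |
    Select-Object Name, ContentIsNotLabeled, ExceptIfDocumentIsPasswordProtected, ExceptIfContentExtensionMatchesWords
```

The CloudEgress restriction corresponds to the "upload to a restricted cloud service domain" activity; the allowed and sensitive service domain groups configured under DLP settings decide which domains count as restricted.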
Best Practices for Endpoint DLP Implementation
Policy Configuration: Define clear sensitivity labels and DLP rules in the Microsoft Purview compliance portal. Test on pilot groups to avoid disruptions.
User Education: Train employees on recognizing labeled files and understanding DLP alerts to foster a security-conscious culture.
Monitoring and Auditing: Use Purview's activity explorer to track labeling and DLP events, identifying potential risks.
Integration with Other Tools: Combine with Microsoft Defender for Endpoint for advanced threat detection alongside DLP.
Note
For endpoints: when an item matches multiple DLP rules, DLP uses a complex algorithm to decide which actions to apply. Endpoint DLP applies the aggregate or sum of the most restrictive actions.
Policy priority order: when an item matches multiple policies with identical actions, the actions from the highest priority policy are applied.
Rule priority order: when an item matches multiple rules in a policy with identical actions, the actions from the highest priority rule are applied (therefore the least severe rules should be at the top).
Limitations
Alerts are generated differently for emails compared to SharePoint or OneDrive items. In SharePoint and OneDrive, DLP scans both existing and new items, generating an alert whenever a match is found. In Exchange, only new email messages are scanned, and an alert is generated if there's a policy match. DLP doesn't scan or match previously existing email items stored in a mailbox or archive.
Max size of a DLP policy: 100 KB.
Policy name length limit: 64 characters.
Description length limit: 1,024 characters.
Policy rule length limit: 64 characters.
Max number of DLP rules: in a policy, limited by the size of the policy; in a tenant, 600.
Max size of an individual DLP rule: 100 KB (102,400 characters).
Comment length limit: 1,024 characters.
Max size of text that can be extracted from a file for scanning: The first 2 MB of extractable text.
Regex size limit for all matches predicted: 20 KB.
Endpoint DLP can't detect the label from another tenant in a document.
You can't monitor 'copy to clipboard' and enforce Endpoint DLP on Azure Virtual Desktop environments via browsers. However, the same egress operation will be monitored by Endpoint DLP for actions via Remote Desktop Session (RDP).
USB storage devices in virtualised environments are treated as network shares. You need to include the Copy to network share activity to monitor Copy to a USB device. All activity explorer events for virtual devices and incident alerts show the Copy to a network share activity for all copy to USB events.
FAQs
1) Unclassified TXT file (without sensitive info) - blocked
This is expected, since the policy does not include any sensitive information type (SIT). To block sensitive information you need to add a SIT to the policy.
2) Classified TXT file (without sensitive info) - blocked
This is expected, since the policy does not cover labels; in fact, its condition is content that is not labeled.
3) Unclassified TXT file (with sensitive info)
This is expected behaviour on a device when you try to upload to unallowed apps or URLs (check the DLP settings under unallowed browsers and domains, or app restrictions). To refine which file types are covered, you can add the condition that the file extension is one of a given list.
4) Classified TXT file (with sensitive info) - blocked
This is expected behaviour on a device when you try to upload to unallowed apps or URLs.
Image files (for example PNG) require OCR to be enabled; check the additional requirements, as this uses Microsoft Azure Syntex services. See "Learn about optical character recognition in Microsoft Purview" on Microsoft Learn.
Conclusion
File classifications and endpoint DLP in Microsoft Purview empower organizations to safeguard data without hindering productivity. By supporting a wide array of file types for labeling and encryption while excluding risky ones, these features provide flexible, robust protection. As threats evolve, regularly reviewing and updating policies ensures compliance and security. For the latest updates, consult the Microsoft Purview documentation.