Data Security
Deployment Best Practices
Overview
Establish foundational protection with Business Premium by creating sensitivity labels, setting defaults, applying basic DLP policies, and enabling audit logging; this baseline is typically achievable within 1-2 weeks. Then expand protection to endpoints and automate classification with Purview Suite. The guide follows a Good → Better → Best progression across three priority levels.
Audience: IT administrators in SMBs with fewer than 300 employees, and managed service providers deploying security baselines.
Deployment phases

Baseline visibility & readiness
  Activities: Enable audit logging and baseline data discovery
  Role: Global Administrator (or Compliance Administrator if audit is already enabled)
  Purpose: Establishes visibility into user and admin activity before enforcement

Policy enforcement (DLP & retention)
  Activities: Deploy DLP policies (Exchange, SharePoint, OneDrive, Teams, Endpoint); configure retention policies
  Role: Compliance Administrator (Compliance Data Administrator for retention)
  Purpose: Prevents data leakage and enforces governance requirements

Automation & scale
  Activities: Configure client-side and service-side auto-labeling; create custom SITs (optional)
  Role: Compliance Administrator
  Purpose: Reduces reliance on users and scales protection automatically

Advanced risk-based protection
  Activities: Enable DSPM
  Role: Compliance Administrator + Insider Risk Admin + Conditional Access Administrator
  Purpose: Identifies risky behavior and dynamically increases protection
Recommended label taxonomy
Starting-point Purview sensitivity labels. Tune auto-labeling, permissions, and DLP limits to match the client's data classification policy.

Public
  Description: Unrestricted data meant for public consumption
  Mode: Manual labeling

General
  Description: Business data not meant for public consumption
  Mode: Manual labeling

Confidential / All Employees
  Description: Sensitive business data, limited distribution
  Mode: Auto labeling

Confidential / Specific People
  Description: Sensitive data shared with named recipients
  Mode: Manual labeling

Confidential / Internal Exception
  Description: Allows users to lower severity and share externally; leverage DLP/IRM to manage deviations
  Mode: Manual labeling

Highly Confidential / All Employees
  Description: Most critical data; auto-labeling defines what constitutes highly confidential
  Mode: Optional labeling

Highly Confidential / Specific People
  Description: DLP for Copilot label candidate, auto-labeled by SIT
  Mode: Auto labeling

Highly Confidential / Internal Exception
  Description: DLP for Copilot label candidate
  Mode: Manual labeling

References & Microsoft Learn
Enable unified audit log
Label creation, publishing, and priority
Out-of-the-box labels
Classic to Modern label scheme migration
Label use cases
Co-authoring encrypted documents
Container labels for Teams, Groups, SharePoint sites
DLP policy design guidance
DLP policy creation for all workloads
Copilot-specific DLP policies
Data lifecycle management
Retention policy configuration
Client-side and service-side auto-labeling
Label-based encryption
Custom SIT creation
Data Security Posture Management deployment
Securing generative AI apps
Role requirements for Purview portal
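As an added example that is not part of this guide, the following Security & Compliance PowerShell script creates the recommended label taxonomy above as parent labels with sub-labels, publishes them, and prints the resulting priority order as a validation check. The policy name and tooltip wording are assumptions; the Auto and Optional labeling modes in the table are configured separately through auto-labeling policies, which this script does not create.

```powershell
# Added example (not the guide's own code): builds the starting-point taxonomy with
# Security & Compliance PowerShell. Assumes the Compliance Administrator role; the
# policy name 'Baseline Sensitivity Labels' is a placeholder.
Connect-IPPSSession
# Creation order sets the initial priority (later = more sensitive), so both lists
# run from least to most restrictive.
$topLevel = @(
    @{ Name = 'Public';  Tooltip = 'Unrestricted data meant for public consumption' }
    @{ Name = 'General'; Tooltip = 'Business data not meant for public consumption' }
)
# Parents that only group sub-labels; users pick one of the sub-labels.
$groups = [ordered]@{
    'Confidential' = @(
        @{ Name = 'All Employees';      Tooltip = 'Sensitive business data, limited distribution' }
        @{ Name = 'Specific People';    Tooltip = 'Sensitive data shared with named recipients' }
        @{ Name = 'Internal Exception'; Tooltip = 'May be shared externally; DLP/IRM manages deviations' }
    )
    'Highly Confidential' = @(
        @{ Name = 'All Employees';      Tooltip = 'Most critical data' }
        @{ Name = 'Specific People';    Tooltip = 'DLP for Copilot candidate; auto-labeled by SIT' }
        @{ Name = 'Internal Exception'; Tooltip = 'DLP for Copilot candidate' }
    )
}
# Idempotent create: re-running the script after a partial failure is safe.
function New-LabelIfMissing {
    param([string]$Name, [string]$DisplayName, [string]$Tooltip, [string]$ParentId)
    if (Get-Label -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Host "Exists, skipping: $Name"; return
    }
    $p = @{ Name = $Name; DisplayName = $DisplayName; Tooltip = $Tooltip }
    if ($ParentId) { $p.ParentId = $ParentId }   # ParentId turns this into a sub-label
    New-Label @p | Out-Null
}
foreach ($l in $topLevel) { New-LabelIfMissing -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip }
foreach ($parent in $groups.Keys) {
    New-LabelIfMissing -Name $parent -DisplayName $parent -Tooltip "$parent data; choose a sub-label"
    foreach ($sub in $groups[$parent]) {
        # Label names are unique tenant-wide, so the internal name carries the parent.
        New-LabelIfMissing -Name "$parent - $($sub.Name)" -DisplayName $sub.Name `
            -Tooltip $sub.Tooltip -ParentId $parent
    }
}
# Publish every label in the tenant to all users (filter $names if other labels exist).
$names = Get-Label | Select-Object -ExpandProperty Name
New-LabelPolicy -Name 'Baseline Sensitivity Labels' -Labels $names -ExchangeLocation All
# Validation check: confirm the priority order and parent/child structure.
Get-Label | Sort-Object Priority | Format-Table Priority, Name, DisplayName, ParentId
```

Publishing alone applies no encryption or DLP enforcement; those come from the label settings and the DLP phase described above.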