Microsoft 365 allows users and administrators to classify and protect documents stored in OneDrive, SharePoint, or locally, as well as email messages, using the Azure Information Protection (AIP) service.

Administrators create classification labels and configure the actions available to users of the label. For example, a label can be configured to allow or deny the ability to take screenshots, copy content, or print it. Labels can be used to prevent people from modifying the recipients of a message or forwarding it to others. 

Once the labels have been configured and published, users can apply them to protect documents, files, and email.

Administrators can also audit and control how classification and encryption technologies are used across the organization. Content can be classified using a number of methods, including the following:

• Outlook
• Office applications such as Word or Excel
• Exchange Online transport rules, which modify specific message properties throughout its transport
• Security & Compliance Center Data Loss Prevention rules
• Windows Explorer using the Azure Information Protection unified labeling client

After classification has been applied, the email message or document will display its tag and users, if authorized to open the file, will be able to review what actions they are allowed to take on that information, as shown in the following screenshot:

AIP is part of both Microsoft 365 E3 and Microsoft 365 E5. In Microsoft 365 E3, users must perform data classification manually. With Microsoft 365 E5, administrators can configure classification so that it happens automatically, such as when an application detects sensitive content such as credit card or social security numbers.

Next, we'll turn to security and compliance concepts for networking.