M365 Information protection: Understanding Sensitivity labels vs sensitive information types

Sensitivity label

Sensitivity labels are part of the Microsoft Information Protection solution. They allow you to classify and protect your organization's data by applying appropriate permissions and restrictions to content. At the same time, the granularity of the solution ensures that only the necessary restrictions are in place, and it gives more flexibility than classic permissions management.

Sensitive Information Type (SIT)

Sensitive information types are pattern-based classifiers. They detect sensitive information like account keys, passwords, addresses, or bank account numbers to identify sensitive items. SITs (sensitive information types) can be either provided by Microsoft or created on your own. You can also use Microsoft-provided SITs as templates for your own SITs. Below is an example: the definition of the Germany Identity Card Number SIT.

<!-- Germany Identity Card Number -->
<Entity id="e577372f-c42e-47a0-9d85-bebed1c237d4" patternsProximity="300" recommendedConfidence="75">
  <Pattern confidenceLevel="75">
    <IdMatch idRef="Regex_germany_id_card" />
    <Match idRef="Keyword_germany_id_card" />
  </Pattern>
  <Version minEngineVersion="15.20.4545.000">
    <Pattern confidenceLevel="85">
      <IdMatch idRef="Func_german_id_card_with_check" />
      <Match idRef="Keyword_germany_id_card" />
    </Pattern>
    <Pattern confidenceLevel="65">
      <IdMatch idRef="Func_german_id_card_with_check" />
    </Pattern>
  </Version>
</Entity>
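
How a definition like this turns into a confidence score, as an added example (a simplified model written for this page, not Microsoft's engine and not code from the original post). The regex, the keyword list and the 7-3-1 checksum are assumed stand-ins for Regex_germany_id_card, Keyword_germany_id_card and Func_german_id_card_with_check, whose real definitions are not shown here; the ID values used with it are constructed.

```python
import re
import xml.etree.ElementTree as ET

ENTITY_XML = """
<Entity id="e577372f-c42e-47a0-9d85-bebed1c237d4" patternsProximity="300" recommendedConfidence="75">
  <Pattern confidenceLevel="75"><IdMatch idRef="Regex_germany_id_card"/><Match idRef="Keyword_germany_id_card"/></Pattern>
  <Version minEngineVersion="15.20.4545.000">
    <Pattern confidenceLevel="85"><IdMatch idRef="Func_german_id_card_with_check"/><Match idRef="Keyword_germany_id_card"/></Pattern>
    <Pattern confidenceLevel="65"><IdMatch idRef="Func_german_id_card_with_check"/></Pattern>
  </Version>
</Entity>"""

def check_731(token):
    """Assumed stand-in checksum: weights 7-3-1 over 9 chars (A=10..Z=35), last char is the check digit."""
    vals = [int(c, 36) for c in token]
    return sum(v * w for v, w in zip(vals[:-1], [7, 3, 1] * 3)) % 10 == vals[-1]

# Assumed stand-ins for the referenced elements; each returns the offsets of candidate IDs.
ID_FINDERS = {
    "Regex_germany_id_card": lambda t: [m.start() for m in re.finditer(r"\b[A-Z0-9]{9}\b", t)],
    "Func_german_id_card_with_check": lambda t: [
        m.start() for m in re.finditer(r"\b[A-Z0-9]{9}\d\b", t) if check_731(m.group())],
}
KEYWORDS = {"Keyword_germany_id_card": ["personalausweis", "ausweisnummer"]}

def evaluate(text, xml=ENTITY_XML):
    """Return the highest confidenceLevel of any satisfied Pattern, or 0 if none matches.
    Assumes the engine is new enough that the patterns under <Version> apply."""
    entity = ET.fromstring(xml)
    window = int(entity.get("patternsProximity"))
    best = 0
    for pattern in entity.iter("Pattern"):
        id_ref = pattern.find("IdMatch").get("idRef")
        support = [m.get("idRef") for m in pattern.findall("Match")]
        for pos in ID_FINDERS[id_ref](text):
            # Supporting evidence only counts inside the proximity window around the ID.
            nearby = text[max(0, pos - window): pos + window].lower()
            if all(any(k in nearby for k in KEYWORDS[s]) for s in support):
                best = max(best, int(pattern.get("confidenceLevel")))
    return best

def meets_recommended(text, xml=ENTITY_XML):
    """True when the best pattern reaches the entity's recommendedConfidence."""
    return evaluate(text, xml) >= int(ET.fromstring(xml).get("recommendedConfidence"))
```

A checksum-valid ID with no keyword nearby scores 65 and stays below the recommended confidence of 75, which is why an auto-labelling rule set to the recommended level would not fire on it.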

The difference

Sensitivity labels can leverage sensitive information types for auto-labelling. Based on the SITs detected in the content, you decide whether it should receive a specific label.

Scenario

Imagine you created 2 labels: HRDocumentation and ITInfo. To apply these labels, you leverage several SITs provided out of the box (OOTB). If a document meets the criteria for Australia medical account number or Canada passport number, it will be labelled as HRDocumentation. If the document meets the criteria for Azure storage account key or a connection string, it will be classified as ITInfo.


Image: Creating new sensitivity label using sensitive information type
