Skip to main content

Sensitivity Labels & Data Classification

Noxys integrates with Microsoft Purview (formerly Microsoft Information Protection) to enforce policies based on sensitivity labels, enabling seamless data governance across your organization.

Overview

What it does:

  • Reads Microsoft 365 sensitivity labels from documents and email
  • Detects label metadata in clipboard, file properties, and document content
  • Enforces policies based on label level (Public, Internal, Confidential, Highly Confidential)
  • Prevents labeled data from reaching unauthorized AI services

When to use:

  • Organizations using Microsoft 365 and Purview
  • Regulated industries (Finance, Healthcare, Legal) with classification workflows
  • Need to enforce data governance across AI usage

Prerequisites

  • Microsoft 365 subscription with Purview enabled
  • Sensitivity labels configured in Microsoft Purview
  • Noxys backend version 0.1.2+
  • Admin role in Noxys console

Setup

Step 1: Enable Purview Integration

  1. Go to SettingsData ClassificationPurview Integration
  2. Click Enable
  3. You'll be redirected to Microsoft login
  4. Grant Noxys permission to read sensitivity labels:
    • "Read and modify sensitivity labels"
    • "Access Information Protection data"
  5. Confirm and return to Noxys

Step 2: Configure Label Mapping

After enabling, map Purview labels to Noxys enforcement levels:

  1. Go to SettingsData ClassificationLabel Mapping

  2. You'll see your organization's labels:

    • Public
    • Internal
    • Confidential
    • Highly Confidential
    • (custom labels)

  3. For each label, set the Enforcement Level:

    • Allow: No restrictions
    • Coach: Show warning
    • Block: Prevent sharing
    • Require Auth: Require user to confirm

Example configuration:

LabelEnforcementApplies To
PublicAllowGeneral information
InternalCoachInternal documents
ConfidentialBlockFinancial data, IP
Highly ConfidentialBlockM&A, legal strategy, source code
  1. Click Save

Step 3: Configure Detection Method

In Settings → Data Classification → Detection Method:

  1. Enable Clipboard Monitoring (optional):

    • Detects when user copies labeled document content
    • Intercepts before pasting into AI service
    • Privacy: Only metadata read, not content

  2. Enable File Property Reading (optional):

    • Reads sensitivity labels from file metadata
    • Applies when user mentions filename or pastes file content
    • Works with Word, Excel, PowerPoint files on Desktop

  3. Enable Email Headers (optional):

    • Detects classification in Outlook emails
    • Applies when forwarding to AI or discussing in chat

  4. Sync Frequency:

    • How often to refresh labels from Purview (default: hourly)
    • Options: every 15 min, 30 min, hourly, daily

  5. Click Save

How It Works

Detection Flow

1. User copies content from a document labeled "Confidential"

2. Extension monitors clipboard

3. Reads Purview metadata: label = "Confidential"

4. Looks up enforcement level: "Block"

5. User attempts to paste into ChatGPT

6. Extension blocks paste / shows warning

7. Backend logs: "Confidential document attempt blocked"

Integration Points

Document Level:

  • Word documents (.docx)
  • Excel spreadsheets (.xlsx)
  • PowerPoint presentations (.pptx)
  • PDF (if labeled in Purview)

Content Level:

  • Email content (Outlook)
  • Clipboard text (any labeled document)
  • File mentions ("I have a file called Quarterly_Results_2026.xlsx")

Metadata Level:

  • Document properties (sensitivity field)
  • Purview audit trail (all labeled data access)
  • Classification timestamp

Policy Integration

Create Label-Based Policies

Combine sensitivity labels with other conditions:

Example 1: Block Confidential Documents

Policy Name: Prevent Confidential on Public AI
Description: Ensure classified documents stay internal
Enabled: Yes
Priority: 5
Action: Block

Conditions:
  - purview_label eq "Confidential"
  - platform_id in ["chatgpt", "gemini", "grok"]

Example 2: Coach on Internal Documents

Policy Name: Coach on Internal Documents
Description: Remind users before sharing internal docs
Enabled: Yes
Priority: 20
Action: Coach

Conditions:
  - purview_label eq "Internal"

Example 3: Allow Labeled Data on EU Services Only

Policy Name: Confidential - EU Services Only
Description: Classified data restricted to EU-based services
Enabled: Yes
Priority: 10
Action: Block

Conditions:
  - purview_label in ["Confidential", "Highly Confidential"]
  - data_region neq "EU"

Example 4: Department-Specific Rules

Policy Name: Finance Highly Confidential Only
Description: Finance team cannot share confidential data on non-EU services
Enabled: Yes
Priority: 8
Action: Block

Conditions:
  - department eq "Finance"
  - purview_label eq "Highly Confidential"
  - data_region neq "EU"

Available Conditions

Field: purview_label Operators: eq, neq, in, nin, contains Values: Label name (String)

Examples:

purview_label eq "Confidential"
purview_label in ["Confidential", "Highly Confidential"]
purview_label neq "Public"

Field: purview_sublabel (if your organization uses sub-labels) Operators: eq, neq Values: Sub-label name

Examples:

purview_sublabel eq "Legal - Contracts"

User Experience

When User Tries to Share Labeled Content

Scenario: Alice opens a "Confidential" document and tries to paste it into ChatGPT.

Step 1: Clipboard Detection

User: Ctrl+C (copies from Word document marked "Confidential")
Extension: Detects clipboard change, reads Purview label

Step 2: Policy Evaluation

Backend: Evaluates "Prevent Confidential on Public AI" policy
Conditions check:
  - purview_label = "Confidential" ✓
  - platform_id = "chatgpt" ✓
Result: MATCH → Block

Step 3: User Sees Block

Red banner in ChatGPT:
"This document is marked Confidential.
 Sharing to public AI services is blocked by policy.
 Approved services: Claude (EU), Mistral, HuggingChat"

Step 4: User Options

  • Edit: Remove classified content, keep general ideas
  • Use Approved Service: Switch to Claude (EU-based)
  • Request Exception: (if enabled) Email admin for one-time access
  • Cancel: Abandon the sharing

When User Can Share

Scenario: Bob copies "Internal" document and tries to share on HuggingChat (EU-based).

Result: Yellow warning appears

"This document is marked Internal.
 You're sharing to an EU-based service, which is allowed.
 Remember: Only share what's necessary."

User can: Proceed with the sharing

Audit & Compliance

In Audit Log

Every labeled document interaction is logged:

Timestamp: 2026-03-20T14:32:00Z
User: alice@acme.fr
Action: purview_label_blocked
Resource: "Quarterly_Results_2026.xlsx" (Confidential)
Platform: chatgpt
Policy: "Prevent Confidential on Public AI"
Details: {
  "label": "Confidential",
  "file": "Quarterly_Results_2026.xlsx",
  "action": "block"
}

Compliance Reports

In Settings → Compliance → Purview Integration:

  1. Label Usage Report:

    • How many interactions involved each label?
    • Which services are receiving labeled data?
    • Which departments access classified content?

  2. Control Effectiveness:

    • How many attempts were blocked?
    • False positive rate?
    • Policy impact on user productivity

  3. Audit Trail Export:

    • All labeled content interactions
    • User, timestamp, label, platform
    • Export as CSV for compliance audit

Troubleshooting

Sensitivity Labels Not Detected

Problem: User has labeled document, but extension doesn't recognize the label.

Diagnosis:

  1. Confirm Purview integration is Enabled (Settings → Data Classification)
  2. Verify label sync completed (should see all labels in Label Mapping)
  3. Check document actually has Purview label (right-click document → Info → check "Sensitivity")
  4. Confirm detection method enabled:
    • Clipboard: Works with clipboard.read permission
    • File properties: Works with Windows/Mac file metadata
    • Email: Works with Outlook

Solution:

  • If label is new, sync may take up to 1 hour
  • Click Sync Labels manually in Settings → Data Classification
  • Verify document was actually labeled in Outlook/Teams
  • For offline documents, save to OneDrive so Purview can read metadata

Labels Keep Disappearing from Policy

Problem: Created policy with label condition, but label not showing in dropdown.

Diagnosis:

  1. Purview integration may have been disabled/re-enabled
  2. Label may have been deleted in Purview admin center

Solution:

  • Go to Settings → Data Classification → Label Mapping
  • Click Sync Labels to refresh from Purview
  • Reapply label condition to policy

False Positives (Blocking When Shouldn't)

Problem: User can't share "Internal" document on approved EU service.

Diagnosis:

  1. Check policy conditions: Is label correctly set?
  2. Check enforcement level: Is label mapped to "Block" instead of "Coach"?
  3. Check platform detection: Is HuggingChat correctly identified as EU?

Solution:

  • Review policy conditions (Settings → Policies)
  • Adjust enforcement level (Settings → Data Classification → Label Mapping)
  • Verify service residency (Settings → AI Services → Check EU flag)
  • If specific case, create exception policy with lower priority

Extension Permissions Error

Problem: "Clipboard read denied" error when detecting labels.

Diagnosis:

  • Browser may have denied clipboard access permission
  • Extension may not have permission to read clipboard

Solution:

  1. Go to chrome://extensions/ → Noxys → Details
  2. Under Permissions, confirm "Read clipboard"
  3. If missing, uninstall and reinstall extension
  4. If permission still denied, check browser security settings

Best Practices

1. Align Labels with AI Policy Risk

Map labels to enforcement:

  • Public → Allow (no restrictions)
  • Internal → Coach (nudge, but allow)
  • Confidential → Block on US services only
  • Highly Confidential → Block on all non-EU services

This aligns data governance with AI risk profile.

2. Use Sub-Labels for Granularity

Example: Create sub-labels under "Confidential"

  • Confidential → Finance
  • Confidential → Legal
  • Confidential → Product

Then create policies per sub-label:

Finance - Confidential on EU Services Only
  Condition: purview_sublabel eq "Finance"

3. Educate Users on Labels

Most users don't understand Purview labels. Create a quick reference:

"How Noxys uses your document labels":

  • Public: Share freely, no restrictions
  • Internal: Share with team, not public AI
  • Confidential: Share only with Mistral/EU services
  • Highly Confidential: Keep off AI entirely

4. Audit Quarterly

In Compliance → Purview Integration:

  • Generate monthly label usage report
  • Review which policies are most effective
  • Adjust labels/policies based on trends

5. Pilot Before Broad Rollout

  1. Week 1: Enable detection in "Coach" mode
  2. Week 2: Review user feedback and false positives
  3. Week 3: Adjust policies based on insights
  4. Week 4: Promote to "Block" if needed

Known Limitations

Tier 1 Detection

Sensitivity labels are NOT detected by regex (Tier 1 PII detection).

  • Extension looks at document metadata, not content
  • If user manually retyps content from labeled document, label is lost
  • Mitigation: Educate users to not retype sensitive data

Offline Documents

Purview labels require Azure connectivity:

  • Offline documents (not synced to OneDrive) may not have labels detected
  • Mitigation: Encourage OneDrive/SharePoint storage for labeled documents

Legacy File Formats

Older file formats (.doc, .xls, .ppt) may not have Purview labels:

  • Modern .docx, .xlsx, .pptx formats recommended
  • PDF labels require recent Office 365 update

Integration Roadmap

Planned Features (v0.2)

  • Sensitivity label detection from Teams messages
  • DLP rule integration (prevent labeled data on non-approved services)
  • Custom label workflow (approval required for sharing)
  • Label auto-detection in screenshots (OCR-based)

Customer Requests

Have a feature request? Email support@noxys.eu with:

  • Use case description
  • Current workaround
  • Expected impact

Next Steps

Need help?

  • Email: support@noxys.eu
  • Label Setup: Contact your Microsoft 365 admin to create Purview labels
  • Integration Support: Available during business hours for setup assistance