
Why is Information Protection
so important?
Microsoft Information Protection (MIP) is essential for organisations seeking to safeguard their sensitive data in an increasingly digital and threat-laden business environment.
Firstly, MIP facilitates comprehensive data classification and labelling, enabling organisations to categorise information based on sensitivity. This classification helps ensure compliance with various regulations, such as GDPR and HIPAA, by enabling organisations to manage and protect personal and sensitive data appropriately.
Additionally, MIP integrates seamlessly with existing Microsoft 365 tools, offering a unified approach to data protection. This integration allows users to easily apply policies across applications, ensuring that protective measures remain consistent regardless of where the data resides.
In light of the growing threat landscape, including ransomware and phishing attacks, MIP equips organisations with the tools needed to respond effectively to potential security incidents.
Its capabilities extend beyond traditional data protection, encompassing advanced analytics and insights that help organisations understand their data usage patterns and identify vulnerabilities. By leveraging this knowledge, businesses can adapt their safeguarding strategies to enhance resilience against evolving threats.
Microsoft Information Protection is indispensable for modern organisations aiming to navigate the complexities of data governance and protection. Its comprehensive features not only address regulatory compliance and security needs but also enhance organisational agility and resilience in the face of persistent cyber threats. By investing in MIP, organisations position themselves to protect their most valuable asset — their data, while fostering a culture of security awareness and compliance across their workforce.
Microsoft 365 Retention Policy
Retention policies in Microsoft 365 ensure that your organisation is proactively adhering to regulations and retaining content for a required minimum period of time. This time limit may be set by an industry body or regulator within your sector, or be self-imposed by your own internal requirements.
Retention policies in Microsoft 365 help you achieve a number of goals. They reduce your legal exposure if litigation is brought against your organisation, and reduce your risk if you are involved in a security breach. They also help your organisation to share knowledge more effectively and be more agile, by ensuring that your users are working only with information that’s current and relevant to their jobs.
By enforcing the retention of data that you are legally required to retain, and permanently deleting old content that you’re no longer required to keep, retention policies help take the human element out of information management, automating tasks that would otherwise be very difficult for your staff to keep on top of.
Ultimately, retention policies in Microsoft 365 perform two very simple tasks in order to manage your content:
Content is retained by policy, meaning it can’t be deleted before the end of a fixed period.
Content is deleted automatically and permanently once the defined period comes to an end.

Benefits of retention policies
with Microsoft 365
Retention and deletion policies help you keep on top of your data costs, too.
Keeping huge amounts of ‘Redundant, Obsolete and Trivial’ information – also known as ‘ROT’ – can cost your business, in terms of storage, management, compliance, and search and discovery capabilities. By ensuring the correct deletion of information you no longer need, you will not only be protecting your organisation, but saving it money.
What’s the end-state vision of an organisation protected by retention policies? Key benefits of Microsoft 365 Retention Policies include:
Our valuable business data is protected by Microsoft 365.
We are compliant with industry/legal standards.
Information can’t be accidentally or maliciously deleted or lost.
We ensure information we’re required to keep is kept.
We properly dispose of information we are not allowed to keep.
We are efficient and not paying over the odds for data storage.
Creating retention policies in Office 365
Until recently, there was a combined ‘Microsoft 365 Security and Compliance Center’.
However, this has now been split into two separate destinations: the Microsoft 365 Security Center and the Microsoft 365 Compliance Center. Retention labels are available in both; retention policies can only be found in the Compliance Center.
Retention policies and retention labels are not available to everyone in Microsoft 365; you have to be licensed correctly. For a feature like auto-labelling, for instance, all users who can edit a file would require an Microsoft 365 E5 enterprise licence.
How to apply retention in Microsoft 365
There are two main routes to Retention and Deletion of information in Microsoft 365.
They are not designed to be used in isolation – typically, your information protection scheme would make use of both.
Retention labels can do disposition reviews, event-based retention, and more. However, you can only use them to manage SharePoint, OneDrive, Microsoft 365 Groups, and Exchange (email) content.
Retention policies can manage all the content retention labels can. In addition, they can be applied to Microsoft Teams, Skype for Business and Exchange public folder content.
Both of these perform the same actions: retaining content so that it can’t be permanently deleted before the end of the retention period, and deleting content permanently. One of or both actions can be performed by a single policy or a label.
Retain: Ensure information is kept for X years after creation. At the end of that period, do nothing.
Retain & Delete: Ensure information is kept for X years after creation. At the end of that period, delete it.
Delete: When information is created, do nothing. After a period of X years has passed, ensure it is deleted.
Microsoft 365 Sensitivity Labels
Discover Sensitivity Labels in Microsoft 365, which is a powerful way to ensure that your critical organisational information remains secure and well-managed in a world where sharing is the norm, without impacting efficiency.
Part of the Microsoft Information Protection suite, sensitivity labels are available with certain Microsoft 365 licenses.
Sensitivity labels are a key feature in the Microsoft 365 Information Security suite. They mark up content such as documents and emails, in a way that makes users aware of the need to protect the information. They can also be used to encrypt that content, and to monitor it once labelled.
A document or email that has had a Microsoft 365 Sensitivity Label applied may have a ‘watermark’ across it, or a header or footer stating the security level.
Labels are persistent in that they remain attached to your content, meaning you can be sure they are still working even if a document leaves your organisation.
Sensitivity labels form part of the Microsoft Information Protection toolset for Microsoft 365. They are distinct from retention labels – any given document can have one sensitivity label and one retention label.
Applying sensitivity labels in Microsoft 365
When you apply a sensitivity label in Microsoft 365, your content (such as a document or email), will have that label’s security properties applied to it. This could simply be a watermark, a header or a footer, or it could be advanced file encryption.
Sensitivity labels can be applied directly from within Microsoft 365 apps such as Word, PowerPoint, Excel and Outlook. They can also be applied automatically by Microsoft 365 – such as if you save a document in a document library in SharePoint, Microsoft Teams or OneDrive which is set up to apply a particular label. This is also the case for sites and groups across Microsoft 365, which can have a default label applied to any files stored there.
Furthermore, Microsoft 365 can detect sensitive content using artificial intelligence and pattern matching. For example, you could have it set up to automatically apply a label to any document containing passport numbers, UK National Insurance numbers, or credit card numbers.
This proactively prevents users from accidentally sharing personal data with the outside world, or even with different units within your own organisation.
It’s important to note that a label can be created that prevents users from downgrading it to a lower sensitivity level. So if a ‘high sensitivity’ label is applied, it may require the user to provide justification for reducing the sensitivity level, or prevent them from doing so altogether.
Licensing and Microsoft 365
sensitivity labels
Whether you can use this feature is governed by your Microsoft 365 licensing.
In order to use sensitivity labels, you must be paying for the correct licence. Note that you may be able to access the feature even if you are not licensed for it – it is up to you to ensure you are legally compliant. If you use it without licensing, and are subsequently audited, you could find yourself being billed for unexpected costs (or worse).
If you have concerns about your Microsoft 365 licensing, the team at Core is happy to help. We know it is one of the trickiest areas to navigate; our licensing experts have not only helped our customers understand and optimise their licensing, but have saved businesses significant amounts of money on licenses they did not need.
FAQs
Retention policies are a tool to help you comply with industry regulations and internal policies that require content to be retained for a minimum period of time. They reduce risk in the event of litigation or a security breach and ensure users work with content relevant to them.
When content is subject to a retention policy, people can continue to edit and work with the content as if nothing has changed, because the content is retained in its original location. But when someone edits or deletes content that’s subject to the policy, a separate copy is automatically saved to a secure location, known as the ‘Preservation Hold Library’, where it is retained while the policy is in effect.
Shortly after the retention period comes to an end (usually about a week later). any copies of the document are automatically and permanently deleted. If no deletion policy is in place, the file will remain in place, but users can now delete it permanently without a preservation copy being made.
The precedence of retention and deletion policies in Microsoft 365 is as follows: retention always wins over deletion; the longest retention policy wins; explicit inclusion wins over implicit inclusion, and finally the shortest deletion period wins.
In practical terms, this means if a document is in a position where two policies are applied to it – “retain for 5 years” and “delete after 3 months”, it will be retained for 5 years. If it is subject only to “delete after 3 months” and “delete after 5 years”, it will be deleted after 3 months.
Sensitivity labels are a tool to help protect emails or documents which contain restricted content. They can add watermarks, headers or footers to content, encrypt content and enable its monitoring. In Microsoft 365, they often appear as tags on documents and emails.
It’s a simple fact that users in your organisation need to collaborate with others, both internally and externally. Furthermore, collaboration technology has made it easier than ever to share information. But not all information should be shared.
Protecting your critical business information should be a priority, but relying on people not to share information is not the best approach. Whether by accident, through ignorance, or through malicious intent, sensitive information has a habit of getting shared. Microsoft 365 Sensitivity Labels are a software solution to this challenge which let you manage your corporate information with ease.
Best of all, sensitivity labels are designed not to get in the way of your work, ensuring you can protect your information without any impact on productivity.
Sensitivity labels in Microsoft 365 are created and managed from the Microsoft 365 Compliance Center or the Microsoft 365 Security Center.
Setting up sensitivity labels is simply a matter of entering a name for your label, choosing who it will apply to, what kind of content marking you wish to apply, and what restrictions the label will impose. You can then publish the label, and it will become available for use to colleagues across your organisation, or to the subset of users you specified.
If you delete a sensitivity label altogether, it will not be removed from documents where it has already been applied. Microsoft 365 will enforce any existing sensitivity labels that have been applied to documents, even if the label is no longer available for marking new documents.
Some more advanced actions around sensitivity labels, such as implementing Microsoft Azure Information Protection (AIP) Scanner can only be done from Microsoft Azure. There are also instances where creating sensitivity labels using Microsoft Azure can result in improved performance. Core's subject matter experts are happy to advise customers on which approach will be most effective for their organisation’s requirements.

Why choose Core?
Core are the leading experts in Microsoft 365 and we would be happy to guide you through your journey with Microsoft Information Protection.
The Core team has more than 30 years’ experience of creating Microsoft digital workplaces that really work. At Core, we have delivered results for customers including Scottish Water, Mencap, Tesco Bank, Diabetes UK, International Beverage Holdings, Greater London Authority and many more.
Ready to get set up with Microsoft Information Protection?
Our team is ready to discuss how we can support your journey, tailor solutions to your needs, and help you leverage Microsoft technologies effectively. Don't hesitate to reach out today!
What our customers say about us


Core have been outstanding to work with. They really listened to what we were trying to do, talked through all of their ideas, and fully explained the pros and cons involved while taking into account our long-term business goals.
Over the years, Core and the University of Law have built a strong relationship based on trust, expertise and knowledge. Core has always listened to and addressed our specific needs, before tailoring a specific and precise solution, whether that be delivering a successful SharePoint Online project, or when approached for some guidance or advice around Dynamics 365 licensing. We very much look forward to collaborating on future projects with Core.
It was apparent from day one that Core had a depth of knowledge in Microsoft 365, which we simply hadn’t found anywhere else.
With pre-purposed training modules and the ability to tailor training to our specific needs, Core ticks all the boxes. What may have taken weeks to prepare by way of training materials, instead took only days.
Core have helped us with various projects, from initiation to delivery for web development to app deployments, and they have always shown a high level of expertise and creativity. Core is not just a solution provider, they are also a trusted advisor who take time to understand our needs and goals to ensure our investment delivers value to the business. In an age where supplier engagement can be painful, it has been a pleasure working with Core since the outset!
Let's talk
For more information about Core or to discuss your project, contact our friendly experts today.