---
name: Data Classification and Sensitive Info Type Coverage
description: Assess Microsoft Purview sensitive information type and trainable-classifier match coverage across your data estate for DLP and compliance.
---

# Data Classification and Sensitive Info Type Coverage

> **TL;DR:** This skill reads how often Microsoft Purview sensitive information types and trainable classifiers match content across your data estate, then produces a coverage and risk report so you can see where sensitive data is unprotected.

## What Microsoft Purview data classification inspects

Microsoft Purview data classification scans content in Exchange Online, SharePoint, OneDrive and Microsoft Teams and tags it when it matches a sensitive information type (SIT) or a trainable classifier. These match signals feed Microsoft Purview Data Loss Prevention (DLP), sensitivity labels and insider risk policies, so weak classifier coverage directly weakens every control that depends on it. This skill analyses where matches concentrate and where sensitive data is likely going undetected.

## When should you run this skill?

- "Which sensitive information types are actually matching content in our tenant?"
- "Are our trainable classifiers covering the locations where sensitive data lives?"
- "Show me where sensitive data exists but no DLP or label policy is protecting it."
- "We are onboarding Microsoft 365 Copilot and need to confirm classification coverage first."
- "Prepare classification evidence for our next compliance or privacy audit."
- "Which workloads have the lowest sensitive information type coverage?"
- "Has classification coverage changed since we last reviewed it?"

## How this skill works, step by step

1. Authenticate read-only to Microsoft Purview using a least-privilege account with Compliance Data Administrator or equivalent reviewer access.
2. Enumerate the active sensitive information types and trainable classifiers configured in the tenant.
3. Read classification match counts and content explorer summaries per workload: Exchange Online, SharePoint, OneDrive and Microsoft Teams.
4. Map each match-producing SIT and classifier to the DLP, sensitivity label and retention policies that consume it.
5. Identify locations where sensitive content is detected but no protective policy applies, and SITs that produce zero matches.
6. Compare coverage across workloads to highlight gaps where classification is sparse or absent.
7. Derive a per-workload risk score from match volume, protective-policy coverage and the count of unprotected high-confidence matches.
8. Compile findings into a prioritised coverage and risk report with remediation guidance.
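
Steps 4 to 7 as an added Python example (not part of the skill's own code): it joins per-workload match counts to policy scope, lists unprotected and zero-match SITs, and scores each workload. The sample data is constructed, and the weights, saturation caps, risk bands and the "Full" coverage label are assumptions, because the steps above name the score's inputs but not its formula.

```python
from collections import defaultdict

# Constructed sample data standing in for exported match counts (step 3):
# (workload, SIT or classifier, total matches, high-confidence matches)
MATCHES = [
    ("SharePoint Online", "Credit Card Number", 1200, 300),
    ("SharePoint Online", "Australia Tax File Number", 400, 100),
    ("OneDrive", "Australia Tax File Number", 800, 500),
    ("Exchange Online", "Credit Card Number", 50, 5),
]
# Constructed mapping (step 4): SIT -> workloads where a DLP or label policy uses it
POLICY_SCOPE = {"Credit Card Number": {"SharePoint Online", "Exchange Online"}}
ACTIVE_SITS = ["Credit Card Number", "Australia Tax File Number",
               "Australia Passport Number"]

# Assumed weights and saturation points; the page names the inputs, not a formula.
W_GAP, W_HC, W_VOL = 40, 40, 20
HC_CAP, VOL_CAP = 200, 1000


def assess(matches, policy_scope, active_sits):
    per = defaultdict(lambda: {"total": 0, "protected": 0, "unprotected_hc": 0})
    unprotected, seen = [], set()
    for workload, sit, total, high_conf in matches:
        if total == 0:
            continue  # a SIT with no hits stays a zero-match candidate (step 5)
        seen.add(sit)
        row = per[workload]
        row["total"] += total
        if workload in policy_scope.get(sit, set()):
            row["protected"] += total
        else:  # detected content with no consuming policy in this workload
            row["unprotected_hc"] += high_conf
            unprotected.append((workload, sit))
    report = {}
    for workload, row in per.items():
        share = row["protected"] / row["total"]
        score = round(W_GAP * (1 - share)
                      + W_HC * min(1, row["unprotected_hc"] / HC_CAP)
                      + W_VOL * min(1, row["total"] / VOL_CAP))
        coverage = "Full" if share == 1 else "Partial" if share > 0 else "Low"
        risk = "High" if score >= 67 else "Medium" if score >= 34 else "Low"
        report[workload] = {"coverage": coverage, "score": score, "risk": risk}
    zero_match = [s for s in active_sits if s not in seen]
    ranked = sorted(report, key=lambda w: report[w]["score"], reverse=True)
    return {"workloads": report, "unprotected": unprotected,
            "zero_match": zero_match, "priority": ranked}


if __name__ == "__main__":
    for name, value in assess(MATCHES, POLICY_SCOPE, ACTIVE_SITS).items():
        print(name, value)
```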

## Output format

The skill produces a per-workload coverage table followed by a summary.

| Workload | Top matching SIT or classifier | Protective policy in place | Coverage | Risk |
| --- | --- | --- | --- | --- |
| SharePoint Online | Credit Card Number | DLP policy applied | Partial | Medium |
| OneDrive | Australia Tax File Number | None detected | Low | High |

- Total active sensitive information types and trainable classifiers, and how many produce matches.
- Workloads with sensitive content but no protective DLP or sensitivity label policy.
- Sensitive information types producing zero matches, which may be misconfigured or unused.
- Prioritised remediation actions ordered by risk score.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, policies or content. It inspects classification and configuration metadata only and never modifies, moves or deletes data.

This skill does NOT:

- Create, edit or delete sensitive information types, classifiers, DLP or label policies.
- Read or export the body content of any matched file or message.
- Apply, remove or change sensitivity labels on any item.
- Make any write call to Microsoft Purview or Microsoft 365.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Data classification and sensitive information types | Microsoft 365 E3 (or E1 with the Purview entitlement) |
| Content Explorer match counts and trainable classifiers | Microsoft 365 E5 or E5 Compliance (Information Protection and Governance) |

### Least-privilege roles

- Global Reader, for read-only visibility of classification configuration.
- Content Explorer List viewer or Content Explorer Content viewer (Purview), for the match counts this skill reads.
- Compliance Data Administrator, where a single reviewer role across Purview is preferred.

### Microsoft Graph permissions (read-only)

- This skill reads Content Explorer and trainable-classifier coverage, which is administered through the Microsoft Purview portal and the Security and Compliance PowerShell module (for example `Export-ContentExplorerData` and `Get-DlpSensitiveInformationType`), not Microsoft Graph.
- `InformationProtectionPolicy.Read` applies only where you additionally need to read published sensitivity label and label policy definitions via Microsoft Graph.

## Sources and compliance

- [Learn about data classification](https://learn.microsoft.com/en-us/purview/data-classification-overview)
- [Learn about sensitive information types](https://learn.microsoft.com/en-us/purview/sensitive-information-type-learn-about)
- Supports the data protection intent behind the [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model), reinforcing controls that depend on accurate classification.
- Aligns with ISM guidance on identifying and protecting sensitive and classified information across the data estate.
- Output in Australian English.
