Explore how Phase 2 of Microsoft Purview’s Secure by Default framework introduces managed auto-labeling, insider risk controls, and DLP enforcement to advance enterprise data protection.
In my previous articles, I outlined Microsoft’s Secure by Default framework for Microsoft Purview and walked through the initial Foundational phase. Today, we’ll explore Phase 2: Managed, which builds on those early protections with stronger automation and broader enforcement.
This phase assumes familiarity with sensitivity labels, Data Loss Prevention (DLP) policies, and a pilot group deployment model for controlled testing before scaling.

Overview of Phase 2 Actions & Outcomes
1. Apply Default Labels to High-Risk SharePoint & Teams Libraries
Action:
- Identify document libraries used by departments like HR, Finance, or Executive leadership.
- Assign stricter default sensitivity labels to these libraries using insights from Purview’s Data Explorer and department data owners.
Outcome:
- All files (existing and new) in these libraries are automatically labeled and protected.
- Users must manually relabel files to share them externally—building on habits introduced in Phase 1.
2. Auto-Label Login Credentials Across Microsoft 365 Services
Action:
- Create an auto-labeling policy targeting login credentials using Microsoft’s Sensitive Information Types (SITs).
- Apply encryption and configure DLP to block internal and external sharing across Exchange, SharePoint, Teams, and OneDrive.
Outcome:
- All stored credentials are automatically encrypted and shielded from sharing.
- Communicate this update clearly to avoid confusion and reinforce internal policies against credential sharing.
3. Block External Sharing of Unlabeled Files & Emails
Action:
- Use the “Content Not Labeled” trigger in DLP policies for Devices and Exchange.
- Require users to apply a sensitivity label before sharing any file or message externally.
Outcome:
- Forces intentional labeling of older files and emails that predate Phase 1 protections.
- May cause friction—over-communicate expectations and monitor impacts closely.
4. Leverage Insider Risk Adaptive Protection in DLP (If Licensed)
Action:
- Use Insider Risk Management risk levels to dynamically adjust DLP policies.
- Restrict external sharing capabilities for high-risk users or limit them to only “Public”-labeled files.
Outcome:
- Automatically applies stricter controls for users flagged as higher risk.
- Requires tuning for accuracy. Prepare for end-user questions about restrictions they may not understand.
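
One way to script action 2 in Security & Compliance PowerShell, starting in simulation mode to match the pilot approach. This is an added example, not code from the original article or from Microsoft's guidance; the label placeholder, the SIT name and both policy names are assumptions to replace with your tenant's values.

```powershell
# Added example. Every name below is an assumption or placeholder, not from the article.
#Requires -Modules ExchangeOnlineManagement
$ErrorActionPreference = 'Stop'                    # abort on the first failed cmdlet

$labelName  = '<encrypting-label-name>'            # placeholder: existing label that applies encryption
$sitName    = 'All Credentials'                    # assumption: confirm the exact SIT name in your tenant
$policyName = 'Phase2-AutoLabel-Credentials'       # hypothetical policy name
$dlpName    = 'Phase2-DLP-Block-Credentials'       # hypothetical policy name

Connect-IPPSSession                                # Security & Compliance PowerShell session

# Fail early if the SIT or the label does not resolve, before any policy is created.
Get-DlpSensitiveInformationType -Identity $sitName | Out-Null
Get-Label -Identity $labelName | Out-Null

# Match condition shared by the auto-labeling rules and the DLP rule.
$sit = @{ Name = $sitName; minCount = '1' }

# Auto-labeling policy, created in simulation so matches can be reviewed with the pilot group.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -ApplySensitivityLabel $labelName -Mode TestWithoutNotifications

# Auto-labeling rules are scoped to a single workload, so create one per location.
foreach ($workload in 'Exchange', 'SharePoint', 'OneDriveForBusiness') {
    New-AutoSensitivityLabelRule -Name "$policyName-$workload" -Policy $policyName `
        -Workload $workload -ContentContainsSensitiveInformation $sit
}

# DLP policy across the four services named in action 2, also in test mode first.
New-DlpCompliancePolicy -Name $dlpName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# Block access to matching content; scope 'All' restricts internal and external recipients.
New-DlpComplianceRule -Name "$dlpName-Rule" -Policy $dlpName `
    -ContentContainsSensitiveInformation $sit -BlockAccess $true -BlockAccessScope All
```

After reviewing the simulation results, switch each policy on with `Set-AutoSensitivityLabelPolicy` and `Set-DlpCompliancePolicy` using `-Mode Enable`.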

Maintaining Communication & Flexibility
As Phase 2 expands protections and enforcement:
- Encourage users to flag label-related issues early so processes can be adjusted.
- Actively solicit feedback from your pilot users.
- Quickly resolve disruptions to business workflows or exclude groups temporarily if necessary.

Phase 2 Normalization & What’s Next
Before scaling Phase 2 to more users, or advancing to Phase 3:
- Monitor activity using Purview’s Activity Explorer for trends and anomalies.
- Allow time for stabilization, retraining, and cross-functional feedback.
Stay tuned for the next blog in this series, where we’ll examine Phase 3 – Optimized, including automation and broader label expansion.


Need Support with Microsoft Purview?
If you’re planning to scale your Secure by Default rollout or need help tuning policies, reach out to eGroup for expert guidance on configuring Microsoft Purview for your organization.