Integration documentation: Purview Sensitivity Labels

When Datamapper scans files in OneDrive and detects GDPR-sensitive information, it can automatically apply a Microsoft Purview Sensitivity Label directly to the file in its original location — making risk files visible and actionable without any manual effort.

Prerequisites

Two Sensitivity Labels must be created and published in your Microsoft Purview tenant, and assigned to each relevant OneDrive and Outlook accounts, and SharePoint sites::

Datamapper-risk

Applied to files where Datamapper has identified sensitive personal data as defined by GDPR Article 9 (e.g. health data, biometric data, racial or ethnic origin) or Article 10 (criminal convictions and offenses).


Datamapper-highrisk Applied to files where Datamapper has identified risk numbers such as passport numbers and personal identity numbers, which require urgent attention.

Once created, you can view label status in Datamapper under:

•       Locations → OneDrive and Locations → Outlook — status shown per account

•       Locations → SharePoint — status shown per site

◦       Note: for SharePoint, all Microsoft user accounts with Datamapper sensitivity labels enabled will be able to see the labels set by Datamapper, regardless of which site they access.


If a label is not available for an account, Datamapper will show additional information about why.

See the Microsoft Purview documentation for guidance on creating labels and publishing them via a label policy.


Setting up labels in Microsoft Purview

Labels are created and published in two steps in the Microsoft Purview portal: first create the label, then publish it via a label policy so it becomes available to the relevant accounts and sites.


1.    Sign in to the Microsoft Purview portal and go to Solutions → Information Protection → Sensitivity labels.

2.    Select + Create a label. Give it the exact name Datamapper-risk or Datamapper-highrisk, and set the scope to Files & other data assets (and Emails, if labeling Outlook content).

3.    Repeat to create the second label. Both labels must exist before Datamapper can apply them.

4.    Go to Publishing policies and select Publish label. Add both labels to the policy and assign it to the relevant Microsoft accounts (or groups).

5.    Allow up to 24 hours for the labels to propagate before they appear as available in Datamapper.


Label names must match exactly.  Datamapper looks for labels named Datamapper-risk and Datamapper-highrisk. Labels with different names or casing will not be recognized.


↗  Microsoft documentation: Create and configure sensitivity labels

Supported file types

Microsoft Purview supports automatically setting sensitivity labels on the following file types:

.docx   .docm   .xlsx   .xlsm   .xlsb   .pptx   .ppsx   .pdf

Files in other formats will still be classified in Datamapper, but no sensitivity label will be applied in OneDrive.

How it works

1.    Datamapper scans files from the configured OneDrive and Outlook account and Sharepoint sites.

2.    Files classified as risk or high-risk are checked against the available Purview labels for that account.

3.    If the matching label exists, Datamapper applies it to the file or email in its original location. No file is moved or copied.

4.    If a label is missing at the time of scanning, the file is still classified in Datamapper — but no label is applied until setup is completed for the account or site.

Datamapper scans new files daily and updates labels overnight. Once setup is completed, risk files and emails will be labeled automatically across OneDrive, Outlook and Sharepoint.


If you have any questions, do not hesitate to reach out to our Customer Success team via support@safeonline.dk 👋🏻

Still need help? Contact Us Contact Us