This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections:
Maintain a data analytics solution
--> Implement security and governance
--> Apply sensitivity labels to items
To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric
Sensitivity labels are a data protection and governance feature in Microsoft Fabric that help organizations classify, protect, and control the handling of sensitive data. They integrate with Microsoft Purview Information Protection and extend data protection consistently across Fabric, Power BI, and Microsoft 365.
For the DP-600 exam, you should understand what sensitivity labels are, how they are applied, what they affect, and how they differ from access controls.
What Are Sensitivity Labels?
Sensitivity labels:
- Classify data based on confidentiality and business impact
- Travel with the data across supported services
- Can trigger protection behaviors, such as encryption or usage restrictions
Common label examples include:
- Public
- Internal
- Confidential
- Highly Confidential
Labels are organizationally defined and managed centrally.
Where Sensitivity Labels Come From
Sensitivity labels in Fabric are:
- Created and managed in Microsoft Purview
- Defined at the tenant level by security or compliance administrators
- Made available to Fabric and Power BI through tenant settings
Fabric users apply labels, but typically do not define them.
Items That Can Be Labeled in Microsoft Fabric
Sensitivity labels can be applied to many Fabric items, including:
- Semantic models (datasets)
- Reports
- Dashboards
- Dataflows
- Lakehouses and Warehouses (where supported)
- Exported artifacts (Excel, PowerPoint, PDF)
This makes labeling a cross-workload governance mechanism.
How Sensitivity Labels Are Applied
Labels can be applied:
- Manually by item owners or authorized users
- Automatically through inherited labeling
- Programmatically via APIs (advanced scenarios)
Label Inheritance
In many cases:
- Reports inherit the label from their underlying semantic model
- Dashboards inherit labels from pinned tiles
- Exported files inherit the label of the source item
This inheritance model is frequently tested in exam scenarios.
What Sensitivity Labels Do (and Do Not Do)
What they do:
- Classify data for compliance and governance
- Enable protection such as:
- Encryption
- Watermarking
- Usage restrictions (e.g., block external sharing)
- Travel with data when exported or shared
What they do NOT do:
- Grant or restrict user access
- Replace workspace, item-level, or data-level security
- Filter rows or columns
Key exam distinction:
Sensitivity labels protect data after access is granted.
Sensitivity Labels vs Endorsements
These two concepts are often confused on exams.
| Feature | Sensitivity Labels | Endorsements |
| Purpose | Data protection | Trust and quality |
| Enforced | Yes | No |
| Affects behavior | Yes (encryption, sharing rules) | No |
| Security-related | Yes | Governance guidance |
Governance and Compliance Benefits
Sensitivity labels support:
- Regulatory compliance (e.g., GDPR, HIPAA)
- Data loss prevention (DLP)
- Auditing and reporting
- Consistent handling of sensitive data across platforms
They are especially important in environments with:
- Self-service analytics
- Data exports to Excel or PowerPoint
- External sharing scenarios
Common Exam Scenarios
You may see questions such as:
- A report exported to Excel must remain encrypted → sensitivity label
- Data should be classified as confidential but still shared internally → labeling, not access restriction
- Users can view data but cannot share externally → label-driven protection
- A report automatically inherits its dataset’s classification → label inheritance
Best Practices to Remember
- Apply labels at the semantic model level to ensure inheritance
- Use sensitivity labels alongside:
- Workspace and item-level access controls
- RLS and CLS
- Endorsements
- Review labeling regularly to ensure accuracy
- Educate users on selecting the correct label
Key Exam Takeaways
- Sensitivity labels classify and protect data
- They are defined in Microsoft Purview
- Labels can enforce encryption and sharing restrictions
- Labels do not control access
- Inheritance behavior is important for DP-600 questions
Exam Tips
- If a question focuses on classifying, protecting, or controlling how data is shared after access, think sensitivity labels.
- If it focuses on who can see the data, think security roles or permissions.
- Expect scenario questions involving:
- PII, financial data, or confidential data
- Export restrictions
- Label inheritance
- Know the difference between:
- Security (RLS, OLS, item access)
- Governance & compliance (sensitivity labels)
- Always associate sensitivity labels with Microsoft Purview
Practice Questions
Question 1 (Single choice)
What is the PRIMARY purpose of applying sensitivity labels to items in Microsoft Fabric?
A. Improve query performance
B. Control row-level data access
C. Classify and protect data based on sensitivity
D. Grant workspace permissions
Correct Answer: C
Explanation:
Sensitivity labels are used for data classification, protection, and governance, not for performance or access control.
Question 2 (Scenario-based)
Your organization requires that all reports containing customer PII automatically display a watermark and restrict external sharing. What feature enables this?
A. Row-level security
B. Sensitivity labels with protection settings
C. Item-level access controls
D. Conditional access policies
Correct Answer: B
Explanation:
Sensitivity labels can apply visual markings, encryption, and sharing restrictions when integrated with Microsoft Purview.
Question 3 (Multi-select)
Which Fabric items can have sensitivity labels applied? (Select all that apply.)
A. Power BI reports
B. Semantic models
C. Lakehouses and warehouses
D. Notebooks
Correct Answers: A, B, C, D
Explanation:
Sensitivity labels can be applied to most Fabric artifacts, enabling consistent governance across analytics assets.
Question 4 (Scenario-based)
A semantic model inherits a sensitivity label from its underlying data source. What does this behavior represent?
A. Manual labeling
B. Label inheritance
C. Workspace-level labeling
D. Object-level security
Correct Answer: B
Explanation:
Label inheritance ensures that downstream artifacts maintain appropriate sensitivity classifications automatically.
Question 5 (Single choice)
Which service must be configured to define and manage sensitivity labels used in Microsoft Fabric?
A. Azure Active Directory
B. Microsoft Defender
C. Microsoft Purview
D. Power BI Admin portal
Correct Answer: C
Explanation:
Sensitivity labels are defined and managed in Microsoft Purview, then applied across Microsoft Fabric and Power BI.
Question 6 (Scenario-based)
A report is labeled Highly Confidential, but a user attempts to export its data to Excel. What is the expected behavior?
A. Export always succeeds
B. Export is blocked or encrypted based on label policy
C. Export ignores sensitivity labels
D. Only row-level security applies
Correct Answer: B
Explanation:
Sensitivity labels can restrict exports, apply encryption, or enforce protection based on policy.
Question 7 (Multi-select)
Which actions can sensitivity labels enforce? (Select all that apply.)
A. Data encryption
B. Watermarks and headers
C. External sharing restrictions
D. Row-level filtering
Correct Answers: A, B, C
Explanation:
Sensitivity labels control protection and compliance, not data filtering.
Question 8 (Scenario-based)
You apply a sensitivity label to a lakehouse. Which downstream artifact is MOST likely to automatically inherit the label?
A. A Power BI report built on the semantic model
B. A notebook in a different workspace
C. An external CSV export
D. An Azure SQL Database
Correct Answer: A
Explanation:
Label inheritance flows through Fabric analytics artifacts, especially semantic models and reports.
Question 9 (Single choice)
Who is typically allowed to apply or change sensitivity labels on Fabric items?
A. Any workspace Viewer
B. Only Microsoft admins
C. Users with sufficient item permissions
D. External users
Correct Answer: C
Explanation:
Users must have appropriate permissions (Contributor/Owner or item-level rights) to apply labels.
Question 10 (Scenario-based)
Your compliance team wants visibility into how sensitive data is used across Fabric. Which feature supports this requirement?
A. Query caching
B. Audit logs
C. Sensitivity labels with Purview reporting
D. Direct Lake mode
Correct Answer: C
Explanation:
Sensitivity labels integrate with Microsoft Purview reporting and auditing for compliance and governance tracking.
The Data Community 
One thought on “Apply sensitivity labels to items in Microsoft Fabric”