Business Intelligence, Data Governance, Data Security, Microsoft Certification, PL-300, Power BI

Apply Sensitivity Labels (PL-300 Exam Prep)

 
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Apply sensitivity labels

Note that there are 10 practice questions (with answers and explanations) for each topic of the exam.
There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.

Overview

Applying sensitivity labels is an important governance capability within Power BI and a tested topic in the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. Sensitivity labels help organizations classify, protect, and control the handling of data across Power BI content and the broader Microsoft ecosystem.

For the exam, you should understand what sensitivity labels are, where they come from, how and where they are applied, what they do (and do not) enforce, and how they support data governance and compliance.

What Are Sensitivity Labels?

Sensitivity labels are metadata tags used to classify data based on its level of sensitivity, such as:

  • Public
  • Internal
  • Confidential
  • Highly Confidential

They are part of Microsoft Purview Information Protection (formerly Microsoft Information Protection) and are used consistently across Microsoft services, including:

  • Power BI
  • Microsoft Excel, Word, and PowerPoint
  • SharePoint and OneDrive

Key Concept: Sensitivity labels are about data classification and protection, not row-level filtering.

Purpose of Sensitivity Labels in Power BI

Sensitivity labels help organizations:

  • Identify sensitive or regulated data
  • Apply consistent data classification standards
  • Enforce downstream protections (e.g., encryption, restrictions)
  • Improve visibility and compliance reporting
  • Reduce the risk of data leakage

From an exam perspective, labels support governance, not access control.

Where Sensitivity Labels Come From

Sensitivity labels are:

  • Defined centrally in Microsoft Purview (via the Microsoft 365 compliance portal)
  • Created and managed by security or compliance administrators
  • Made available to Power BI through tenant settings

Power BI does not create labels—it only consumes and applies them.

Power BI Items That Can Be Labeled

Sensitivity labels can be applied to:

  • Semantic models
  • Reports
  • Dashboards
  • Dataflows
  • Excel files connected to Power BI datasets

Exam Tip: Labels are applied to items, not to individual columns or rows.

How Sensitivity Labels Are Applied

Manual Application

Users can manually apply sensitivity labels:

  • In Power BI Desktop
  • In the Power BI Service

Typically:

  • A label dropdown is available
  • Users select the appropriate classification
  • The label is saved as metadata on the item

Automatic / Default Labeling (Awareness Level)

Organizations may configure:

  • Default labels for new content
  • Mandatory labeling, requiring a label before saving or publishing

These configurations are handled outside Power BI but affect user behavior inside it.

Inheritance and Propagation

Sensitivity labels can inherit and propagate across Power BI content.

Examples:

  • A report inherits the label from its semantic model
  • Exported data (e.g., to Excel) retains the sensitivity label
  • Downstream files carry the classification

Exam Focus: Labels help maintain data classification beyond Power BI.

What Sensitivity Labels Do NOT Do

This distinction is frequently tested.

Sensitivity labels:

  • ❌ Do not filter rows (that’s RLS)
  • ❌ Do not control who can open reports
  • ❌ Do not replace workspace roles or permissions

Sensitivity labels:

  • ✅ Classify content
  • ✅ Enable downstream protection
  • ✅ Support compliance and governance

Sensitivity Labels vs Other Security Features

FeaturePurpose
Workspace rolesControl who can access content
RLSRestrict which rows users can see
Object-Level SecurityHide tables or columns
Sensitivity labelsClassify and protect data

PL-300 Focus: Understand how sensitivity labels complement, not replace, other security features.

Enforcement and Protection (Conceptual Awareness)

Depending on configuration, sensitivity labels may enforce:

  • Encryption of exported files
  • Restrictions on sharing
  • Watermarking or headers in documents
  • Limited access outside the organization

In Power BI, enforcement is typically indirect, affecting data after it leaves the service.

Applying Labels in Power BI Desktop vs Service

Power BI Desktop

  • Labels can be applied during report or model development
  • Labels are published with the content

Power BI Service

  • Labels can be applied or updated after publishing
  • Admins may enforce labeling policies

Governance Best Practices

  • Use sensitivity labels consistently across content
  • Align labels with organizational data policies
  • Apply labels at the semantic model level where possible
  • Educate users on correct label usage
  • Combine labels with RLS and permissions for layered security

Common Exam Scenarios

You may be asked to determine:

  • How to classify confidential data in Power BI
  • What happens when data is exported from a labeled report
  • Whether labels restrict user access
  • Which feature supports data classification and compliance

Key Takeaways for the PL-300 Exam

  • Sensitivity labels classify data by sensitivity level
  • Labels are created in Microsoft Purview, not Power BI
  • Power BI supports applying labels to multiple item types
  • Labels propagate to downstream content
  • Sensitivity labels support governance, not row-level filtering
  • Labels complement RLS, permissions, and workspace roles

Practice Questions

Go to the Practice Questions for this topic.

Leave a comment