This post is a part of the DP-700: Implementing Data Engineering Solutions Using Microsoft Fabric Exam Prep Hub.
This topic falls under these sections:
Implement and manage an analytics solution (30–35%)
   --> Configure security and governance
      --> Apply sensitivity labels to items

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 2 practice tests with 60 questions each available from the hub's main page below the exam topics section.

Introduction

Data is one of an organization’s most valuable assets, and not all data carries the same level of sensitivity. Some information can be shared broadly across the organization, while other information must be protected due to regulatory, legal, contractual, or business requirements.

Examples include:

• Financial reports
• Employee records
• Customer information
• Healthcare data
• Intellectual property
• Confidential business plans

Microsoft Fabric integrates with Microsoft Information Protection (MIP) and Microsoft Purview sensitivity labels, enabling organizations to classify and protect data assets throughout their lifecycle.

Sensitivity labels help users understand the importance of data, enforce governance policies, and support compliance initiatives. They can be applied to many Fabric items, including reports, semantic models, dashboards, and other assets.

For the DP-700 exam, it is important to understand what sensitivity labels are, how they work, how they are applied, and how they differ from other security mechanisms such as Row-Level Security (RLS), Object-Level Security (OLS), and workspace permissions.

What Are Sensitivity Labels?

A sensitivity label is a classification tag that identifies the sensitivity level of data or content.

Examples include:

Organizations can create custom sensitivity labels to align with their governance policies.

Purpose of Sensitivity Labels

Sensitivity labels help organizations:

• Classify data consistently
• Protect sensitive information
• Improve data governance
• Support regulatory compliance
• Enable data discovery
• Increase user awareness
• Reduce accidental data exposure

Sensitivity labels serve as both a classification mechanism and, in some scenarios, a protection mechanism.

Sensitivity Labels in Microsoft Fabric

Microsoft Fabric integrates with Microsoft Purview Information Protection.

This integration allows labels to be applied to Fabric assets and propagated through data workflows.

Examples of Fabric items that can support sensitivity labels include:

• Reports
• Semantic Models
• Dashboards
• Data Warehouses
• Lakehouses
• Notebooks
• Dataflows
• Other supported Fabric artifacts

How Sensitivity Labels Work

A sensitivity label is associated with an item.

Example:

Executive Financial Report
Label: Highly Confidential

Users accessing the item can immediately identify its classification level.

The label travels with the item and may also propagate to downstream artifacts depending on organizational policies and supported scenarios.

Common Sensitivity Label Classifications

Public

Data intended for unrestricted access.

Examples:

• Public website content
• Marketing brochures
• Published documentation

General

Data intended for internal use.

Examples:

• Departmental reports
• Internal project tracking

Confidential

Data requiring controlled access.

Examples:

• Financial reports
• Customer information
• Internal analytics

Highly Confidential

Data requiring strict protection.

Examples:

• Payroll information
• Acquisition plans
• Executive strategy documents

Restricted

Data requiring maximum protection.

Examples:

• Legal investigations
• Security credentials
• Highly regulated information

Applying Sensitivity Labels

Sensitivity labels can be applied manually or automatically depending on organizational configurations.

Manual Labeling

Users select the appropriate label.

Example:

Report
 ↓
Apply Label
 ↓
Confidential

Manual labeling is commonly used when users understand the business context of the data.

Automatic Labeling

Organizations may configure policies that automatically apply labels based on:

• Sensitive information types
• Data patterns
• Business rules
• Compliance requirements

Example:

Contains Credit Card Data
           ↓
Apply Highly Confidential

Label Inheritance and Propagation

One of the most important DP-700 exam topics related to sensitivity labels is inheritance.

Labels may propagate from source items to downstream artifacts.

Example:

Lakehouse
(Confidential)
      ↓
Semantic Model
      ↓
Report

The downstream item may inherit the sensitivity label from its source.

This helps maintain governance consistency throughout the analytics lifecycle.

Benefits of Label Propagation

Without propagation:

Sensitive Data
       ↓
Unlabeled Report

Risk:

Users may unknowingly share sensitive information.

With propagation:

Sensitive Data
       ↓
Confidential Report

Users are immediately aware of the sensitivity level.

Sensitivity Labels vs Security Permissions

This distinction is frequently tested on certification exams.

Example:

A report may be labeled:

Highly Confidential

But unless appropriate permissions exist, the label alone does not automatically prevent access.

Sensitivity Labels vs Row-Level Security

Example:

RLS:

East Manager
↓
East Region Rows Only

Sensitivity Label:

Confidential Report

Both can be used together.

Sensitivity Labels vs Dynamic Data Masking

Example:

Label:

Highly Confidential

Masking:

XXXX-XXXX-1234

Sensitivity Labels and Compliance

Sensitivity labels play an important role in compliance initiatives such as:

• GDPR
• HIPAA
• PCI DSS
• SOX
• Internal governance programs

They help organizations:

• Identify sensitive assets
• Demonstrate governance controls
• Improve audit readiness

Sensitivity Labels and Microsoft Purview

Microsoft Purview provides centralized governance capabilities.

Organizations can use Purview to:

• Define sensitivity labels
• Publish labels
• Manage classification policies
• Track protected content
• Support compliance reporting

Fabric integrates with these governance capabilities.

Real-World Scenarios

Scenario 1

A finance report contains quarterly earnings information.

Solution:

Apply a Confidential sensitivity label.

Scenario 2

A payroll dataset contains salary and compensation data.

Solution:

Apply a Highly Confidential sensitivity label.

Scenario 3

A public product catalog is intended for external customers.

Solution:

Apply a Public label.

Scenario 4

A report inherits data from a Confidential semantic model.

Result:

The report may inherit the Confidential label through label propagation.

Best Practices

Establish a Clear Classification Framework

Create standardized labels such as:

• Public
• General
• Confidential
• Highly Confidential

Use Consistent Labeling

Apply labels consistently across Fabric assets.

Leverage Label Propagation

Allow downstream artifacts to inherit labels when appropriate.

Train Users

Ensure users understand:

• Label meanings
• Sharing responsibilities
• Governance requirements

Combine Labels with Security Controls

Use labels alongside:

• Workspace permissions
• Item permissions
• Row-Level Security
• Object-Level Security
• Dynamic Data Masking

Review Labels Regularly

Data classifications may change over time.

DP-700 Exam Focus Areas

You should understand:

✓ Sensitivity label concepts

✓ Microsoft Purview integration

✓ Classification levels

✓ Manual labeling

✓ Automatic labeling

✓ Label inheritance

✓ Label propagation

✓ Governance benefits

✓ Compliance scenarios

✓ Sensitivity labels versus security permissions

✓ Sensitivity labels versus RLS

✓ Sensitivity labels versus Dynamic Data Masking

Practice Exam Questions

Question 1

What is the primary purpose of a sensitivity label in Microsoft Fabric?

A. To classify and identify the sensitivity level of data

B. To encrypt data at rest

C. To filter rows of data

D. To assign workspace roles

Answer: A

Explanation

Sensitivity labels classify data according to its sensitivity and governance requirements. They are primarily used for data classification and protection awareness.

Question 2

Which Microsoft service provides the sensitivity labeling framework used by Microsoft Fabric?

A. Microsoft Purview

B. Microsoft Defender

C. Microsoft Sentinel

D. Azure Key Vault

Answer: A

Explanation

Microsoft Fabric integrates with Microsoft Purview Information Protection to provide sensitivity labeling capabilities.

Question 3

A company wants reports containing payroll information to be clearly identified as highly sensitive.

Which feature should be used?

A. Dynamic Data Masking

B. Row-Level Security

C. Sensitivity Labels

D. Deployment Pipelines

Answer: C

Explanation

Sensitivity labels classify and identify the sensitivity level of data assets such as payroll reports.

Question 4

What is label propagation?

A. Automatic workspace creation

B. Automatic dataset refresh

C. Automatic role assignment

D. Automatic inheritance of sensitivity labels to downstream items

Answer: D

Explanation

Label propagation helps maintain consistent governance by carrying sensitivity classifications to derived artifacts.

Question 5

Which statement best describes the relationship between sensitivity labels and security permissions?

A. Sensitivity labels replace security permissions.

B. Security permissions automatically create labels.

C. Sensitivity labels classify data, while permissions control access.

D. Sensitivity labels filter rows of data.

Answer: C

Explanation

Labels provide classification and governance context, while permissions determine who can access resources.

Question 6

A report inherits data from a semantic model labeled Confidential.

What may happen if label propagation is enabled?

A. The report may inherit the Confidential label.

B. The report becomes encrypted automatically.

C. The report is deleted after publication.

D. Workspace permissions are removed.

Answer: A

Explanation

Label propagation can automatically apply inherited classifications to downstream assets.

Question 7

Which classification would generally represent the highest level of protection?

A. Public

B. General

C. Confidential

D. Highly Confidential

Answer: D

Explanation

Highly Confidential labels are typically used for the most sensitive business information.

Question 8

Which statement about sensitivity labels is correct?

A. They filter records based on user identity.

B. They hide columns from users.

C. They help classify and govern data assets.

D. They assign workspace roles.

Answer: C

Explanation

Sensitivity labels primarily support classification, governance, and compliance initiatives.

Question 9

A company wants to automatically classify files containing credit card information.

Which capability supports this requirement?

A. Automatic sensitivity labeling

B. Dynamic Data Masking

C. Workspace Viewer permissions

D. Object-Level Security

Answer: A

Explanation

Automatic labeling policies can identify sensitive information patterns and apply appropriate labels.

Question 10

Why should sensitivity labels be combined with security controls?

A. Labels automatically replace encryption.

B. Labels alone do not control access to data.

C. Labels remove the need for governance policies.

D. Labels prevent all data leakage scenarios.

Answer: B

Explanation

Sensitivity labels provide classification and governance information, but access controls such as permissions, RLS, and masking are still required to secure data.

Exam Tip

A common DP-700 exam challenge is distinguishing classification technologies from access control technologies.

Remember:

If the question focuses on identifying, classifying, labeling, governing, or tracking sensitive data, the correct answer is often Sensitivity Labels rather than a traditional security control.

Go to the DP-700 Exam Prep Hub main page.