How to Identify Sensitive Information Types in Office 365

Post Date: 10/28/2020

Learn more about data security with our free webinar “Protecting Sensitive Data in Office 365 at the Team and Data Levels.”


Less than a year ago, most organizations I spoke with had a plan to tackle compliance at some point or another, but very few of them were fast-tracking these projects. Unfortunately, the research and time required to understand and then develop compliance policies for how each business unit of an organization sources information, creates information, manages the life cycle of that information, and handles the subsequent end-of-life process for that information is not something most organizations have planned for.

As the calendar year closes out in roughly two months, the number of organizations reaching out for compliance conversations has aggressively spiked. Many organizations are finding it difficult to know how or where to even start, and adding the rapid deployment of a primarily remote workforce on top of everything else that has transpired this year layers on complexity most business units are not familiar with.


Thankfully, Microsoft has made it easy to lay the foundation for any organization to begin discovering where their sensitive data resides through the Office 365 Security and Compliance Center.

What is a Sensitive Information Type?

A sensitive information type is defined by a pattern that can be identified by a regular expression or a function. Corroborative evidence such as keywords and checksums can be used to identify a sensitive information type. Confidence level and proximity are also used in the evaluation process.
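The evaluation described above, sketched as an added example (not Microsoft's rule engine and not code from the original post): a regex pattern, a Luhn checksum, and keyword evidence within a proximity window combine into a confidence level. The keyword list, the 300-character window and the 85/65 confidence values are assumptions chosen for illustration.

```python
import re

# Assumed values for illustration; these are not Microsoft's rule definitions.
PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16-digit card-like number
KEYWORDS = ("credit card", "card number", "visa", "expiry", "cvv")
PROXIMITY = 300          # characters searched on either side of the match
HIGH, LOW = 85, 65       # confidence with / without corroborating keyword


def luhn_ok(digits: str) -> bool:
    """Checksum evidence: Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return (digits, confidence) for each match that passes the checksum."""
    hits = []
    lowered = text.lower()
    for m in PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue         # pattern matched, but the checksum rejects it
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        confidence = HIGH if any(k in window for k in KEYWORDS) else LOW
        hits.append((digits, confidence))
    return hits


# Constructed sample documents; 4111 1111 1111 1111 is a common test number.
SAMPLES = {
    "invoice": "Customer paid by credit card 4111 1111 1111 1111 on file.",
    "no_keyword": "Reference 4111-1111-1111-1111 logged at 09:14.",
    "bad_checksum": "Card number 4111 1111 1111 1112 was declined.",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, find_card_numbers(doc))
```

The third sample shows why the checksum matters: the pattern and a keyword are both present, yet the number is rejected, which is how corroborative evidence cuts false positives.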

What does this mean for your organization? This means that even the smallest IT teams can begin surfacing sensitive information across many services in Microsoft 365.


How to Get Started

The first step is to identify which regulations or information privacy frameworks the organization needs to comply with. Next, you’ll want to focus on determining which sensitive data types you want to scan for. Some organizations simply need to look for Payment Card Information or Personal Identifying Information across one service like SharePoint Online, while others need to scan for multiple sensitive information types such as US Social Security Numbers, U.S. Driver’s License Number, US Bank Account Numbers, and US Passport Numbers across several supported services.

Let’s look at several predefined sensitive info types already available in the Office 365 Security and Compliance Center, along with creating a custom sensitive information type to scan for keywords and phrases.

1. Where is the Office 365 Security and Compliance Center:


2. What’s already provided:


3. Create a custom sensitive information type:


4. Let’s create a custom sensitive type to scan for keywords and phrases. You can use a wordlist, regex, or dictionary:


5. Click Finish:

6. Test:

7. Upload a simple document with a few known pieces of sensitive information for quick results:

8. Confirm the hits:

Now that we have explored how approachable defining sensitive information is, from using the predefined sensitive information types to quickly defining keywords or phrases, there should be nothing stopping you from being a compliance champion. There are many types of sensitive information, and it is up to you to determine what is most important for your organization to focus on.


For more on security in Office 365 be sure to subscribe to our blog!
