1.4.4. Sensitivity Labels and Endorsement
💡 First Principle: Sensitivity labels and endorsement provide metadata-level governance—like classification stamps on documents. They inform users but don't technically enforce access. Think of them as warning signs: "CONFIDENTIAL" on a folder doesn't lock the folder, but it tells people to handle it carefully.
Scenario: A lakehouse contains both public marketing data and confidential M&A information. Sensitivity labels help users understand data classification; endorsement certifies which datasets are approved for business use.
Sensitivity Labels
- Source: Microsoft Purview Information Protection
- Levels: Public, Internal, Confidential, Highly Confidential
- Purpose: Classify data by sensitivity
- Behavior: Labels can flow downstream (e.g., from lakehouse to report)
Endorsement
| Level | Meaning | Who Can Apply |
|---|---|---|
| Promoted | Recommended for wider use | Item owner |
| Certified | Officially approved as authoritative | Designated certifiers |
| No endorsement | Default state | N/A |
⚠️ Exam Trap: Sensitivity labels are informational—they rely on users respecting the classification. Technical enforcement requires RLS, CLS, or workspace permissions. Don't confuse labels with access control.
