2.4.4. Sensitivity Labels and Endorsement
💡 First Principle: Sensitivity labels and endorsement provide metadata-level governance—like classification stamps on documents. They inform users but don't technically enforce access. Think of them as warning signs: "CONFIDENTIAL" on a folder doesn't lock the folder, but it tells people to handle it carefully.
Scenario: A lakehouse contains both public marketing data and confidential M&A information. Sensitivity labels help users understand data classification; endorsement certifies which datasets are approved for business use.
Sensitivity Labels
- Source: Microsoft Purview Information Protection
- Levels: Public, Internal, Confidential, Highly Confidential
- Purpose: Classify data by sensitivity
- Behavior: Labels can flow downstream (e.g., from lakehouse to report)
Endorsement
| Level | Meaning | Who Can Apply |
|---|---|---|
| Promoted | Recommended for wider use | Item owner |
| Certified | Officially approved as authoritative | Designated certifiers |
| No endorsement | Default state | N/A |
Label Inheritance and Downstream Flow
Sensitivity labels can automatically propagate to downstream items:
Lakehouse (Confidential) → Dataflow → Semantic Model → Report
└── Label flows downstream automatically ──────────┘
| Source Item | Derived Item | Label Behavior |
|---|---|---|
| Lakehouse | Report built on it | Inherits label |
| Semantic Model | Dashboard | Inherits label |
| Multiple sources | Combined report | Highest sensitivity wins |
When to Use Sensitivity Labels vs. Endorsement
| Goal | Use This | Why |
|---|---|---|
| Classify data sensitivity | Sensitivity Label | Indicates handling requirements |
| Mark data as production-ready | Certified endorsement | Indicates data quality/approval |
| Recommend a dataset for use | Promoted endorsement | Guides users to preferred sources |
| Enforce access restrictions | RLS/CLS/Workspace roles | Labels don't enforce—they inform |
⚠️ Exam Trap: Sensitivity labels are informational—they rely on users respecting the classification. Technical enforcement requires RLS, CLS, or workspace permissions. Don't confuse labels with access control.
⚠️ Common Pitfall: Assuming "Certified" means "secure." Certification indicates data quality and approval, not security classification. A dataset can be Certified but still Public, or Confidential but not yet Certified.
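The two rules above that are easiest to get wrong on the exam are the inheritance rule (a derived item takes its upstream label, and the highest sensitivity wins when several sources feed it) and the enforcement rule (a label never restricts access; RLS, CLS or workspace roles do). The following Python block is an added worked model of both rules, not Fabric's or Purview's own code. The lineage graph, applied labels, endorsement states and enforcement records are constructed sample data, and the item names and function names are assumptions made for the example.

```python
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered label levels from the page; higher value = more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3


# Constructed lineage: item -> upstream items it is derived from.
# Mirrors Lakehouse -> Dataflow -> Semantic Model -> Report, plus a report
# that combines a public model with a confidential lakehouse.
LINEAGE = {
    "mkt_lakehouse": [],
    "ma_lakehouse": [],
    "mkt_dataflow": ["mkt_lakehouse"],
    "mkt_model": ["mkt_dataflow"],
    "mkt_report": ["mkt_model"],
    "combined_report": ["mkt_model", "ma_lakehouse"],
}

# Labels explicitly applied at the source items (constructed sample data).
APPLIED_LABELS = {
    "mkt_lakehouse": Sensitivity.PUBLIC,
    "ma_lakehouse": Sensitivity.CONFIDENTIAL,
}

# Endorsement is a separate axis from the label (constructed sample data).
ENDORSEMENT = {"mkt_report": "Promoted", "combined_report": "Certified"}

# Items that actually have a technical control configured (constructed).
# Labels are deliberately absent here: they inform, they do not enforce.
ENFORCEMENT = {"ma_lakehouse": ["Workspace roles"]}


def effective_label(item, lineage=LINEAGE, applied=APPLIED_LABELS, _path=frozenset()):
    """Label an item carries after downstream inheritance, per the page's rules.

    An explicitly applied label is used as-is. Otherwise the item inherits
    from its sources, and when several labelled sources feed it the highest
    sensitivity wins. Returns None when nothing upstream is labelled.
    """
    if item in applied:
        return applied[item]
    if item in _path:
        raise ValueError(f"lineage cycle at {item}")
    upstream = [
        effective_label(src, lineage, applied, _path | {item})
        for src in lineage.get(item, [])
    ]
    labelled = [lbl for lbl in upstream if lbl is not None]
    return max(labelled) if labelled else None


def governance_summary(item):
    """Show label, endorsement and enforcement side by side for one item.

    'Certified' does not imply a security classification, and a
    Confidential label does not imply any access control exists.
    """
    return {
        "label": effective_label(item),
        "endorsement": ENDORSEMENT.get(item, "No endorsement"),
        "enforced_by": ENFORCEMENT.get(item, []),
    }


def unenforced_sensitive_items(threshold=Sensitivity.CONFIDENTIAL):
    """Audit check: items whose effective label is at or above the threshold
    but which have no RLS/CLS/workspace-role control recorded. These are the
    places where the 'warning sign' is the only protection."""
    findings = []
    for item in LINEAGE:
        lbl = effective_label(item)
        if lbl is not None and lbl >= threshold and not ENFORCEMENT.get(item):
            findings.append(item)
    return sorted(findings)


if __name__ == "__main__":
    for name in LINEAGE:
        print(name, governance_summary(name))
    print("sensitive but unenforced:", unenforced_sensitive_items())
```

Running it shows `combined_report` ending up Confidential (the M&A lakehouse outranks the public marketing model) while also being Certified, and the audit lists it as Confidential with no enforcement behind the label, which is exactly the situation the two pitfalls above describe.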