What is data classification?
Also known as
Definition
Data classification is the practice of organizing content into categories based on its sensitivity, business value, or regulatory requirements. That way, you know which content needs stronger protection, longer retention, tighter access, or special handling before a migration or a Copilot rollout.
Classification starts with a decision about categories: what makes something public, internal, confidential, or highly confidential at your organization? Once that's defined, you can manage content according to its actual value and risk level instead of applying the same controls to everything. Over-restrict and users route around you. Under-restrict and sensitive data ends up where it shouldn't. Classification is what lets you tell the difference.
tip
A classification scheme your users can't apply consistently is worse than no scheme at all. Microsoft's own model uses just four levels: Public, General, Confidential, and Highly Confidential. Start there before building something more complex.
Why it matters
Without classification, you're stuck choosing between over-restricting everything and blocking legitimate work, or under-restricting and leaving sensitive content exposed. Here's where that matters.
- AI readiness: Unclassified sensitive content has no protection layer. Copilot doesn't know what's sensitive unless your governance does. Classification is what makes AI outputs trustworthy.
- Governance & security: You can't protect what you haven't identified. Without classification, sensitive content gets the same controls as everything else or none at all.
- Migration: Sensitive content needs special handling before it moves. Without classification, you don't know what that is and it carries over with the wrong protections or none.
Commonly confused with: Sensitivity labels
Classification is the decision: this content is confidential.
A sensitivity label is how you act on that decision: applying encryption, restricting sharing, or enforcing DLP.
You can classify content without applying a label, but a label without a classification scheme behind it is just a sticker.
What we see out there
No standards. No process. Copilot exposed it.
Organizations describe having no standards or process around labeling and classifying data. Copilot made that visible fast. What was a backlog item became an urgent project the moment AI started surfacing content based on whatever permissions existed.
Starting too complex.
Classification schemes that started with good intentions get too granular too fast. When users can't tell the difference between Confidential and Highly Confidential in their day-to-day work, they stop classifying. Or they classify everything the same way.
Frequently asked questions
How many classification levels should we use?
As few as possible while still covering your actual risk. Microsoft's own classification model uses four: Public, General, Confidential, and Highly Confidential. That's a good baseline for most organizations. Every level you add is another decision point that slows adoption. And over-restricting is a risk too. When users can't work within the classification scheme, they route around it and use unapproved tools instead. The goal is a scheme your users can apply consistently without asking IT every time.
Who classifies content?
IT defines the classification scheme and the policies. Users apply labels when creating or sharing content. Auto-labeling policies apply labels automatically when Purview detects sensitive information types, like a credit card number in a document. The more you automate labeling, the more consistently your classification scheme gets applied across the environment.
How does classification affect Copilot?
Classification doesn't directly control what Copilot can surface—permissions and sensitivity labels do. But classification is what drives those decisions. If you know which content is confidential, you can apply the right label with encryption, and Copilot will enforce it: users need both VIEW and EXTRACT usage rights to interact with encrypted content. If content was never classified, it probably has no label and no extra protection. Copilot surfaces what users can access. Unclassified, broadly accessible content is exactly what creates unexpected exposure.
What changes during a migration?
Most organizations discover during a migration that large amounts of content have never been classified. Files in inactive sites, old project folders, shared drives that nobody manages—none of it has been reviewed or categorized. A migration is the forcing function that makes that visible. It's also the best moment to fix it, before unclassified content lands in the target tenant and the problem starts over.


