Read Microsoft Purview/MIP sensitivity labels at M365 ingest + a client-side DLP egress gate (Layer 1 — honor the client's existing classification)

task-purview-sensitivity-label-ingest-gate

task · confidence: inferred · status: backlog · 2026-06-19 · owner: ingestion-engineer
source: log-auditor — surfaced recording 0059-untrusted-by-default-ingestion-serve-boundary (research §4, the Layer-1 client-edge/M365 controls). Board globbed before filing — no open task covered M365/Purview sensitivity-label ingest or a client-side DLP egress gate (the Microsoft365Connector is a reserved stub per DEC-0013; this is its security/classification layer).

Purview/MIP sensitivity-label read at M365 ingest + client-side DLP egress gate

Layer-1 of the DEC-0059 boundary: honor the client's existing classification at the M365 source, gating egress before bytes leave their environment.

The capability

  • Read labels at ingest — Graph extractSensitivityLabels (GA; needs only Files.Read.All; returns sensitivityLabelId/assignmentMethod/tenantId); resolve the taxonomy via GET .../sensitivityLabels + extractLabel/extractContentLabel.
  • Detect without the MIP SDK where possible — labels persist as clear-text MSIP_Label_{GUID}_* custom document properties (MSIP_Label_{GUID}_Enabled = true is the canonical "is-classified" signal) — but only for unencrypted, non-co-authored files; RMS/IRM-encrypted files need the MIP SDK.
  • Incremental sync — Graph delta query (deltaLink/nextLink; delta tokens expire after 7 days; HTTP 410 Gone → full resync).
  • Client-side DLP egress block — a Purview DLP rule using a sensitivity label as a condition can enforce block, not just warn.

The load-bearing caveat — L1 cannot stand alone

Microsoft itself states that "DLP's ability to detect sensitivity labels in SharePoint and OneDrive is limited" (pre-enablement labels, DKE or password-protected files, encrypted Office files over 12 MB, images, zip contents). Layer 1 therefore requires the Layer-2 detector backstop (Detector ensemble at the ingestion boundary with a MEASURED F2/recall target: Presidio recall-tuned + custom "P2" recognizers + cloud DLP; measure detection, don't trust it), so that an unlabeled or undetectable file still hits Dossier's own detection.

Why a task, not a fix-in-place

The Microsoft365Connector is a reserved stub (Ingestion connector seam — assemble, don't build, and ingestion owns the input contract); this is its classification/security layer — real Graph integration + a DLP gate, owner judgment + code. Detail + citations: research/2026-06-18-sensitive-data-and-injection-defense.md §4. confidence: inferred (agent-filed from DEC-0059).