The challenge
In today’s data-driven world, ensuring the safety and privacy of sensitive information is more critical than ever. As organisations grapple with increasing volumes of data and evolving regulatory requirements, tools like Microsoft Purview’s Auto-Labelling feature play a vital role in maintaining compliance and safeguarding information.
Many organisations have valid concerns about data privacy during auto-labelling, particularly regarding the content inspection process. Questions like “Is my data being accessed by unauthorised entities?” or “Is a copy stored outside its original location?” are common across all levels. These concerns highlight the need for transparency and trust in solutions like Microsoft Purview.
When Microsoft Purview’s auto-labelling service scans data at rest—such as files stored in SharePoint Online or OneDrive for Business—the underlying process is carefully designed to maintain data security and compliance. The following outlines how and where the data is processed, as well as its residency during the analysis phase.
Where does the data go after retrieval? Where is it parsed?
The data is retrieved and parsed entirely within Microsoft 365’s cloud infrastructure, in the same Microsoft datacentre region where your tenant’s data resides. It never leaves Microsoft’s secured cloud boundary.
Here’s the step-by-step breakdown
- Content retrieval happens within Microsoft 365’s internal service boundary — the scanning service (part of Microsoft Purview Information Protection) accesses the files directly via SharePoint Online’s or OneDrive for Business’s APIs.
- Once the file is retrieved, the file content is passed in-memory (not persisted externally) to the Microsoft Information Protection (MIP) classification engine, which is a cloud-based service running within Microsoft’s compliance infrastructure.
- Parsing (text extraction) and content analysis both happen within Microsoft’s cloud compute environment, inside Microsoft’s compliance service tier that’s designed to process and classify tenant data. The content is not exported or copied to an external scanning environment.
- The analysed data is held transiently in system memory or encrypted storage containers scoped to the analysis process — it is never written to long-term storage outside of the original document unless labelling metadata or encryption is to be applied directly into the file.
In short: the data never leaves the Microsoft 365 environment or moves to a different physical or logical storage location outside Microsoft 365’s compliance boundary. It is scanned “in place” (logically), but processed by a cloud-based service operating against a copy pulled at read time from SharePoint/OneDrive storage into the compliance service for analysis. The file itself remains stored in its original repository (SharePoint Online or OneDrive for Business document library). There’s no separate, external database of parsed content.
What about data residency & compliance?
Importantly:
- All scanning, parsing, and classification processes occur within the Microsoft 365 compliance boundary for your tenant’s region.
- Data is not moved across geographic regions or into external services.
- The services performing this analysis are governed by the same compliance, privacy, and data protection guarantees as the rest of Microsoft 365.
Analogy
It’s similar to how Microsoft Search indexes files: the system retrieves a file from SharePoint/OneDrive storage into a cloud-based indexer running in the same service boundary, parses it in memory, builds the necessary metadata or classification insights, and then disposes of the working copy. The file stays in its repository; the scan process is a transient, internal operation.
Key takeaway
Parsing and analysis are conducted entirely within Microsoft’s cloud-based compliance services, operating strictly within the same tenant region and compliance boundary. The process uses transient, in-memory working copies retrieved at runtime from the original file repositories—such as SharePoint or OneDrive. These temporary copies exist only within the processing space of the Microsoft Information Protection (MIP) scanning engine, ensuring that data remains secure and contained throughout the inspection process.
Feel free to contact us at contact@infotechtion.com if you need any help configuring similar scenarios.
