Exploring a built-in Sensitive Info Types in Microsoft Purview – Part 8 – Cloud Build

Reading Time: 5 minutes

Thank you for continuing to follow along with the Microsoft Purview blog post series. If you missed any of the previous posts, you can find them listed below:

Part 1: Introduction to Microsoft Purview
Part 2: Microsoft Purview Portal
Part 3: Microsoft Purview Roles and Scopes
Part 4: Turn on audit logs in Microsoft Purview
Part 5: Microsoft Purview Device Onboarding
Part 6: Enable Insider Risk Analytics in Microsoft Purview
Part 7: Microsoft Purview Information Protection

Continuing from Part 7, where I provided an overview of Sensitive Information Types (SITs), in this blog post I explore the built-in Sensitive Info Types available in Microsoft Purview. In Part 9, I’ll demonstrate how to create a custom type from scratch.

1. Access the Microsoft Purview portal at purview.microsoft.com
2. Click Solutions from the left pane and then click Information Protection

3. From the left pane expand classifiers and click Sensitive info types

4. As explained in the previous post, Microsoft Purview offers a wide range of built-in Sensitive Information Types (SITs) that organisations can use to detect various kinds of sensitive data, such as financial information, personal identifiers, health records, and contact details. (Click the image to enlarge)

5. Explore a few of the built-in Sensitive Information Types (SITs). In this example, I’ve searched for and selected the Credit Card SIT.

6. Click on the Credit Card SIT to open its details.

7. This Credit Card SIT (Sensitive Info Type) displays a few details, which are read-only and cannot be edited.

Click the image below for a visual explanation.

8. As mentioned above, built-in SITs cannot be edited or fully viewed, their internal configuration is locked. To explore how they work, I’ll copy the Credit Card SIT and inspect the cloned version.

Click ‘Copy’ to clone the SIT.

Note: Click once and wait. Cloning may take up to 30 seconds. You’ll receive a notification once the process has completed.

9. Click ‘Yes’ to begin editing the cloned Sensitive Information Type.

10. Click Next

11. The two patterns identified in step 7 earlier should now be clearer.

Pattern 1 includes a primary element, the credit card number, and supporting elements such as CVC number, credit card name, and expiry date. When these elements are detected together, the likelihood of identifying a valid credit card is significantly higher.

Pattern 2 has a low confidence level because it only detects a credit card number on its own.

12. I’ll expand Pattern 1 to explore its configuration, then click the edit icon to view or modify its details. A reminder that this is the cloned SIT I created in step 8 earlier.

13. Click the image below to enlarge it and read the explanations I’ve provided directly on the image.

14. I’ll now edit the keyword lists and the function process to explore these supporting elements. Click the edit button for Keyword list: Keyword_cc_verification

15. Editing the Keyword List:
The Keyword_cc_verification entry allows me to view the keyword list created by Microsoft.

16. The Keyword List: Keyword_cc_name contains a predefined list of credit card names.

17. Finally, the Function App can be opened for viewing, but its configuration cannot be modified.

You can’t edit the internal logic of functions like Func_expiration_date and other functions because they’re Microsoft managed components. These functions are locked to preserve accuracy and compliance, so even when you clone a Sensitive Information Type (SIT), the underlying function remains read‑only. What you can do is:

• Combine it with other patterns or keywords to refine detection.
• Adjust how the function is used in your custom SIT e.g., change confidence levels (low, medium or high), supporting elements, or proximity rules. However, you can’t edit the actual function itself.

18. You can test a Sensitive Information Type (SIT) by uploading a document.
For example, upload a Word document containing a list of demo credit card numbers. Then, click Test as shown in the image below.

Note: This procedure only supports unencrypted files. It’s recommended to use two test files, one that contains matching content and one that does not.

The account you use to test sensitive information type performance must be a member of one of the following role groups:

• Compliance Administrator
• Compliance Data Administrator
• Security Administrator
• Communication Compliance Admins
• Information Protection Admins
• Information Protection Investigators
• Organization Management

19. Click Upload file

20. I have a sample Word document containing demo data, including credit card numbers, as shown below.

Here is the result after uploading the document to the test tool and clicking the Test button: all possible matches have been identified, including those with high confidence

The same credit card numbers appear under low, medium, and high confidence levels because the test tool evaluates each confidence level independently. When a match satisfies all criteria, pattern match, Luhn validation, and supporting evidence, it is listed under each category to show how broadly it qualifies.

Thank you for following along with this blog post series.

Join me in Part 9 where I’ll show you how to create a Sensitive Information Type (SIT) from scratch.

Don’t forget to subscribe to new posts so you’re notified by email when the next one is published.