Configure Data Sensitivity

Implementation Effort: Medium
Configuring data sensitivity requires collaboration between security teams and data governance teams to align Microsoft Information Protection (MIP) labels and sensitivity thresholds.

User Impact: Low
This configuration is handled by administrators and security teams; no action is required from end users.

Overview

Microsoft Defender for APIs integrates with Microsoft Defender for Cloud to classify and monitor APIs for sensitive data exposure. Once APIs are onboarded, Defender for APIs automatically scans them for sensitive information using either your organization's Microsoft Information Protection (MIP) labels or a default classification rule set if MIP is not configured 1.

To configure data sensitivity:

1. Go to Microsoft Defender for Cloud > Environment settings in the Azure portal.
2. Select Data sensitivity.
3. Adjust the minimum sensitivity threshold to define which labels should be treated as sensitive.
4. Apply and save the configuration 2.

You can also create or update sensitivity settings programmatically using the Defender for Cloud REST API 3.

With Defender CSPM enabled, you can:

• View API attack paths involving sensitive data.
• Filter APIs by sensitivity labels or information types.
• Prioritize alerts involving sensitive data exposure 1.

Failing to configure data sensitivity properly may result in missed detections of sensitive data exposure, increasing the risk of data leaks. This capability supports the Zero Trust principle of "Assume breach" by enabling visibility into sensitive data flows and prioritizing high-risk exposures.

Reference

• Classify APIs with sensitive data exposure
• Customize data sensitivity settings
• Sensitivity Settings - Create or Update (REST API)
• Protect APIs in API Management with Defender for APIs