Reading width
Wide uses the full column for everything, text, diagrams, code, and exercises. Narrow keeps the standard reading width.
Text size
Scales the body text. Headings and code blocks keep their size.
In this section
How This Course Is Structured: Phases, Modules, and Being Asked to Decide
You met something unusual in 0.1 and it is worth explaining, because it is the thing that makes this course different from the documentation and from most training built on top of it.
Scenario
Why you get asked before you get told
That gap is the reason this course is built the way it is. Documentation explains what a setting does. It does not, and cannot, tell you what it costs you to choose wrong, because that depends on your organization, and it has never met your organization.
So at the point in each section where the real decision sits, you are asked to commit to an answer before you are given one. Then you are told what the option you chose costs, rather than what the option we wanted you to choose would have earned. That is a deliberate inversion. Reading the right answer teaches you the right answer. Choosing the wrong one and being shown the bill teaches you the shape of the problem, and the shape is what transfers to a decision this course never anticipated.
Some of those decisions have a correct answer and the course will tell you plainly. Some of them do not. The block in 0.1 was one of the second kind: all four moves were defensible, all four are what somebody actually does, and the honest thing was to price them rather than rank them. When you meet one of those, the failure is not picking the wrong option. It is refusing to pick, or picking without noticing what you paid.
You can skip them. Nothing is graded, nothing is reported to anybody, and the reveal is one click away whether you commit or not. But the block is the only part of a section that can tell you whether you understood it, because the prose can be nodded along to and a decision cannot.
The left box is what every vendor page gives you, and it is why people who have read everything still freeze at the dropdown.
The nine shapes a decision comes in
The block in 0.1 was one of nine, and they are not decoration on a quiz engine. Each one exists because a different kind of judgment failed differently in the field, and knowing which you are looking at tells you what is being asked.
Some are deterministic and have a right answer. Precedence asks which rule wins when several apply. Assemble hands you a requirement and a pile of components and asks you to build the thing. Troubleshoot gives you a control that is misbehaving and asks what is wrong. Blast radius asks what a change actually reaches, and its answer is usually the thing it does not reach. Failure mode gives you a control whose dependency has died. Run order gives you a list of correct steps and asks for the sequence. Diff shows two versions of a configuration and asks which change matters, which is rarely the one that looks biggest.
Some have no right answer at all. Trade-off hands you options that are each correct for a different fear, and prices them. Judgment Call gives you evidence that does not resolve, asks you to commit anyway, and then asks you to score your own reasoning against criteria rather than against an answer key, because there is not one.
Which mode a section uses is decided by what it teaches rather than by variety, so you meet some often and one or two once. The mode is always labelled, so you always know whether you are being asked for a fact or a judgment, and that distinction is the point: the failure in this discipline is rarely not knowing a fact. It is not noticing that a judgment was required.
The order is not negotiable
Thirteen modules, six phases, and the sequence is the argument.
Phase 1, know your data, is two modules and roughly a fifth of the course. Module 1 draws the boundary and sets the licensing baseline. Module 2 is classification, and it is the heaviest module here by a distance. That ratio is deliberate: every control in every later phase fires because a classifier matched, so a course that rushed classification to reach the interesting features would be teaching you to build on a foundation you cannot measure.
Phase 2, mark your data. Labels are the decision made durable: it travels with the file, out of the library, out of the mailbox, out of the tenant. Taxonomy first, because the most common labelling failure is organizational rather than technical.
Phase 3, stop it leaving. DLP, then endpoint DLP, because the cloud services are where the policy model is learned and the device is where the real channels are.
Phase 4, keep and dispose. Retention, which is where the security team and the privacy team meet and occasionally disagree.
Phase 5, watch and investigate. Insider risk, then audit and investigation, because most data loss is not an attacker.
Phase 6, AI and capstone. Data security for AI is last because it is not a new discipline. It is a discovery engine pointed at everything the first five phases did or did not do. Then a capstone against a requirement set you have not seen.
You can read out of order. You will not get the same course, because Module 6 assumes you can measure a classifier and Module 11 assumes you have a label taxonomy, and neither of them will stop you.
Northgate Engineering, and why it is not a bank
Every scenario in this course happens at one fictional company, and the choice of company is doing more work than it looks.
Northgate Engineering is 810 people on Microsoft 365 E5. It designs and delivers infrastructure: water treatment, structural, civil. It is not a bank, it does not process cardholder data at scale, and it has no regulator breathing on it beyond the ordinary ones. That is deliberate, because the interesting data security problems are not the regulated ones.
A bank's crown jewels are the data types every vendor already ships a classifier for: card numbers, account numbers, national identifiers, all with formats, checksums, published patterns and a compliance regime that says what to do about them. Northgate's crown jewels are its client contracts and its technical proposals, and no vendor on earth ships a pattern for the thing that makes an engineering firm money. Nobody is going to fine Northgate for losing a proposal. They will just lose the next three bids and never know why.
That is the harder problem and the more common one. Most organizations' worst day is not a regulated breach. It is a commercially catastrophic disclosure of something nobody had a control for, because the controls were built around the data somebody else said to care about.
You will meet the same four people throughout. Rachel Okafor, the CISO, who makes promises to clients that you then have to be able to keep. Elena Petrova in GRC, who owns the definitions and will not hand you a copy of the contract register just because you asked. Marcus Webb, the security architect, whose classifier returned 4,318 matches nobody can explain. Phil Greaves, the IT Director, who wants to know what the meter costs before you switch it on. Their disagreements are the course, because none of the real decisions in this discipline are technical.
What a module looks like inside
Every module opens with a problem somebody at Northgate has, not with a definition. The teaching then goes deeper than the click path, because the click path moves and the mechanism does not, and if you know the mechanism you can find the button.
Every section shows you the thing rather than describing it: the actual portal location, the actual command, the actual artifact. Where a diagram can carry an idea better than a paragraph, there is a diagram, and they are drawn to show something rather than to decorate a list.
Each module closes with a summary and eight scenario questions. The questions test whether you can make a decision, not whether you remember a menu path, and every wrong answer explains why it is wrong rather than just marking it.
And it is written on the assumption that you are an intelligent adult given a hard job and not much help, which is the actual situation of most people in this role.
How long it takes, and how to read it
Thirty-six to forty hours if you work through it properly, which is roughly three hours a module and rather more for Module 2. That number assumes you stop at the decisions rather than clicking past them, and it is the number the CPE credits are based on.
There are two honest ways to use this course.
Studying it means reading in order, committing to the decisions before revealing them, and building at least Module 2's classifier in a tenant of your own. It costs the forty hours and produces someone who can walk into an unconfigured tenant and do the job.
Raiding it means going to the module you need this week. That works better here than in most courses, because each section states its own dependencies and the reference modules at the end consolidate the commands. Module 6 will assume you can measure a classifier and will tell you so rather than quietly failing you. If you have a DLP rollout on Thursday, read Module 6 on Wednesday and come back for the rest.
What does not work is skimming it for the settings. Those are in Microsoft's documentation, free, maintained by people with better access than us. If a page of this course could be replaced by a Learn page, that page has failed.
What this course does not do
It does not prepare you for an exam. It is aligned to the SC-401 skills measured, because that certification describes this job reasonably well, but it teaches the job and the exam is a side effect.
It does not have a lab you must build. Nothing here requires a tenant, and 0.6 covers your options if you want one.
And it does not pretend the product is better than it is. Where Purview cannot do something, the course says so, which is the next section.