Reading width
Wide uses the full column for everything, text, diagrams, code, and exercises. Narrow keeps the standard reading width.
Text size
Scales the body text. Headings and code blocks keep their size.
In this section
Following Along: Tenant, Licence and Access for This Course
You can complete this course without touching a tenant. Everything is shown rather than described, so nothing here depends on you having somewhere to click. But you will learn it better if you build some of it, and this section is about doing that without creating a problem for yourself.
Scenario
Do not use production
Start here, because it is the only advice in this section that is not a preference.
Purview's controls are unusual in that several of them are difficult to un-ring. A retention label that declares content a record makes it immutable, and immutable means you cannot delete it either. An auto-labelling policy applied at scale relabels documents across the estate, and there is no undo button that walks it back. A DLP rule you enable in block mode stops real people from doing real work, immediately, and the first you hear about it is a service desk queue.
None of that is a reason to be frightened of the product. It is a reason not to learn it on the tenant your company runs on, because the way you learn is by getting it wrong, and getting it wrong here has a blast radius that includes people who did not sign up for your education.
There is a subtler version of the same problem. Even in read-only, the explorers in this course will show you the contents of your colleagues' files, and 2.8 covers why that access supersedes the permissions everybody else relies on. Doing that in production, out of curiosity, without a reason anybody agreed to, is a thing you can do and should not.
The exception, and how to take it
There is one honest case for touching production, and it is the opposite of building.
Looking is not the same as changing. The single most valuable exercise in this entire course costs nothing, breaks nothing, and takes an afternoon: open the explorers in your real tenant, filter to a built-in classifier that is already running, and look at where it fires. You are not deploying anything. Data classification scans your content before any policy exists, which Microsoft calls zero change management, so the number is already there whether you look or not.
What you will find is the reason to do it. Most people discover, in about twenty minutes, that their organization's sensitive data is somewhere nobody expected, in volumes nobody predicted, and that no policy has ever been near it. That finding is real, it is yours, and it is a better argument for the next twelve modules than anything this course can tell you.
Do it with the access you already have and a reason you can state. Do not go looking at colleagues' documents because the tool lets you, and read 2.8 before you decide what "looking" means, because the permission model there is sharper than it appears.
Your three options
Nothing at all. Read the course, commit to the decisions, and build none of it. This works better than it sounds, because the decisions are the part that transfers and the click paths are the part that moves. If you are here to be able to think about this properly rather than to configure it next week, this is a legitimate choice and you should not feel short-changed by it.
A Microsoft 365 E5 trial. Thirty days, full feature set, no cost. It is the fastest route to a tenant that can do everything in this course, and its weakness is the clock: thirty days is not enough to work through forty hours of material at a sane pace, and several things here need waiting rather than doing. Classification counts take up to seven days to update, and fourteen for SharePoint files. A trial that expires in the middle of a measurement is a bad way to learn what measurement feels like.
A Microsoft 365 developer tenant. The better option if you can get one. It renews while you are using it, it comes pre-populated with users and content, and it survives long enough to watch something change. The catch is availability: eligibility has been narrowed over the years and is tied to developer program status, so this may or may not be open to you depending on when you read this and where you are.
What you can reach on what
The trial's limit is time rather than capability, which matters because several things in this course can only be learned by waiting.
What E3 will and will not reach
If your own tenant is E3 and you want to follow along there, most of this course is open to you. Sensitive information types, sensitivity labels, DLP for the cloud services, retention: all E3.
Four things are not, and it is worth knowing which before you plan around them. Exact Data Match, trainable classifiers, endpoint DLP and the advanced insider risk indicators need E5 or the Information Protection and Governance add-on, and optical character recognition needs an Azure subscription with pay-as-you-go billing rather than any licence at all.
The portal will not stop you. This is the fact worth carrying out of this section and Module 1 states it properly: Microsoft licenses capabilities rather than gating features, so on an E3 tenant the controls for several E5 capabilities are clickable, the configuration saves, and the policies run. There is no warning banner. You can build an unlicensed control, watch it work, and be in breach the entire time, and the first anybody hears about it is a true-up.
Which is why this course states the licence boundary at every point where it bites, rather than once at the start. Not because licensing is interesting. Because the product will let you cross it without comment.
What to build, if you build anything
If you have a tenant and limited time, the returns are wildly uneven and it is worth spending the time where it teaches.
Build one custom classifier and test it against content you did not choose. That is Module 2, it is the single most transferable hour in the course, and it will surprise you. Everything else in this discipline is downstream of the skill, and the surprise is the point: a classifier you wrote and believed in, matching something you did not intend, is a lesson that does not arrive from reading.
Run one DLP policy in simulation. Not audit, not block. Simulation, in Module 6, because it is the only mode that shows you the blast radius of a policy without any of the consequences, and watching a rule you were confident about light up across half the estate is the fastest cure for confidence there is.
And open the explorers after each of those, because the loop of build, measure, be surprised is the whole discipline in miniature, and nothing else you do in a lab reproduces it.
What is not worth your lab time is the configuration walkthroughs. Building a label policy in a tenant with four users teaches you the click path and nothing about the thing that makes labels hard, which is people. Read those, do not rehearse them.
The roles you will need
You do not need Global Administrator, and if somebody offers it to you for this, decline.
The compliance role groups are more granular and Module 1 covers them properly. For following along, you need enough to create classifiers and policies, which is usually Compliance Administrator or Compliance Data Administrator, and separately you need to be added to a role group before you can read content in the explorers, because that access is deliberately not included in any administrative role.
The reason to care in a lab is that you will care in production. A data security function that runs on one person's global admin account is the first anti-pattern in this discipline, and building your own habits on it teaches you the wrong shape.
One thing a lab cannot give you
Worth saying plainly before you spend a weekend on a tenant, because it changes what you expect from it.
A lab has no Elena. It has no Legal team who will not hand over the register, no Marcus with 4,318 matches and a deadline, no Rachel who has already promised something to a client. It has no fifteen years of scanned contracts, and no engineers photographing whiteboards at the end of a design review. Every hard thing in this discipline is a fact about an organization, and a tenant with four test users has none of them.
So the lab teaches you the mechanism, and this course teaches you the mechanism plus the argument, and the argument is the part that decides whether your programme works. That is not a reason to skip the lab. It is a reason not to mistake a working tenant for a working programme, which is a mistake with a long history in this field and a specific tell: a deployment that looks complete, took six months, and cannot answer a single question anybody asks it.
Section 0.7 closes the module, and then Module 1 begins the course proper.