When “By Design” Creates Risk: A Case Study on CSV File Classification Limitations in Microsoft Azure Information Protection

Data classification and labeling form the foundation of enterprise information security. They enable technologies such as Data Loss Prevention (DLP), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) to distinguish between sensitive and non-sensitive data. This case study examines a critical limitation in Microsoft Azure Information Protection (AIP), where Comma-Separated Values (CSV) files cannot retain sensitivity labels. Through a responsible disclosure to the Microsoft Security Response Center (MSRC), we document the issue, analyze its implications, and argue why the “by design” response is inadequate for regulated sectors such as banking and payments. We present reproduction steps, discuss the broader risk of unclassified data flows, and recommend remedial actions for vendors and organizations.