An auto-labeling policy is the correct choice because it is designed to automatically apply a sensitivity label to content that matches specific conditions. In this scenario, the condition is the presence of a credit card number (a sensitive information type). You would first create a sensitivity label configured to apply encryption. Then, you create an auto-labeling policy that uses this label and targets content containing the "Credit Card Number" sensitive information type. When a document with a credit card number is added to SharePoint, OneDrive, or Exchange, the policy automatically detects it and applies the encryption-enabled label.

A. a retention policy: Retention policies are used to manage the data lifecycle (retaining or deleting content) and do not apply encryption based on content.

B. a retention label policy: While retention labels can be auto-applied based on sensitive information, their primary function is to manage retention and disposition, not to apply encryption.

D. an insider risk policy: Insider risk policies are designed to detect and manage risky user activities to prevent data leakage or theft, not to automatically encrypt files upon creation.

1. Microsoft Learn. (2024). Automatically apply a sensitivity label to content in Microsoft 365.

Section: "How auto-labeling policies for files and emails work"

Quote/Paraphrase: "Auto-labeling policies can automatically apply sensitivity labels to files and emails when they match conditions that you specify. One of the key conditions is when content contains specific types of sensitive information

such as credit card numbers. The sensitivity label itself is what carries the protection setting

such as encryption."

2. Microsoft Learn. (2024). Use sensitivity labels to apply encryption.

Section: "How encryption works"

Quote/Paraphrase: "When you apply encryption for a sensitivity label

the protection settings are embedded in the content... You can use auto-labeling policies to find content with sensitive information and automatically apply a label that's configured for encryption."

3. Microsoft Learn. (2024). Learn about retention policies and retention labels.

Section: "Comparing retention policies and retention labels"

Quote/Paraphrase: This document clarifies that the purpose of retention policies and labels is to "retain content so that it can't be permanently deleted before the end of the retention period" and to "delete content permanently at the end of the retention period." This confirms their function is not encryption.