Understanding the Microsoft.Extensions.Compliance.Classification namespace in .NET 8

With .NET 8, Microsoft introduced some interesting pieces around data compliance and telemetry. One of these is the Microsoft.Extensions.Compliance.Classification namespace, which provides a way to classify data flowing through your application. This is useful if you want to be intentional about what you log, how you log it, and what kind of data should be protected.

The basic idea is that you attach classification attributes to your data types or properties, so that logging and telemetry components can make decisions based on those classifications. For example, some fields may contain personal data and should never be written to logs in clear text.

A simple example might look like this:

using Microsoft.Extensions.Compliance.Classification;

public class Customer
{
    [PrivateData]
    public string Name { get; set; } = string.Empty;

    [PrivateData]
    public string Email { get; set; } = string.Empty;

    public string CountryCode { get; set; } = string.Empty;
}

Once your data is classified, a compliant logging or telemetry pipeline can use these attributes to mask, redact or skip sensitive fields. The idea is that classification lives close to the data model, instead of being an afterthought scattered across logging calls.

This is not something you will use in every small project, but if you work in an environment with stricter compliance requirements (PII, GDPR, audits), having a standard way to express "this is sensitive" in code is very helpful.

The namespace has several attribute types and interfaces, so you can define custom classifications as needed. It's a good example of .NET gradually adding support for more operational concerns directly into the platform.