
Detecting Microsoft Purview Information Protection Sensitivity Labels

  • 19 October 2022
  • 5 replies
  • 182 views


I was looking through the DLP profiles and did not find any support for triggering on Microsoft Purview Information Protection (formerly Azure Information Protection / MIP / AIP) sensitivity labels for real-time protection policies. My goal is to coach/block users from uploading documents with certain labels to unapproved cloud storage.

 

I can extract the labels from the Office documents' metadata, but there doesn't seem to be a way for Netskope to detect the labels even with custom dictionaries or EDM. Has anyone gotten sensitivity label detection working in real-time protection DLP policies?


Best answer by ryans 20 October 2022, 20:25




In previous versions of "Compliance Center" you could simply put the friendly name of the label in your DLP entity. I'm not sure when this changed -- likely with the rebrand to Purview -- MS no longer writes the friendly name to the metadata. Instead, they write the GUID. Take this GUID and create a case insensitive entity as follows:

MSIP_Label_GUID_Enabled

Use this entity in your Rule, assign the Rule to a custom Profile, and use the Profile in your Policy.


Hi @BrianThomas, hope you're doing well. If @ryans's answer helps you with what you're looking for, please feel free to click "Accept as Solution" on the comment. 🙂


@Rohit_Bhaskar - I've been working with Brian and in all fairness, he did most of the work here, I just validated it a few more times 🙂


To add on to this, the DLP engine should be looking for the data in the headers, not the body of the file.

Further info for others on this path. In your Purview tenant (https://compliance.microsoft.com) you MAY be able to see the GUID for each Purview label, but it's not a given. If you can't see the data in the GUI, you can extract the GUID via PowerShell, but you will need to install the PowerShell cmdlets for the compliance dashboard. Here are the docs on how to connect: Connect to Security & Compliance PowerShell | Microsoft Learn

 

Alternatively, you can set a label on a file (Word, Excel, PowerPoint, etc.), change the extension to .zip and then search for the text "MSIP_Label_" in the folder. You will then have the GUID. Set the label on the file to the other label types you want to target and perform the same zip -> search action to find the other GUIDs. It's tedious, but maybe less so than PowerShell online, which can be very fiddly.
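The two procedures above (ryans's "MSIP_Label_GUID_Enabled" entity, and the rename-to-.zip / search-for-"MSIP_Label_" trick for finding a label's GUID) as one worked example. This is added code, not from the thread, Netskope, or Microsoft. It assumes the label metadata is written as custom document properties named MSIP_Label_<GUID>_<Field> in docProps/custom.xml inside the Office Open XML container; the sample document and its label GUID are constructed here and hypothetical.

```python
"""Added example: pull Purview/MIP sensitivity label GUIDs out of an Office file
and build the case-insensitive 'MSIP_Label_<GUID>_Enabled' entity pattern.
Not from the original thread; the sample document below is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PROPS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Assumed property naming: MSIP_Label_<GUID>_<Field>; the GUID is the part we need.
MSIP_PROP_RE = re.compile(
    r"^MSIP_Label_([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})_(\w+)$"
)


def extract_msip_labels(office_file: bytes) -> dict:
    """Return {guid: {field: value}} for every MSIP_Label_* custom property.

    A .docx/.xlsx/.pptx is a ZIP container, so this is the programmatic form of
    "rename to .zip and search for MSIP_Label_": open the archive, read
    docProps/custom.xml, and collect the label properties by GUID.
    """
    labels: dict = {}
    with zipfile.ZipFile(io.BytesIO(office_file)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return labels  # unlabeled file: nothing to match on
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{CUSTOM_PROPS_NS}}}property"):
        m = MSIP_PROP_RE.match(prop.get("name", ""))
        if not m:
            continue
        guid, field = m.group(1).lower(), m.group(2)
        value_el = prop.find(f"{{{VT_NS}}}lpwstr")
        labels.setdefault(guid, {})[field] = value_el.text if value_el is not None else None
    return labels


def enabled_label_guids(office_file: bytes) -> list:
    """GUIDs of labels whose *_Enabled property is 'true' (the ones a policy should key on)."""
    return sorted(g for g, f in extract_msip_labels(office_file).items()
                  if (f.get("Enabled") or "").lower() == "true")


def dlp_entity_pattern(guid: str) -> re.Pattern:
    """Case-insensitive regex equivalent of the MSIP_Label_<GUID>_Enabled entity."""
    return re.compile(rf"MSIP_Label_{re.escape(guid)}_Enabled", re.IGNORECASE)


# --- constructed sample: a minimal "docx" carrying one (hypothetical) label GUID ---
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CUSTOM_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{CUSTOM_PROPS_NS}" xmlns:vt="{VT_NS}">
  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" name="MSIP_Label_{SAMPLE_GUID}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="3" name="MSIP_Label_{SAMPLE_GUID}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="4" name="MSIP_Label_{SAMPLE_GUID}_Method"><vt:lpwstr>Standard</vt:lpwstr></property>
</Properties>"""


def build_sample_docx(labeled: bool = True) -> bytes:
    """Build an in-memory ZIP that looks enough like a .docx for the parser above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder parts; only custom.xml matters here
        z.writestr("word/document.xml", "<w:document/>")
        if labeled:
            z.writestr("docProps/custom.xml", SAMPLE_CUSTOM_XML)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    for guid, fields in extract_msip_labels(doc).items():
        print(guid, fields)
        pat = dlp_entity_pattern(guid)
        print("entity:", pat.pattern, "matches:", bool(pat.search(f"msip_label_{guid.upper()}_enabled")))
```

Run it against a real labeled file by reading its bytes into extract_msip_labels; the GUIDs it returns are the values to paste into the case-insensitive entity, and the Name field shows which label each GUID belongs to. Note the pattern matches the property name in the file's metadata, which is why the entity works only when the DLP engine inspects the document headers rather than just body text.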


@Rohit_Bhaskar, I've flagged it as accepted. Thanks to @ryans for being the good citizen and following up with the details.
