Azure Information Protection and Cloud App Security integration: Extend control over your data to the cloud
Published Sep 08 2018 09:27 AM
First published on CloudBlogs on Nov 07, 2016
At Ignite, we showcased the integration between Cloud App Security and Azure Information Protection in the Cloud App Security session and Azure Information Protection session. Today, we’re excited to share more about this integration and demonstrate how it helps in extending security for your data as it travels to the cloud.

With the digital transformation that organizations are going through, data is traveling to more locations than ever before, increasing users’ productivity and ability to access data and collaborate with others. With Azure Information Protection, we’re focused on providing our customers an innovative information protection solution which is adapted to the mobile and cloud-first world and can protect company data wherever it is.

One of the key challenges for information protection solutions today is the lack of visibility and control for data as it moves to cloud applications. Cloud applications pose a huge challenge for legacy information protection solutions which are not adapted to the cloud. They also create new challenges such as the need to monitor and control sharing of sensitive data with external parties.

Cloud App Security provides a holistic solution to discover, monitor, control and protect activities and data in cloud applications. With this integration, the service can leverage the classification labels set by Azure Information Protection natively and enforce automatic governance actions such as file quarantine and remove sharing based on classification and sharing level of the file.

With this integration, Azure Information Protection helps extend control over your data throughout the complete data lifecycle - from creation to storage on-premises and in cloud services to sharing internally or externally to monitoring the distribution of files and finally responding to unexpected activities. This integration provides the following key capabilities:

Visibility into data sharing

When data is created, it is classified and labeled based on its sensitivity, either automatically or manually using Azure Information Protection. This process of classification adds a label to the data that will persist throughout its entire lifecycle. Users can upload such files to cloud applications and attempt sharing with people inside or outside of their organization. Cloud App Security identifies the sensitivity level of these files, based on the labels set by Azure Information Protection, and helps you monitor and control such activities. For example, admins can query for all Confidential files that are shared publicly over Dropbox, Box, SharePoint Online and other cloud services, and take an action upon these activities, such as log, alert, notify the end user, or even prevent such files from being shared.

In the example below, a user is working on a file that’s labeled Confidential. He now uploads this file to an internal folder in Box. He then shares this file, sending the link to the shared file to a colleague at another company. This file can now be accessed freely by any user that has this link. Such an action can put sensitive organizational data at risk and expose business information.

The security admin in the user’s organization wants to analyze employees’ use of cloud applications. He logs in to the Cloud App Security console and gets details of all the files that are shared publicly by employees. He sees that the user uploaded a Confidential file into a shared folder in Box. The admin can view all previous access events to this file, and immediately remediate by removing its collaboration rights.

Policies to control sharing

Admins can use the Cloud App Security console to set policies for file sharing, based on the files’ level of sensitivity to the business as set by Azure Information Protection. In case of unexpected sharing of sensitive files, one of the following actions can occur automatically to prevent data loss:
  • Files can be put in quarantine
  • Sharing can be restricted for the files
  • Notification can be sent to users who shared the files
For example, a policy can be created that looks for classified files that are externally shared and automatically quarantines these files.

Alerts for anomalous behavior

Alerts can be set up to notify admins in case sensitive files are shared unexpectedly. Activities such as sensitive files being shared externally, sensitive files being downloaded from unrecognized locations, or anything that’s considered abnormal in your environment can fire alerts to help admins with proactive investigation.


Cloud App Security and Azure Information Protection together help you gain deeper visibility and control over your data as it travels to the cloud, extending protection for your data throughout the entire data lifecycle. And this is achieved while maintaining user productivity and collaboration.

These capabilities are available today. You can use the Enterprise Mobility + Security E5 trial to try it out. We also encourage you to watch the two Ignite sessions we linked at the beginning of this post to see a demo of the integration. If you have any feedback or suggestions, you can engage with us on Yammer.

Thank you!

Information Protection and Cloud App Security team
Last update: Sep 08 2018 09:27 AM