Azure Information Protection labels are designed to apply a classification, and (optionally) mark and encrypt the document based on the level of sensitive information it contains. Customers who mainly rely on cloud file repositories can leverage Azure Information Protection labels with Microsoft Cloud App Security integration in several major use cases:
- Using File Policies to enable classification:
- Automatic classification based on custom conditions including file content, location, access level and more.
- Perform governance actions based on the file classification.
- Using Session Control to protect once downloaded or block downloading, based on file content, current classification label, end-user location, device compliant status and more.
- Using Files management from MCAS portal to apply and remove AIP labels manually.
In this article, we will cover the mentioned capabilities step by step with complete instructions on how to deploy them in your organization.
- Azure Information protection already deployed in your tenant with labels configured in the policy.
- Microsoft Cloud App Security (accessible from https://portal.cloudappsecurity.com).
- To configure “File policies” you should verify the relevant cloud app is connected to MCAS (Official documentation: https://docs.microsoft.com/cloud-app-security/enable-instant-visibility-protection-and-governance-ac...)
- Azure Information Protection integration enabled in MCAS in order to scan protected and unprotected files for labels and content (will be covered later in this blog).
- Configure “Session Control”:
- For non-Microsoft cloud application – configure it with AAD SSO (as described at: https://docs.microsoft.com/azure/active-directory/manage-apps/configure-single-sign-on-portal) and as mentioned in step 4b.
- Once the application is configured with AAD SSO (Microsoft apps are already configured) you should deploy Conditional Access App Control for Azure AD App (as described at: https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
- Licensing requirement:
- Azure Information Protection: AIP P1 / EMS E3
- Microsoft Cloud App Security: MCAS Standalone / EMS E5
- To enable “Session control” – AAD P1 (In case you own MCAS Standalone)
We recommend to review our blog “Cataloging your Sensitive Data with AIP, Even Before Configuring Labels!” in order to easily deploy AIP Scanner to be aware of the current Sensitive Data that is relevant for your company. Once you have this information, the same sensitive types should be configured in MCAS policy to detect and label documents that contains this sensitive data. We recommend that discovery for Sensitive Data should be the first step in taking control of your information.
Enable Azure Information Protection integration in Microsoft Cloud App Security.
AIP integration with MCAS should be enabled in advanced before configuring polices based on labels. In addition, MCAS can perform content inspection on AIP protected files. To enable this, we must grant MCAS permissions to do so. For this, please browse to: https://portal.cloudappsecurity.com/#/settings/?section=securityConnectors
- Check the 1st option to enable AIP labels scanning by MCAS.
- Check the 2nd option if you wish to allow MCAS to scan AIP labeled and protected files only for your tenant. Not checking this option will allow scanning of labeled files from other tenants stored in your cloud applications (for example: file that has been received from external partner and stored in your tenant’s SharePoint after a recipient from your tenant decided to store it). Please note that MCAS has content inspection rights only for AIP protected files that are protected by your tenant.
- The option mentioned in the 3rd box is required to allow content inspection of AIP protected content from your tenant. For example, if protected document is stored in SharePoint and contains PII, then MCAS will be able to trigger a file policy off that. Click the Grant permissions button to allow this functionality. An additional consent box will require approval.
File policies capabilities with Azure Information Protection labels
File Policies allow you to enforce a wide range of automated processes using the cloud provider’s APIs. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and many more use cases. Cloud App Security can monitor any file type based on more than 20 metadata filters (for example, access level or file type). The supported file types that support applying and inspecting Azure Information Protection labels are:
- Word: docm, docx, dotm, dotx
- Excel: xlam, xlsm, xlsx, xltx
- PowerPoint: potm, potx, ppsx, ppsm, pptm, pptx
- PDF – Adobe ISO format (requires unified labeling)
We will now review the options of what we can achieve by configuring file polices.
- On the Control tab, click Policies.
- Click on Create policy button and select File policy.
- Call the policy File policy test with labels
- Enter a description.
- Set a policy severity and category.
- Under Create a filter for the files this policy will act on, we have several options to select
- You can select the app that is in used to store the documents, for our example we use OneDrive and SharePoint. Not selecting an app will include all the connected apps to Cloud App Security.
- You can scope the policy to scan only files that are already labeled. For example, we can configure to perform actions only on files labeled as Confidential and Highly Confidential. For this we will click the (+) icon, select Classification label, Azure Information Protection, Equals and select the relevant label(s).
- An additional use case can be achieved with scoping the detection to a specific file location. This can be done with the Apply to: all files section, available options are:
- Selected folders (common use case: to apply default label on specific SP folder).
- All files excluding selected folders (common use case: exclude a folder that is not allowed to be scanned due to a regulation or privacy restriction). If you would like to apply AIP labels on all the documents that are stored in a specific folder you can skip to step 11 after this step is configured.
- Like the behavior when using the AIP client, you can perform automatic classification based on file content as part of the file policy. To do that, under Inspection method select Data Classification Service. Under Choose inspection type select Sensitive information type… A list of built in sensitive information types will popup. Select any relevant information type that you would like to detect (we will select Credit Card Number) and click Done.
- Like the AIP Unified Labeling client, MCAS supports the ability to inspect documents with Office 365 custom created sensitive information types. More information on this can be found here: https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type
- Check the Inspect protected file option if you wish for MCAS to inspect content in AIP protected files using the configured sensitive information types.
- Check the Create an alert for each matching file if this specific policy exposes a risk which you would like to be alerted on.
- Under the Governance section we will click on the apps we selected in step 6 and configure the governance actions that we would like to apply. A full description of all available actions can be found here: https://docs.microsoft.com/cloud-app-security/governance-actions. We will review the actions that are relevant for our use case.
- Make private – For our use case, if sensitive labeled files are detected, you can remove access from users who are not the document owner. For example: Highly confidential document that has been shared internally within groups that are not allowed to access it.
- Remove external users – same as action A but will remove only external users’ access.
- Put in user / admin quarantine – If you don’t allow a labeled file to be stored in the configured cloud service / location (or any other relevant condition) then file can be quarantined.
- Apply classification label and choosing the relevant classification label from the dropdown list.
- Remove classification label will remove AIP label from the file.
- Once done, click on Create at the bottom to save your policy and let the detection process start scanning your tenant documents.
Session control capabilities with Azure Information Protection labels
MCAS session policies enable real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session. With session control you can allow access while monitoring the session and/or limit specific session activities using the reverse proxy capabilities of Conditional Access App Control.
This capability come in one hand with the AIP integration which you can leverage for the following main use cases:
- Monitor downloads of labeled documents
- Block downloads of labeled documents
- Protect already labeled / non-labeled documents on download
For example, you can decide that from unmanaged devices, or for sessions coming from specific locations, you want to allow the user to access the app but also limit the download of sensitive files or require that certain documents be protected upon download.
As mentioned at the beginning of this blog, please verify the mentioned prerequisites to use MCAS session control (Starting with license requirements and create an AAD Conditional Access policy to route the session to MCAS).
When a session policy is active, all traffic is routed through MCAS in order to be monitored, the end user is prompted when they are logged into the specific application so they will be aware.
We will now review the options of what we can achieve by configuring Session polices.
- On the Control tab, click Policies.
- Click on Create policy button and select Session policy.
- Call the policy Session control test with labels.
- Enter a description.
- Set a policy severity and category.
- Under Session control type we can select one of these options to enable AIP capabilities:
- Control file download (with DLP)
- Control file upload (with DLP)
- From the point the policy contains 2 different filters which we can configure: Activity filters & File filers. Let’s review what are the options we have under each filter.
- Activity filters – this allows us to configure the activity properties which we want to trigger the policy, for example: device compliant status, if domain joined, specific location, ISP, user and more. In addition, we should configure here the application which we want to control, the dropdown list will show us the already configured apps from step 5 of the prerequisites. For our example we will select to control devices that are not compliant, not domain joined, outside the company 4 trusted countries, and using OneDrive for Business and SharePoint online apps.
- File filters – using this filter we can granularly configure control for sensitive files which have an Azure Information Protection label. The drop down pulls the current published label policy. In addition, it will show labels with (external) tags that originated from other tenants into your cloud applications and was scanned for label discovery (as mentioned in the Enable Azure Information Protection integration in Microsoft Cloud App Security section of this article). For our example we will select to control only documents that are labeled with Confidential label and its sub labels.
- An additional option to trigger the policy to match is based on document content inspection, this can be configured when we enable the content inspection option in the policy.
- Lastly, we reach the Actions section where we can decide which controls we want to apply on the matched session policy. We have 3 different options:
- Test – audit only, can be visible in MCAS Activity log.
- Block – Intercept downloaded or uploaded files that match the policy and block them, for example – downloading a file that is highly sensitive on a not domain joined machine. Or block uploading a highly sensitive file to a specific folder or cloud application. The block action will show a user prompt that the file downloaded is blocked, this message can be customized. A blocked file will download a tombstone txt file to the end user machine mention that a file was blocked.
- Protect (for file download interception only) – This action will apply classification label on downloaded files as configured in your policy. You will only see here classification labels that have protection assigned. An additional option is to protect the downloaded file not with a label but with custom permissions, the same concept as a user defined label in the AIP Client. The rights are applied once file is downloaded to the user who download the file, no other user can access the file once downloaded. In case protection fails or a not supported AIP file is downloaded then you can override the protection action and block the file from being downloaded. For this you should check the Block download of any file that is unsupported by native protection or where native protection is unsuccessful.
- Once done, click on create to enable your new session policy and start enforcing file download activities per specific activity / file conditions and perform actions on them.
Investigate files stored connected apps with AIP labels.
To provide data protection, Microsoft Cloud App Security gives you visibility into all the files from your connected apps. After you connect Microsoft Cloud App Security to an app using the App connector, Microsoft Cloud App Security scans all the files, for example all the files stored in OneDrive and Salesforce. You can also use the Files page to filter files to investigate what kind of data is saved in your cloud apps. Files page can provide 2 main functionalities in relation to Azure Information protection:
- Apply or remove label manually on a specific file
- Use file filters to produce a list of labeled files per specific label
We will start reviewing the files page with locating confidential files.
- To access the Files page, we should select it from the left toolbar under the Investigate
- Once we opened the Files page, we need to view the classification filter so we can control which the labeled files we want to view. For this we need to click the advanced button on the right side.
- Now we can select the Classification label filter from the list of filters, select Azure Information Protection from the 2nd filter and then we can filter by specific labels with equals This specific filter will give us a list of all the Confidential labeled files in our connected apps. We can click on each file to see it’s label, if it’s encrypted and many more details.
- Using the same filter, we can locate files that are unlabeled and apply a label manually. To do that, in the filters select Classification label, 2nd filter Azure Information Protection, and then choose is not set
This will show a list of unlabeled files in your connected apps. But no worries, we can now apply label on one of them manually or perform bulk classification using a new created policy using this filter.
- To label files manually we should locate the file we would like to label, click the 3 dots on the right and select apply classification label. From the drop down list select the relevant label and apply it.
- To bulk label all non-labeled files manually we should click the New policy from search This will create a new file policy which we should configure it’s governance action to apply a label as mentioned in File policies capabilities with Azure Information Protection labels.
Azure Information Protection is completely integrated with Microsoft Cloud App Security in terms of viewing labels, applying them automatically and manually on connected applications from Office 365, and also non-Microsoft connected apps. This integration provides consistent control and visibility over your company owned sensitive documents also in the cloud.
The Information Protection Customer Experience Engineering Team