SharePoint Metadata sets AIP Label


Over the past year, I have witnessed a significant effort from Microsoft to unify the protection capabilities across all of their Office 365 services. To demonstrate this, a new configuration option was recently released, currently in preview mode, for associating an Azure Information Protection (AIP) label to a document based on a metadata value in SharePoint. Fantastic news!

This configuration option is currently in preview and is subject to change. For the official documentation, check out the link here.

Follow along while I walk through an example of a SharePoint column called Classification that sets an AIP label based on its value in SharePoint.

STEP 1: Create a new site column called Classification with the following settings:

  • choice column type
  • choice values: General, Non-Business, Confidential

STEP 2: Add the site column to a Document library. (My library was in an Office 365 Group site, but it could be in any kind of SharePoint site.)

STEP 3: In the Azure Portal for your tenant (portal.azure.com), open up the Azure Information Protection blade and set up 2 new properties with the following name/value pairs in Advanced settings within a scoped policy. To do this, refer to this link: How to configure advanced client configuration settings in the portal.

  • Name: SyncPropertyName, Value: Classification
  • Name: SyncPropertyState, Value: OneWay

(Screenshot: how they appear in the Advanced settings blade)

STEP 4: Within the scoped policy, ensure you have 3 labels whose names match exactly to the 3 SharePoint metadata choice values. Shown below, there are 3 labels in this scoped policy (General, Non-Business, Confidential):

(Screenshot: scoped policy in Azure)

STEP 5: Publish the policy.

STEP 6: Test it out by uploading a document to the document library and setting the Classification SharePoint property to one of the choice values. In this example, we’ll choose Confidential.

(Screenshot: updating the SharePoint column)

STEP 7: If you open the document in the Word client, you will see that the Information Protection bar shows the Confidential AIP label is set! Awesome.

(Screenshot: Information Protection bar)

Note: you must ensure your label names are exactly the same as the SharePoint column values. You also must ensure you save the document above to set the sensitivity property.
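The exact-match requirement in the note above is easy to break with differences that are hard to see on screen (letter case, trailing spaces, look-alike hyphens in a name such as Non-Business). The following is an added example, not part of the original post or of any Microsoft tooling: a pre-publish check that compares the column's choice values with the label names. The function names and sample label list are constructed for illustration, and it assumes the match is a strict string comparison, so anything short of identical is reported.

```python
import unicodedata

# Dash look-alikes that editors and copy/paste often substitute for "-".
DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")


def normalise(name):
    """Fold differences that are invisible or easy to miss on screen."""
    folded = unicodedata.normalize("NFKC", name).translate(DASHES)
    return " ".join(folded.split()).casefold()


def compare_names(choice_values, label_names):
    """Classify each SharePoint choice value against the AIP label names.

    Returns {choice: (status, label)} where status is 'exact', 'near-miss'
    (equal only after normalisation) or 'missing'.
    """
    by_norm = {}
    for label in label_names:
        by_norm.setdefault(normalise(label), label)
    report = {}
    for choice in choice_values:
        if choice in label_names:
            report[choice] = ("exact", choice)
        elif normalise(choice) in by_norm:
            report[choice] = ("near-miss", by_norm[normalise(choice)])
        else:
            report[choice] = ("missing", None)
    return report


# Constructed sample input: the post's three choice values, and a label list
# containing a non-breaking hyphen and a lower-case name with a trailing space.
CHOICES = ["General", "Non-Business", "Confidential"]
LABELS = ["General", "Non\u2011Business", "confidential ", "Public"]

if __name__ == "__main__":
    for choice, (status, label) in compare_names(CHOICES, LABELS).items():
        print(f"{choice!r:18} {status:10} {label!r}")
```

Any row reported as near-miss or missing should be corrected in either the column or the policy before publishing.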


My Thoughts

I can see several use cases for this setup in SharePoint; however, at the time of this writing, there are several limitations I’ve discovered:

  • This will only work if no label is currently applied to the document. Once a label has been applied to a document, changing the value of the SharePoint column (Classification in this example) will not change the AIP label to that updated value.
  • You have to open the document and save it in an Office app in order for the label sensitivity property to be updated. This means you cannot simply change the Classification property in SharePoint to change the AIP label without going into the Office app.
  • If you change the label classification while in the document, it will not update the Classification metadata property in SharePoint. This is a one-way sync.

This feature is currently in preview mode and subject to change so the current behaviour I’ve observed may also change. If it does, I’ll update this post.

Thanks for reading.

-JCK


Credit: Photo by Aliis Sinisalu on Unsplash
