Over the past year, I have witnessed a significant effort from Microsoft to unify the protection capabilities across all of their Office 365 services. To demonstrate this, a new configuration option was recently released, currently in preview mode, for associating an Azure Information Protection (AIP) label to a document based on a metadata value in SharePoint. Fantastic news!
This configuration option is currently in preview and is subject to change. For the official documentation, check out the link here.
Follow along while I walk through an example of a SharePoint column called Classification that sets an AIP label based on its value in SharePoint.
STEP 1: Create a new site column called Classification with the following settings:
- choice column type
- choice values: General, Non-Business, Confidential
STEP 2: Add the site column to a Document library. (My library was in an Office 365 Group site, but it could be in any kind of SharePoint site.)
STEP 3: In the Azure Portal for your tenant (portal.azure.com), open up the Azure Information Protection blade and set up 2 new properties with the following name/value pairs in Advanced settings within a scoped policy. To do this, refer to this link: How to configure advanced client configuration settings in the portal.
- Name: SyncPropertyName Value: Classification
- Name: SyncPropertyState Value: OneWay
STEP 4: Within the scoped policy, ensure you have 3 labels whose names exactly match the 3 SharePoint metadata choice values. In this example, the scoped policy has 3 labels (General, Non-Business, Confidential).
STEP 5: Publish the policy.
STEP 6: Test it out by uploading a document to the document library and setting the Classification SharePoint property to one of the choice values. In this example, we’ll choose Confidential.
STEP 7: If you open the document in the Word Client, you will see that the Information Protection bar shows the Confidential AIP label is set! Awesome.
Note: you must ensure your label names are exactly the same as the SharePoint column values. You also must ensure you save the document above to set the sensitivity property.
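The exact-match requirement in the note above can be checked before publishing the policy. The following is an added example, not part of the original post or any Microsoft tooling: a Python check that compares the column's choice values with the policy's label names and explains near-misses. The function names and the sample label list are constructed for illustration; both lists are assumed to be copied by hand from SharePoint and the Azure portal.

```python
import unicodedata

# Dash look-alikes that often arrive via copy/paste from Office documents.
_DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")

def _loose(name):
    """Fold away differences a human eye tends to miss."""
    folded = unicodedata.normalize("NFKC", name).translate(_DASHES)
    return " ".join(folded.split()).casefold()

def _why(choice, label):
    """Name the first difference between two names that only match loosely."""
    if choice.strip() != choice or label.strip() != label:
        return "leading/trailing whitespace"
    if choice.casefold() == label.casefold():
        return "letter case"
    return "look-alike character or spacing"

def check_sync_names(choices, labels):
    """Compare SharePoint choice values with AIP label names.

    Returns (report, unused_labels); report maps each choice to
    ("exact", label), ("near-miss", label, reason) or ("missing",).
    """
    exact = set(labels)
    loose = {}
    for label in labels:
        loose.setdefault(_loose(label), label)
    report, used = {}, set()
    for choice in choices:
        if choice in exact:
            report[choice] = ("exact", choice)
            used.add(choice)
        elif _loose(choice) in loose:
            label = loose[_loose(choice)]
            report[choice] = ("near-miss", label, _why(choice, label))
            used.add(label)
        else:
            report[choice] = ("missing",)
    return report, [name for name in labels if name not in used]

# Constructed sample: the post's three choice values against a policy whose
# label names were typed slightly differently (non-breaking hyphen, case, space).
CHOICES = ["General", "Non-Business", "Confidential"]
LABELS = ["General", "Non\u2011Business", "confidential ", "Highly Confidential"]

if __name__ == "__main__":
    report, unused = check_sync_names(CHOICES, LABELS)
    for choice, result in report.items():
        print(f"{choice!r}: {result}")
    print("labels with no matching choice:", unused)
```

Anything reported as a near-miss or missing should be corrected in the label name or the column choice before relying on the sync, since only exact matches satisfy the requirement described above.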
I can see several use cases for this setup in SharePoint; however, at the time of this writing, there are several limitations I’ve discovered:
- This will only work if no label is currently applied to the document. Once a label has been applied to a document, changing the value of the SharePoint column (Classification in this example) will not change the AIP label to that updated value.
- You have to open the document and save it in an Office app in order for the label sensitivity property to be updated. This means you cannot simply change the Classification property in SharePoint to change the AIP label without going into the Office app.
- If you change the label classification while in the document, it will not update the Classification metadata property in SharePoint. This is a one-way sync.
This feature is currently in preview mode and subject to change, so the current behaviour I’ve observed may also change. If it does, I’ll update this post.
Thanks for reading.