Over the past year, I have witnessed a significant effort from Microsoft to unify the protection capabilities across all of their Office 365 services. To demonstrate this, a new configuration option was recently released, currently in preview mode, for associating an Azure Information Protection (AIP) label to a document based on a metadata value in SharePoint. Fantastic news!
This configuration option is currently in preview and is subject to change. For the official documentation, check out the link here.
Follow along while I walk through an example of a SharePoint column called Classification that sets an AIP label based on its value in SharePoint.
STEP 1: Create a new site column called Classification with the following settings:
- choice column type
- choice values: General, Non-Business, Confidential
STEP 2: Add the site column to a Document library. (My library was in an Office 365 Group site, but it could be in any kind of SharePoint site.)
STEP 3: In the Azure Portal for your tenant (portal.azure.com), open up the Azure Information Protection blade and set up 2 new properties with the following name/value pairs in Advanced settings within a scoped policy. To do this, refer to this link: How to configure advanced client configuration settings in the portal.
- Name: SyncPropertyName Value: Classification
- Name: SyncPropertyState Value: OneWay
How they appear in the Advanced settings blade
STEP 4: Within the scoped policy, ensure you have 3 labels whose names exactly match the 3 SharePoint metadata choice values. Shown below, there are 3 labels in this scoped policy (General, Non-Business, Confidential):
STEP 5: Publish the policy.
STEP 6: Test it out by uploading a document to the document library and setting the Classification SharePoint property to one of the choice values. In this example, we’ll choose Confidential.
STEP 7: If you open the document in the Word Client, you will see that the Information Protection bar shows the Confidential AIP label is set! Awesome.
Note: you must ensure your label names are exactly the same as the SharePoint column values. You also must ensure you save the document above to set the sensitivity property.
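A pre-publish check for the exact-name requirement in the note above, as an added example that is not part of the original post or Microsoft's tooling: it compares the column's choice values with a hand-typed list of label names and flags near misses. The label list is a constructed sample, the function names are hypothetical, and the character-for-character comparison is an assumption drawn from the post's "exactly the same" wording.

```powershell
# Added example: verify every SharePoint choice value has an identically named label.
# Both lists are typed in by hand (assumption); the label list below is a
# constructed sample that deliberately contains two near misses.
$ChoiceValues = @('General', 'Non-Business', 'Confidential')   # values from STEP 1
$LabelNames   = @('General', 'Non Business', 'confidential ')  # constructed sample

function Get-NormalizedName {
    param([string]$Name)
    # Ignore case, surrounding whitespace and hyphen/space/underscore differences
    return ($Name.Trim().ToLowerInvariant() -replace '[\s\-_]+', '')
}

function Test-LabelMapping {
    param([string[]]$Choices, [string[]]$Labels)
    foreach ($choice in $Choices) {
        $status  = 'NoLabel'
        $closest = ''
        if ($Labels -ccontains $choice) {
            # -ccontains is the case-sensitive membership test
            $status  = 'ExactMatch'
            $closest = $choice
        }
        else {
            $key = Get-NormalizedName $choice
            $hit = $Labels | Where-Object { (Get-NormalizedName $_) -eq $key } |
                   Select-Object -First 1
            if ($hit) {
                $status  = 'NearMiss'
                $closest = "'$hit'"   # quoted so stray whitespace is visible
            }
        }
        [pscustomobject]@{ ChoiceValue = $choice; Status = $status; Label = $closest }
    }
}

$report = Test-LabelMapping -Choices $ChoiceValues -Labels $LabelNames
$report | Format-Table -AutoSize

$problems = @($report | Where-Object { $_.Status -ne 'ExactMatch' })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) choice value(s) have no identically named label."
}
```

With the constructed sample, General is reported as ExactMatch and the other two values as NearMiss, so the renames can be made before the policy is published in STEP 5.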
My Thoughts
I can see several use cases for this setup in SharePoint; however, at the time of this writing, there are several limitations I’ve discovered:
- This will only work if no label has already been applied to the document. Once a label has been applied to a document, changing the value of the SharePoint column (Classification in this example) will not change the AIP label to that updated value.
- You have to open the document and save it in an Office app in order for the label sensitivity property to be updated. This means you cannot simply change the Classification property in SharePoint to change the AIP label without going into the Office app.
- If you change the label classification while in the document, it will not update the Classification metadata property in SharePoint. This is a one-way sync.
This feature is currently in preview mode and subject to change so the current behaviour I’ve observed may also change. If it does, I’ll update this post.
Thanks for reading.
-JCK
Credit: Photo by Aliis Sinisalu on Unsplash
Thanks found the missing piece in the puzzle, great series of articles.
With Unified Labels still a ways off from fully available is this still applicable?
Hi Berney,
Unified labels are now in Public Preview and at this time I’m unsure of how it will work in tandem with the Classification column discussed in this post. Here is a link to the Microsoft blog post discussing the move from AIP labels to the new Unified one: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-the-availability-of-unified-labeling-management-in/ba-p/262492
As I find out more, I’ll update this post.
-JCK
Hi Joanne:
Great post, useful and clear.
Could this work with a managed metadata column instead of a choice column?
Thanks
Hi Francisco, I don’t think it works for anything but choice.
-JCK
Hi Joanne, I can confirm it does not work with managed metadata column.
F.Matos
Does this work for SharePoint Online as well? Is it important/required to create a site column or can I create it for a library only?
Hi RichardG, I’ve only tried it with a site column. Assuming it will also work with a list column. The example I gave was from SPO.
-JCK
Hi Joanne, is this supported for SharePoint Server and Unified client? My customer would like to use metadata integration, but I am unable to find support for that. I am assuming this is not supported, but I wonder if there is any workaround for SharePoint Server. Maybe AIP scanner can help?
Thank you
Hi Jakob, the AIP unified label scanner is the way to go against your SP on-prem environment. Link: https://docs.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner
-JCK
It works on a SP 2013 on-prem environment with the unified labelling client with the below PowerShell.
It assumes you have a MMS type column “Classification” in SP. Repeat this call for every label as needed and ensure the rule name (TestRule5) is unique.
Set-Label -Identity "Test-Confidential" -AdvancedSettings @{labelByCustomProperties="TestRule5,Classification,5;#Test-Confidential|4d18ca4b-afa3-492d-93a9-231172edea3d"}