If you’re using Azure Information Protection (AIP) in your organization, you’ll know that once a document has been assigned an AIP label, it is stored in clear text as a document property. This is visible in the backstage of the Office client in Advanced Properties. What’s great about this is it allows the label to be leveraged in other applications simply by reading the document property.
An example of an application that can leverage this property is SharePoint search. We can find documents with a specific AIP label through SharePoint search targeted to a document library, site, site collection or even a tenant. I will demonstrate a practical example of doing this in the remainder of this post.
Please refer to my post, Use AIP Labels in DLP Policy Rules, where I discuss another application (DLP) that can leverage the AIP label. In that post, I demonstrate how to add an additional level of protection to your documents by checking for the existence of an AIP label when configuring DLP actions.
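As an added example (not code from the original post), here is how another application could read the label straight from the document property described above: the AIP client stores it inside the Office file's OOXML package as MSIP_Label_<label id>_* custom properties in docProps/custom.xml, the same names that later appear as crawled properties in the Search Schema step. The label GUID, the set date and the minimal sample document built here are constructed placeholders, not real tenant values.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# The AIP client writes one custom property per label field: MSIP_Label_<label GUID>_<field>
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-f-]{36})_(\w+)$", re.IGNORECASE)

def read_custom_properties(docx_bytes):
    """Return {name: value} for every entry in docProps/custom.xml (empty if the part is absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}  # a never-labelled file often has no custom-properties part at all
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        value_el = prop.find(f"{{{VT_NS}}}lpwstr")  # label fields are stored as strings
        props[prop.get("name")] = (value_el.text or "") if value_el is not None else ""
    return props

def aip_labels(docx_bytes):
    """Group the MSIP_Label_* properties by label id: {guid: {field: value}}."""
    labels = {}
    for name, value in read_custom_properties(docx_bytes).items():
        m = LABEL_RE.match(name)
        if m:
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return labels

def enabled_label_names(docx_bytes):
    """Display names of the labels currently applied (_Enabled == true), sorted."""
    return sorted(f["Name"] for f in aip_labels(docx_bytes).values()
                  if f.get("Enabled", "").lower() == "true" and "Name" in f)

# Constructed sample so the demo runs offline; the GUID is a placeholder, not a real label id.
SAMPLE_LABEL_ID = "00000000-1111-2222-3333-444444444444"
def build_sample_docx(label_name=None):
    """Build a minimal zip holding only docProps/custom.xml (a real .docx has many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if label_name is not None:
            fields = {"Enabled": "true", "SetDate": "2019-01-01T00:00:00Z", "Name": label_name}
            body = "".join(
                f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
                f'name="MSIP_Label_{SAMPLE_LABEL_ID}_{k}"><vt:lpwstr>{escape(v)}</vt:lpwstr></property>'
                for i, (k, v) in enumerate(fields.items(), start=2))
            zf.writestr("docProps/custom.xml", f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{body}</Properties>')
    return buf.getvalue()
```

Point `enabled_label_names()` at the bytes of any real .docx/.xlsx/.pptx to list the labels applied to it; a file with no custom-properties part simply yields an empty list.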
Scenario: You have configured a scoped policy in your organization that includes an AIP label for a special project called Alpha Project to be applied to all of the project’s confidential documents. For this label, you may have configured some extra protection controls in AIP such as encryption, preventing copying/forwarding and inserting visual markings (watermark/header/footer).
Note: a scoped policy is different from the global policy in that it targets a subset of users in your organization so only they see the label as an option in their Office clients. To be clear, although this post is walking through the steps of doing this for a label in a scoped policy, the same steps apply for any label in the global policy.
What if we wanted to show all of the Alpha Project’s Confidential documents to a security officer or auditor? We can do this by combining AIP and SharePoint Search. Awesome!
TLDR? Here are the steps:
- Create an AIP Label in a policy
- Publish the policy
- Add some documents to a SharePoint library
- Label some of them with the AIP label
- Wait for them to be crawled
- In the tenant’s search schema, create a managed property mapped to the crawled property sensitivity that will contain the AIP label values
- Re-crawl your document library
- Test search results for the AIP-labeled documents
- Build a page with a web part to show the AIP-labeled documents
Step 1 and 2: Create and Publish AIP Labels
In this example, I start by creating a scoped policy for Alpha Project in the Azure Portal. A scoped policy inherits all labels from the Global Policy which, in this particular tenant, includes these 3 labels: General, Confidential, Top Secret. You assign a group of users that will receive the policy (I’ve assigned a Microsoft Teams group called Joanne’s Team) and add a sub-label under the Confidential label called Alpha Project.
Publish the Policy.
Steps 3 and 4: Add Documents and Label them
When you are in the Office client programs, you will see an Information Protection bar under the Office ribbon. It will display your published AIP labels. Since I am a member of Joanne’s Team, I will see these labels:
I created several documents in my Microsoft Team’s library in the General channel (folder) and labeled 3 of them with the Alpha Project label. They are highlighted by the red stars in the image below.
Note: in the image above, the Block access indicator is showing on 3 other documents I labeled Top Secret. This is a visual indicator from the DLP Policy rule in effect for documents with an AIP label of Top Secret. I demonstrate this in another post of mine, Use AIP Labels in DLP Policy Rules.
Steps 5, 6 and 7: Search Schema and Crawling
These steps will be familiar to you if you’ve done any kind of search configuration in SharePoint. The crawled property for the AIP labels is called Sensitivity.
Note: The AIP labels are also in the crawled properties with the name MSIP_Label_*_Name where * is the ID of the Label. You can find the ID on the bottom of the configuration screen for each label. Please refer to this post by @MikaelSvenson titled Using Azure Information Protection (AIP) Labels in SharePoint search where he shows how to use those crawled properties.
I recently discovered the Sensitivity crawled property was also in the search schema which allowed for a simpler mapping (and appears to work equally as well).
Map the Sensitivity crawled property to one of the RefinableString## pre-configured managed properties in the search schema. In this example, I’ve mapped it to RefinableString02 and given it a descriptive alias. Once you’ve done this, initiate another crawl on the library/site where your content is stored.
Step 8: Test
To ensure the managed property has been populated with the AIP label names, search on the managed property in the search box at the top left of the SharePoint site. You should get your 3 Confidential documents for Alpha Project returned as results. (You could also search by the alias: SensitivityAlias:Confidential \ Alpha Project)
Step 9: Build a Page
In addition to just issuing a plain old search request like above to get your results, you can also create a page to surface the search results. In the classic experience, you can create a classic page with a Content Search Web Part. In the modern experience, you can create a modern page with a Highlighted Content Web part. Whichever option you choose, you need to filter on the RefinableString02 managed property to only see the Confidential \ Alpha Project documents. In this example, I’ve created a modern page with a Highlighted Content Web part. Here is the filter:
… and here are all documents returned with a Confidential \ Alpha Project label in the Microsoft Team’s site collection.
This post has shown how to tie together the Protection Controls implemented by AIP with the search capability of SharePoint. I’m interested to learn about different ways we can leverage the AIP label sensitivity property in other applications.
Thanks for reading.
Credit: Photo by Nikita Vantorin on Unsplash
But this does not mean that, if those documents are encrypted, the search service can read the content, right?
It can only read the Sensitivity property and not the file content?
This is true. There is an update currently in Public Preview that will *also* allow the contents of the encrypted document to be indexed by search as well. Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files
Thank you for sharing this