If you’re using Azure Information Protection (AIP) in your organization, you’ll know that once a document has been assigned an AIP label, it is stored in clear text as a document property called Sensitivity. This is visible in the backstage of the Office client in Advanced Properties. What’s great about this is it allows the label to be leveraged in other applications simply by reading the document property.
An example of an application that can leverage this property is Data Loss Prevention (DLP). We can configure DLP rules based on AIP labels as an added level of protection for documents. This is what I’ll demonstrate in this post.
Please refer to this post, Use AIP Labels in SharePoint Search, where I discuss another way to leverage the AIP label using the SharePoint search mechanism.
Scenario: You have a Top Secret AIP label configured in your organization to be used for all highly sensitive documents. You may have configured some protection controls in AIP such as encryption, preventing copying/forwarding and inserting visual markings (watermark/header/footer). For additional data protection, you may also want a DLP Policy with a rule enabled on any content labeled Top Secret to block people from sharing or to restrict access to everyone except the primary site collection admin, document owner and person who last modified it. In this post, I’ll demonstrate how to restrict access. Check out my other post, A SharePoint Content Type DLP Policy, to see how to block external sharing at a document content type level.
TLDR? Here are the steps:
- Create the AIP labels in a policy
- Publish the AIP Policy
- Add some documents to a document library
- Label some documents with the Top Secret AIP Label
- Wait for them to be crawled
- Create a managed property mapped to the Sensitivity crawled property
- Test search results for the AIP-labeled documents
- Add a DLP Policy and DLP Rule for the Top Secret label via PowerShell
- Wait for DLP Policy to take effect
- Monitor document library to ensure DLP action is enforced
Step 1 and 2: Create AIP Labels and Publish
Configure AIP labels in the Azure Portal by adding them to the Global Policy. In this example, I’ve added 3 labels: General, Confidential, Top Secret:
Step 3 and 4: Add documents and label them
If you have AIP configured in your environment, you will see an Information Protection bar under the Office ribbon in the Office client programs (not in the Online versions). It will display your published AIP labels.
In this example, I created several documents on a Microsoft Team’s library in the General channel (folder) and labeled five of them Top Secret. They are highlighted by the yellow stars in the image below.
Step 5 and 6: Search Configuration
These steps will be familiar to you if you’ve done any kind of search configuration in SharePoint. The crawled property for the AIP labels is called Sensitivity.
Note: The AIP labels are also in the crawled properties with the name MSIP_Label_*_Name where * is the ID of the Label (you can find the ID on the bottom of the configuration screen for each label). Please refer to this post by @MikaelSvenson titled Using Azure Information Protection (AIP) Labels in SharePoint search where he shows how to use those crawled properties.
I recently discovered the Sensitivity crawled property was in the search schema as well which allowed for a simpler mapping (and appears to work equally as well).
Map the Sensitivity crawled property to one of the RefinableString## pre-configured managed properties in the search schema. In this example, I’ve mapped it to RefinableString02, provided a descriptive alias, SensitivityAlias, and initiated another crawl on the library/site where the content is stored.
Step 7: Test
To ensure the managed property has been populated with the AIP Label names before we set up the DLP rules, search for the managed property on the top left search box on the SharePoint site. You can use either the RefinableString02 or SensitivityAlias names in your search query. Once content is crawled, you will get your 5 Top Secret documents returned as results:
Step 8: Create DLP Policy and Rule via PowerShell
Now that we have the search index returning the AIP labels, we can leverage this in our DLP rule.
We cannot add a rule pointing to an AIP Label thru the UI so we must use PowerShell. Refer to Create a DLP policy to protect documents with FCI or other properties for detailed instructions on the PowerShell commands and references.
DLP Policies are configured in the Security & Compliance center so we start by connecting to that to run our PowerShell. Reference: Connect to the S&C Center
Create a new DLP Policy called TopSecret_policy to be applicable to all Exchange, SharePoint and OneDrive locations:
[code language=”powershell” light=”true”]
New-DlpCompliancePolicy -Name TopSecret_policy -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable
Create a DLP Rule in the TopSecret_policy by leveraging the RefinableString02 managed property. In this example, I’ve chosen to block access to Top Secret documents to anyone inside the organization with the exception of the owner, author and site owner and will place the Blocked Access red icon on each of those documents.
Note: you can use either the managed property name, RefinableString02, or the alias name, SensitivityAlias, in the DLP compliance rule. Both will work although the alias will make it much easier for others looking at the rule to know which property the rule is for.
- “RefinableString02:Top Secret”
- “SensitivityAlias:Top Secret”
[code language=”powershell” light=”true”]
New-DlpComplianceRule -Name TopSecret_content -Policy TopSecret_policy -AccessScope InOrganization -BlockAccess $true -ContentPropertyContainsWords “SensitivityAlias:Top Secret” -Disabled $false
Once the DLP Policy and Rule have been added via PowerShell, you will see them in the Data Loss Prevention section of the Security & Compliance Center. However, you will not be able to view the details of the rule or change it thru the UI.
Step 9: Wait for DLP Policy to take effect
DLP policies are synced to the locations we’ve configured in the policy and will then asynchronously start to evaluate the content and enforce the block access restriction we’ve configured on the rule.
In just a few minutes, the Blocked Access indicators were there!
Important: DLP leverages the search index in SharePoint to constantly monitor new and changed content. Due to this, there is a period of time before content is crawled when a DLP rule may not detect content that it should.
Note: as soon as the DLP action took effect, this prevented these documents from being returned in search results due to the BlockAccess restriction. However, know that the documents are still being crawled in order for the DLP rules and actions to be applied on any new/changed documents.
Step 10: Monitor Library for Blocked Access indicators
As you can see by the image below, the DLP blocked access indicators are now showing for the 5 documents labeled with the Top Secret AIP label. Great news!
It is my opinion that you should use both AIP and DLP to protect your documents and to safeguard against accidental sharing of sensitive information. This is one way of doing that.
Thanks for reading.