Azure Information Protection – Integrate AIP with Cloud App Security to automatically apply labels

If you relies on cloud files repositories (like SharePoint Online) you can integrate Azure Information Protection (AIP) with Microsoft Cloud App Security (MCAS) to automatically apply labels on your files and improve your data governance.

To do so, you need:

  • Azure Information Protection capability activated on your tenant and have labels configured (this should go without saying Open-mouthed smile)
  • Microsoft Cloud App Security (
  • Have a Files Policy configured
  • and off course appropriate license applied to your users
    • Azure Information Protection: AIP P1 / EMS E3
    • Microsoft Cloud App Security: MCAS Standalone / EMS E5
    • To enable “Session control” – AAD P1 (In case you own MCAS Standalone)

Integrate AIP with MCAS

To integrate Azure Information Protection with Cloud App Security you need to grant permissions to MCAS.

Access your MCAS portal ( and go the Settings and reach the Information Protection\Azure Information Protection blade or just use the direct URL


Enable the first option to enable AIP scanner on your cloud files repositories and the second option (optional) if you wish to scan files only in your tenant; if you keep this second option unchecked AIP will be able to scan files from other tenant, like when you receive a file from an external partner and save it to SharePoint). NOTE by keeping it unchecked you are not granting AIP permissions to access other tenant files

and grant the permission



Enable file monitoring

Access the Settings\Information Protection\Files configuration blade to enable file monitoring



Create a policy

Still from the MCAS portal, access the Control\Policies blade and create a new File Policy


Name your policy and define the filter to set where the policy will be applied

Select App then equal and select Microsoft OneDrive for Business and Microsoft SharePoint Online and enable content inspection to define content filtering,  with the Inspect protected files option enabled and you can then define the AIP label to be applied in the Governance section



You can add additional filters if you want/need

NOTE you may have to connect MCAS to Office 365 first by accessing the Investigate\Connected apps configuration blade and select Office 365



Implement Session Control

You can then create session control to monitor download of document and block it.

NOTE first you need to have setup Conditional Access in Azure AD/Intune to route the session to MCAS

From the Control\Policies blade, create a new Session Policy


Name the policy and select Control file download (with DLP) or Control file upload (with DLP) for the Session Control Type and choose Block as Action


As result, when your end-user is trying to download a file matching the Session Policy, a message will be displayed and the download will be blocked


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.