If you rely on cloud file repositories (like SharePoint Online), you can integrate Azure Information Protection (AIP) with Microsoft Cloud App Security (MCAS) to automatically apply labels to your files and improve your data governance.
To do so, you need:
- Azure Information Protection capability activated on your tenant and labels configured (this should go without saying)
- Microsoft Cloud App Security (https://portal.cloudappsecurity.com)
- Have a Files Policy configured
- and of course the appropriate licenses applied to your users:
- Azure Information Protection: AIP P1 / EMS E3
- Microsoft Cloud App Security: MCAS Standalone / EMS E5
- To enable “Session control” – AAD P1 (In case you own MCAS Standalone)
Integrate AIP with MCAS
To integrate Azure Information Protection with Cloud App Security you need to grant permissions to MCAS.
Access your MCAS portal (https://portal.cloudappsecurity.com), go to Settings and open the Information Protection\Azure Information Protection blade, or just use the direct URL https://portal.cloudappsecurity.com/#/settings/?section=securityConnectors
Enable the first option to enable the AIP scanner on your cloud file repositories. The second option (optional) restricts scanning to files from your own tenant; if you keep it unchecked, AIP will also be able to scan files from other tenants (for example, a file you receive from an external partner and save to SharePoint). NOTE: keeping it unchecked does not grant AIP permissions to access other tenants' files.
Then grant the permission.
Enable file monitoring
Access the Settings\Information Protection\Files configuration blade to enable file monitoring
Create a policy
Still from the MCAS portal, access the Control\Policies blade and create a new File Policy
Name your policy and define the filter to set where the policy will be applied
Select App, then equals, and select Microsoft OneDrive for Business and Microsoft SharePoint Online. Enable content inspection to define content filtering, with the Inspect protected files option enabled. You can then define the AIP label to be applied in the Governance section.
You can add additional filters if you want/need
NOTE: you may have to connect MCAS to Office 365 first by accessing the Investigate\Connected apps configuration blade and selecting Office 365.
Implement Session Control
You can then create a session control policy to monitor document downloads and block them.
NOTE: first you need to have set up Conditional Access in Azure AD/Intune to route the session to MCAS.
From the Control\Policies blade, create a new Session Policy
Name the policy, select Control file download (with DLP) or Control file upload (with DLP) as the Session Control Type, and choose Block as the Action.
As a result, when an end user tries to download a file matching the Session Policy, a message is displayed and the download is blocked.