Secure SharePoint Online data – Part 3

This is part three of my blog posts about securing SharePoint Online data. In the first post about this topic, I showed some simple steps to start securing your SharePoint Online data by requiring modern authentication and setting Conditional Access.
In the second post, we went a step further by using Office 365 labels and using DLP Policies.
In this third post I will show you how to provide encryption and apply permissions to files stored in SharePoint Online by using an Azure Information Protection (AIP) label. Applying an AIP label can be done manually, but I will also show you how to integrate AIP with Cloud App Security, for automatically applying an AIP label to all (supported) files in a SharePoint Online document folder.

Create Azure Information Protection label

To start using Azure Information Protection we first need to make sure Azure RMS is activated. Follow these steps to activate Azure RMS.

Now logon to the Azure portal via Click Azure Information Protection on the left menu and click Labels. In this example I will create a sub label under Highly Confidential for my Finance department. Click on the three dots behind Highly Confidential and click Add a sub-label to create a new sub-label.

AIP Labels

Give your sub-label a Name and Desctiption, select Protect under Set permissions for documents and emails containing this label and click Protection Azure (Clod key).

Create sub-label

We need to specify permissions for this label. I assign permissions for my Finance security group, but you can set permissions for multiple groups with different permissions.
Under the Protection settings click Add permissions.


On the Add permissions blade click Browse directory.

Browse directory

On the AAD Users and Groups select your security group (the group needs to be mail-enabled) and click Select.

AAD Users and Groups

Under Choose permissions from preset or set custom we can choose one of the predefined sets of permissions or set custom permissions. Select a set of permissions or create a custom set. Click OK twice. Click Save and click OK again.

Set permissions

Now the sub-label is created, we need to assign this label to a new or existing policy so users can assign the label to a document. Click Policies on the right and choose the Global policy.
Click Add or remove labels. Select the newly created label, click OK, click Save and click OK again.

Add label

End-user experience

The new Azure Information Protection label can now be assigned manually by an user, for example using Excel from a Windows 10 device.

At moment of writing this requires installing the AIP Client on the Windows device and on MacOS the function is builtin Office, but in preview.

Label in Excel

AIP and Cloud App Security

If you purchase Azure Information Protection Premium P2 you are able to set conditions to automatically apply a label. For example you can set a condition to label all files which contain a credit card number with the previous created Finance label.
You can also go a step further in automatically applying a label by integrating Azure Information Protection with Cloud App Security (CAS). In this example I will shows how to connect AIP with CAS and apply the Finance label to all supported files in the document folder on the Finance SharePoint Online site.

Connect AIP and CAS

Setting up the connection between Azure Information Protection and Cloud App Security needs to be done from the CAS portal. Open the CAS portal via Click Connect apps.

Cloud App Security portal

Click on the + Plus sign on the right and choose Office 365.

Connected Apps

Click Connect Office 365

Connect Office 365

Your Office 365 tenant will be scanned for users, data and activities.

Scanning users, data and activities

Click Test now to test the connection between CAS and AIP. You see it already found some users and will continue with scanning. Depending on the numbers of data it can take some while to complete.


When scanning is complete you see Office 365, Microsoft OneDrive for Business and Microsoft SharePoint Online are listed as connected apps.

Connected apps

Click the settings button on the right corner and choose Settings.On the Azure Information Protection tab select Automatically scan new files for AIP labels and content inspection warnings. Click Save.

CAS Settings

From the menu on the left click Control and Policies.

CAS menu

Click Create Policy and choose File policy.

Create a File policy

Give your policy a name and description. Remove all predefined filters under Create a filter for the files this policy will act one. Add a new filter and select Parent folder as filter. Click Select folder.

Create file policy

Search for the folder you want to automatically apply your AIP label to. I will apply the label to the Shared Documents folder under my Finance SharePoint Online site. Select the folder and click Done.

Select a folder

Back in the policy, click Microsoft SharePoint Online and select Apply classification label. From the drop-down list select your AIP label, in my case Highly Confidential – Finance. Click Create to finish creating the File policy.
If the AIP label is created recently and the connection between AIP and CAS is created recently, it can take some time before you see the newley created AIP label.

Apply classification label

From the left menu Click Investigate and Activity Log. Filter the activity log by selecting Microsoft SharePoint Online. You see activities Apply Azure Information Protection classification labels. CAS is applying your AIP label to files in the selected SharePoint Online folder.

Activity log

The Policies tab is one of the locations from where you can see files matching your policy. Find your policy, click the three dots (View all matches). Click on one of the files to see information about the file and also the classification label applied.

Matching files

Be aware that when Azure Information Protection encryption is applied to files stored in Office 365, the service cannot process the contents of these files. Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work.

Be the first to comment

Leave a Reply

Your email address will not be published.