How to configure Azure MIP in Data Loss Prevention
Technical Articles ID: KB91833
Last Modified: 2023-11-16 06:47:21 Etc/GMT

Environment
DLP Endpoint 11.10.x, 11.6.x
DLP Monitor 11.10.x
DLP Prevent 11.10.x

Summary
This article provides information about the Azure Microsoft Information Protection (MIP) support in DLP Discover 11.10.x and 11.7.x, DLP Endpoint 11.10.x and 11.6.x, and DLP Prevent and DLP Monitor 11.10.x. It also describes the configuration process needed to use it.

NOTE: Registering multiple Azure servers in ePolicy Orchestrator (ePO) can cause performance slowness. We recommend that you add only the Azure servers that you need.

Contents:
Perform the following tasks:

- Register a client application with Azure Active Directory (AD):

To use the Azure MIP function in the DLP Discover server, the client application must be registered with the Azure AD. To register the client application, perform the following steps:
1. Log on to the Azure portal with a user that's defined as a super-user in the organizational account in Azure.
2. In the left navigation pane, select the Azure Active Directory service, and select App registrations, New registration.
3. In the Register an application page, enter your application's registration information:
   - Name: Enter a meaningful application name that's displayed to users of the app.
   - Supported account types: Select Accounts in this organizational directory only.
   - Redirect URI (optional): You can leave this field blank.
4. Select Register. Azure AD assigns a unique application (client) ID to your app, and you're redirected to your application's Overview page.
5. Copy the values of two fields: Application (client) ID and Directory (tenant) ID. You need them later to create the Azure server configuration in ePO Registered Servers.
6. Click API permissions under Manage, and click Add a permission. The Request API permissions page appears.
7. Add the MIP APIs and permissions that the application needs at runtime:
   - On the Select an API page, click Azure Rights Management Services.
   - On the Azure Rights Management Services API page, click Application permissions.
   - In the Select permissions section, expand the Content node and select the Content.DelegatedReader, Content.DelegatedWriter, and Content.SuperUser permissions. This option allows the application to create and access protected content for all users in your organizational account in Azure.
   - Click Add permissions to save.
8. Repeat step 7 above, and search for the API from the Select an API page:
   - On the Select an API page, click APIs my organization uses. In the search field, type Microsoft Information Protection Sync Service and select it.
   - On the Microsoft Information Protection Sync Service API page, click Application permissions.
   - Expand the UnifiedPolicy node and verify UnifiedPolicy.Tenant.Read.
   - Click Add permissions to save.
9. On the API permissions page, click Grant admin consent for (Tenant Name), and then click Yes. This selection gives pre-consent to the application using this registration to access the APIs under the specified permissions. If you sign in as a global administrator, consent is recorded for all users in the tenant that run the application. Otherwise, it applies only to your user account.
10. Click Certificates & secrets under Manage, and then click New client secret:
   - Add a description for your client secret, select a duration, and click Add.
   - Copy and save the created client secret value.
To use Azure functions with DLP Endpoint, the client application must be registered with the Azure AD. To register the client application, perform the following steps:
NOTE: Currently, DLP supports only corporate environments that use Hybrid Azure AD [Federation Services, Password-Hash Sync, and Pass-through authentication (PTA)].
1. Log on to the Azure portal with a user that's defined as a super-user in the organizational account in Azure.
2. In the left navigation pane, select the Azure Active Directory service, and select App registrations, New registration.
3. In the Register an application page, enter your application's registration information:
   - Name: Enter a meaningful application name that's displayed to users of the app.
   - Supported account types: Select Accounts in this organizational directory only.
   - Redirect URI (optional): This field can be left blank.
4. Select Register. Azure AD assigns a unique application (client) ID to your app, and you're redirected to your application's Overview page.
5. Copy the values of two fields: Application (client) ID and Directory (tenant) ID. You need them later to create the Azure server configuration in ePO Registered Servers.
6. In the list of pages for the app, select Manifest, and perform the following:
   - Set the allowPublicClient property to true in the manifest editor.
   - Click Save in the bar above the manifest editor.
   - Verify that signInAudience is set to AzureADandPersonalMicrosoftAccount.
   - Verify that accessTokenAcceptedVersion is set to 2.
7. Click API permissions under Manage, and click Add a permission. The Request API permissions page appears.
8. Add the MIP APIs and permissions that the application needs at runtime:
   - On the Select an API page, click Azure Rights Management Services.
   - On the Azure Rights Management Services API page, click Application permissions.
   - In the Select permissions section, expand the Content node and select Content.DelegatedReader, Content.DelegatedWriter, Content.Writer, and Content.SuperUser. This option allows the application to create and access protected content for all users in your organizational account in Azure.
   - Change the type of permissions to Delegated permissions, and select the user_impersonation permission.
   - Click Add permissions to save.
9. Repeat step 7 and search for the API from the Select an API page:
   - On the Select an API page, click APIs my organization uses. In the search field, type Microsoft Information Protection Sync Service and select it.
   - On the Microsoft Information Protection Sync Service API page, click Application permissions.
   - Expand the UnifiedPolicy node and select UnifiedPolicy.Tenant.Read.
   - Change to Delegated permissions, and select UnifiedPolicy.User.Read.
   - Click Add permissions to save.
10. Repeat step 7 and search for the API from the Select an API page:
   - On the Select an API page, click Microsoft Graph.
   - On the Microsoft Graph page, click Application permissions.
   - In the Select permissions section, select the User.Read.All, Policy.Read.All, Member.Read.Hidden, InformationProtectionPolicy.Read.All, Group.Read.All, Domain.ReadWrite.All, Device.ReadWrite.All, Application.ReadWrite.OwnedBy, and Application.ReadWrite.All permissions.
   - Change the type of permissions to Delegated permissions, and select the User.Read, User.Read.All, User.ReadBasic.All, and Group.Read.All permissions.
   - Click Add permissions to save.
11. On the API permissions page, click Grant admin consent for (Tenant Name), and then click Yes. This selection gives pre-consent to the application using this registration to access the APIs under the specified permissions. If you sign in as a global administrator, consent is recorded for all users in the tenant that run the application. Otherwise, it applies only to your user account.
12. Click Certificates & secrets under Manage, and then click New client secret:
   - Add a description for your client secret, select the duration, and click Add.
   - Copy and save the created client secret value.
13. See Information protection and perform the following when configuring labels:
   - If the label is set to Encryption, make sure that the users who use the label have at least Co-Owner rights on the label.
   - Verify that the label is set to the used policy:
     - Go to Label Policies and check whether the label is visible under the Published Labels section.
     - If it's not visible, assign the label using the Edit Policy option.
For more information about how to create and publish labels, see this Microsoft documentation.
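As an added example that is not part of this article or of the DLP product, the following Python check compares an app manifest exported from the portal's Manifest page with the three manifest values the DLP Endpoint steps require, and confirms that both application (Role) and delegated (Scope) permissions were added. The resource and permission ids in the constructed samples are placeholders, not real Azure ids.

```python
import json

# Manifest values the DLP Endpoint registration steps in this article require.
REQUIRED_VALUES = {
    "allowPublicClient": True,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "accessTokenAcceptedVersion": 2,
}


def check_manifest(manifest_json):
    """Return a list of findings for an exported app manifest; empty means it matches."""
    manifest = json.loads(manifest_json)
    findings = []
    for key, want in REQUIRED_VALUES.items():
        if key not in manifest:
            findings.append(f"{key}: missing, expected {want!r}")
            continue
        have = manifest[key]
        # Check the type too: JSON null, "2" or 1 must not pass as 2 or true.
        if type(have) is not type(want) or have != want:
            findings.append(f"{key}: is {have!r}, expected {want!r}")
    # The Endpoint steps add both application (Role) and delegated (Scope) permissions.
    kinds = {access.get("type") for resource in manifest.get("requiredResourceAccess", [])
             for access in resource.get("resourceAccess", [])}
    for kind, label in (("Role", "application"), ("Scope", "delegated")):
        if kind not in kinds:
            findings.append(f"requiredResourceAccess: no {label} permissions ({kind}) configured")
    return findings


# Placeholder ids for the constructed samples below; not real API or permission ids.
API_ID, ROLE_ID, SCOPE_ID = "api-placeholder", "role-placeholder", "scope-placeholder"

# Constructed sample: a new registration before the manifest edits and delegated permissions.
SAMPLE_BEFORE = json.dumps({
    "allowPublicClient": None, "signInAudience": "AzureADMyOrg", "accessTokenAcceptedVersion": None,
    "requiredResourceAccess": [{"resourceAppId": API_ID,
                                "resourceAccess": [{"id": ROLE_ID, "type": "Role"}]}],
})

# Constructed sample: the same registration after completing the steps.
SAMPLE_AFTER = json.dumps({
    "allowPublicClient": True, "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "accessTokenAcceptedVersion": 2,
    "requiredResourceAccess": [{"resourceAppId": API_ID, "resourceAccess": [
        {"id": ROLE_ID, "type": "Role"}, {"id": SCOPE_ID, "type": "Scope"}]}],
})

if __name__ == "__main__":
    print(check_manifest(SAMPLE_BEFORE) or "OK", check_manifest(SAMPLE_AFTER) or "OK")
```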
To use the Azure MIP function in the DLP Prevent and DLP Monitor servers, the client application must be registered with the Azure AD. For a description of the rights required for application registrations, see Microsoft API Permissions.
To register the client application, perform the following steps:
1. Log on to the Azure portal with a user that's defined as a super-user in the organizational account in Azure.
2. In the left navigation pane, select the Azure Active Directory service, and select App registrations, New registration.
3. In the Register an application page, enter your application's registration information:
   - Name: Enter a meaningful application name that's displayed to users of the app.
   - Supported account types: Select Accounts in this organizational directory only.
   - Redirect URI (optional): You can leave this field blank.
4. Select Register. Azure AD assigns a unique application (client) ID to your app, and you're redirected to your application's Overview page.
5. Copy the values of two fields: Application (client) ID and Directory (tenant) ID. You need them later to create the Azure server configuration in ePO Registered Servers.
6. Click API permissions under Manage, and click Add a permission. The Request API permissions page appears.
7. Add the MIP APIs and permissions that the application needs at runtime:
   - On the Select an API page, click Azure Rights Management Services.
   - On the Azure Rights Management Services API page, click Application permissions.
   - In the Select permissions section, expand the Content node and select the Content.DelegatedReader, Content.DelegatedWriter, and Content.SuperUser permissions. This option allows the application to create and access protected content for all users in your organizational account in Azure.
   - Click Add permissions to save.
8. Repeat step 7 above, and search for the API from the Select an API page:
   - On the Select an API page, click Azure Rights Management Services.
   - On the Azure Rights Management Services API page, click Delegated permissions.
   - In the Select permissions section, select the user_impersonation permission. This option allows the application in Azure Active Directory to perform actions on behalf of a particular user.
   - Click Add permissions to save.
9. Repeat step 7 above, and search for the API from the Select an API page:
   - On the Select an API page, click APIs my organization uses.
   - In the search field, type Microsoft Information Protection Sync Service and select it.
   - On the Microsoft Information Protection Sync Service API page, click Application permissions.
   - Expand the UnifiedPolicy node and verify UnifiedPolicy.Tenant.Read.
   - Click Add permissions to save.
10. Repeat step 7 above, and search for the API from the Select an API page:
   - On the Select an API page, click APIs my organization uses.
   - In the search field, type Microsoft Information Protection Sync Service and select it.
   - On the Microsoft Information Protection Sync Service API page, click Delegated permissions.
   - Expand the UnifiedPolicy node and verify UnifiedPolicy.User.Read.
   - Click Add permissions to save.
11. On the API permissions page, click Grant admin consent for (Tenant Name), and then click Yes.
   NOTE: This selection gives pre-consent to the application using this registration to access the APIs under the specified permissions. If you sign in as a global administrator, consent is recorded for all users in the tenant that run the application. Otherwise, it applies only to your user account.
12. Click Certificates & secrets under Manage, and then click New client secret:
   - Add a description for your client secret, select a duration, and click Add.
   - Copy and save the created client secret value.
13. To follow the Firewalls and network infrastructure requirements, see Microsoft Learn.
- Register an Azure Server in ePO Registered Servers:
After the client application is created in the Azure portal, you need to define an Azure server in the ePO configuration.
NOTE: Make sure that the rights management owner is the app owner in the app you're using. You can view it in the Owners tab under the Application Settings.
Also, labels used in Azure must be added manually to the server definition. These labels can then be selected when you define an RM policy reaction for the Azure server. For more details about this task, see the Data Loss Prevention Installation Guide for your product version.

- Register an Azure server for Microsoft Information Protection:
NOTE: This topic applies to DLP Endpoint for use with MVISION ePO. DLP Endpoint for use with MVISION ePO can integrate with Azure Microsoft Information Protection (MIP).
Register an Azure server and protection labels so that you can select them for protection in rule reactions.
1. In MVISION ePO, select Menu, DLP Policy Manager, Definitions.
2. In the left pane, in the RM Servers category, select Microsoft Information protection. Click Actions, New Item.
3. Enter a name for the server configuration and an optional description.
4. Enter the Application (Client) ID and Directory (Tenant) ID as defined in your Azure application registration details.
5. Enter each AIP label name and AIP label ID as it appears in your Azure account.
6. Click Save when you've completed the configuration.
Your Azure server and information protection labels are now saved. You can create a Classification using the Azure Information Protection labels and add it to a data protection rule.
For product documents, go to the Product Documentation portal.
Related Information
Troubleshooting Azure Token Acquisition
Locate the following DLP Text extractor log content:
"... AcquireADALToken] Failed to acquire token, status:" <Status#>
Example: "AcquireADALToken] Failed to acquire token, status: CAA20003"

Status code translation:
CAA2000C - The request requires user interaction. This means that silent token acquisition fails.
Check the following:
- Azure AD Seamless Single Sign-On (SSO) is selected as the Authentication method.
- Multifactor Authentication (MFA) is disabled for the app.
- In the permissions section, administrator consent must be granted.
This error indicates a wrong username or password for AD Password Authentication. Make sure that the username and password are correct.

CAA82EE7 - The server name can't be resolved.
For more information, see this documentation.

CAA90018 - Can't discover a user realm.
For more information, see this Microsoft documentation.
Failure to connect to a user realm endpoint and perform realm discovery (Windows 10 version 1809 and later only).
- The device must have access to Microsoft in the SYSTEM context. This access allows the device to perform realm discovery for the verified domain. It also needs to determine the domain type (managed or federated).
- If the on-premises environment needs an outbound proxy, IT must make sure that the SYSTEM context on the device can discover and silently authenticate to the outbound proxy.
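As an added example that is not part of this article, the following Python script scans DLP Text extractor log lines for the AcquireADALToken failure quoted above, counts each status code, and maps it to the translation and checks listed in this section. The sample log lines are constructed, and the timestamp and component prefix around the quoted text are assumed, not the product's exact log layout.

```python
import re
from collections import Counter

# Status-code translations and checks as listed in this article (KB91833).
STATUS_TABLE = {
    "CAA2000C": (
        "The request requires user interaction (silent token acquisition failed).",
        ["Azure AD Seamless SSO is selected as the authentication method",
         "MFA is disabled for the app",
         "Administrator consent is granted in the API permissions section"],
    ),
    "CAA82EE7": ("The server name can't be resolved.", []),
    "CAA90018": (
        "Can't discover a user realm (Windows 10 1809 and later).",
        ["The device can reach Microsoft in the SYSTEM context for realm discovery",
         "The SYSTEM context can discover and silently authenticate to any outbound proxy"],
    ),
}

# Matches the DLP Text extractor line quoted in the article; the status code is 8 hex digits.
TOKEN_FAILURE = re.compile(r"AcquireADALToken\] Failed to acquire token, status:\s*([0-9A-Fa-f]{8})")


def triage(log_lines):
    """Map each status code seen to (occurrences, description, checks to perform)."""
    counts = Counter()
    for line in log_lines:
        match = TOKEN_FAILURE.search(line)
        if match:
            counts[match.group(1).upper()] += 1
    report = {}
    for code, seen in counts.items():
        # Codes the article does not translate are still reported, not silently dropped.
        description, checks = STATUS_TABLE.get(code, ("Status code not translated in KB91833.", []))
        report[code] = (seen, description, checks)
    return report


# Constructed sample log lines in the article's format (not from a real endpoint).
SAMPLE_LOG = [
    "2023-11-16 06:47:21 [TextExtractor] AcquireADALToken] Failed to acquire token, status: CAA2000C",
    "2023-11-16 06:47:25 [TextExtractor] AcquireADALToken] Acquired token for resource",
    "2023-11-16 06:47:30 [TextExtractor] AcquireADALToken] Failed to acquire token, status: caa90018",
    "2023-11-16 06:47:31 [TextExtractor] AcquireADALToken] Failed to acquire token, status: CAA2000C",
    "2023-11-16 06:47:40 [TextExtractor] AcquireADALToken] Failed to acquire token, status: CAA20003",
]

if __name__ == "__main__":
    for code, (seen, description, checks) in triage(SAMPLE_LOG).items():
        print(f"{code} x{seen}: {description} checks={checks}")
```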