(beta) MIP Labels 1.0

Instructions for mapping MIP Labels to DSPM Data Classification

This beta release is available for select customers.

MIP labels 1.0 are supported for Azure and AWS sidecars for SharePoint and OneDrive accounts. Teams accounts are not supported.

Microsoft Purview sensitive labels can be mapped to and from DSPM to ensure that Data Classification used on DSPM reflects the sensitivity classification rules set up on Purview. This ensures consistency across the organization for Data Protection / Information Protection policies.

Data security team can create new sensitivity labels on Purview based on the organization requirement and these can be synced to DSPM. Once these are synced the MIP labels can be mapped with the Data Classification set up on DSPM and once it is done, all the documents from Microsoft OneDrive and Sharepoint can be updated with the labels based on the scan classification outcome from DSPM.

Micorsoft API supports limited set of File formats for which Sensitivity Labels can be applied. The list of the file formats is given here - https://learn.microsoft.com/en-us/purview/sensitivity-labels-sharepoint-onedrive-files#supported-file-types

For eg:

Some of the documents on OneDrive / Sharepoint are classified with Sensitivity Label "Public" based on a previous review. Post scanning task of the data from DSPM, it gets classified with PHI, then the user can update the MIP label to "PHI" for the document from DSPM admin configuration.

The details for each of the options and columns are as follows:

  1. Account - This shows the list of Microsoft Sharepoint or OneDrive accounts that are currently onboarded on DSPM.
  2. Save - This option is used to save the changes when a MIP label is mapped with a DSPM classification based on Information Protection policy definition.
  3. Sync Labels - This triggers the syncing of Sensitivity Labels that are created on Microsoft Purview to DSPM. By default when a cloud run for the Sharepoint / OneDrive account is run, it syncs all the labels from MIP to DSPM. Otherwise on selecting this it syncs on a standalone basis as well.

The details for the each of the columns are as follows:

  1. Normalyze Classification - This column lists all the data classification labels which are defined on DSPM platform.
  2. Normalyze Entities -This column lists the entities that are attached with each of the classification. This is not applicable for custom entities since they cannot be attached to a Data Classification label.
  3. Description - Details for each of the data classification field.
  4. MIP Label - This column shows if the DSPM data classification is mapped to a specific MIP label or not. If there are no mapping, then it shows "No Mapping" and when the mapping is setup, it shows the name of the "Sensitivity Label" as defined on the Purview platform.
  5. Action - The selection and assignment of MIP Labels to map with DSPM classification is done from this button.

The mapping has to be applied for Sharepoint and OneDrive separately since each is considered as an independent application from DSPM perspective.

Steps to map MIP Label with DSPM data classification labels are as follows:

  1. Navigate to Scan Config - MIP Labels

  2. For the specific DSPM Classification - select Action - Edit Mapping

  3. On selecting "Edit Mapping" - pop up block will come up which shows the list of all the Sensitivity labels synced from the Purview account.

  4. Select the sensitive label which is designated to be mapped with the selected DSPM Classification.

  5. Select Assign after selecting the MIP Label as shown in the above Screenshot.
  6. On selecting Assign, pop up window closes and the Save button gets enabled. The selected Sensitivity label is displayed under the MIP Label column

  7. On selecting Save, DSPM triggers the workflow which will apply the selected MIP Sensitivity Label to all those documents that are classified with the selected DSPM classification.

    For eg: in the above screenshot all the documents in DSPM which are part of Sharepoint or OneDrive application and have Data Classification "Tax" applied will be updated with the sensitivity label "Confidential:Trusted People" by Purview application on Sharepoint or OneDrive. For users reviewing the documents from Sharepoint application the applied label will be shown accordingly.

    After MIP labels are applied to files, a Full Data Scan must be run before the MIP labels will appear on the Files tab.

    You may not see the MIP labels on the Files tab immediately. It can take up to 24 hours for the labels to be applied to files.