If you use the Microsoft 365 Security platform and you have the licences to use Microsoft Cloud App Security (MCAS), I recommend to implement Azure Information Protection (AIP) into MCAS.
NOTE: MCAS was renamed to Defender for Cloud Apps
Azure Information Protection allows you to label and protect your documents also in an automated way. There are two ways to do that. First: You can use the AIP labels in Azure or second, you migrate your labels to the Office 365 Security & Compliance Center also called Unified Labels. Before you migrate your labels, be aware of some limitations of Unified Labels. Find a detailed overview in this article here.
First of all, assign a licence to your user to use MCAS (usually E5 or the Microsoft 365 Security Add-In) and then login to the MCAS portal. portal.cloudappsecurity.com
From there use the gear in the top right to configure or check your organization settings. They should already be filled out, as this information’s are tenant wide settings.
Navigate to Investigate and select Connected apps. On the plus sign add Office 365 as app and Connect the platform to MCAS.
Also make sure you have enabled Office 365 Auditing in the Security & Compliance portal. Browse to protection.office.com – Search – Audit Log search. If audit log is not yet enabled, enable it. It should be on by default. You can find more details regarding audit log here
Back in MCAS, under settings, select Azure Information Protection. Tick the box Automatically scan new files for AIP labels and content inspection warnings and save it.
MCAS can also inspect protected files using file policies. Grant these permissions to MCAS by activating the option in the settings.
To ignore classification labels set external to your organization, in the Cloud App Security portal, go under Settings and Azure Information Protection. Select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
Now from Files page and under Investigate you can select the file you like to label. Click the three dots at the right side of the file and choose Apply classification label to apply a label.
Be aware: It takes some time to sync your labels into Cloud App Security and Cloud App Security can apply Azure Information Protection on files that are up to 50 MB.
In the next post I will show you how to apply labels in an automated way to a SharePoint library.