Microsoft Purview Information Protection connection

NOTE: In this release of Fusion, Microsoft Purview Information Protection is the supported file protection system from Microsoft. This file protection system type is referred to as "Microsoft data protection" in Fusion.

Fusion supports sensitivity labels whose scope defines their use on "items".

You can use your existing Microsoft Purview Information Protection sensitivity labels to apply file protection to supported documents managed by Fusion.

If you will be creating one or more Microsoft data protection file protection systems, you must complete additional tasks to enable this processing.

Microsoft data protection requirements

Connecting to Microsoft Purview Information Protection for file protection requires that the following be in place before you use file protection in Fusion.

  • Appropriate Microsoft O365 licensing.

  • Sensitivity labels created in Microsoft Purview Information Protection. In Fusion, these labels are called "file protection rules".

    IMPORTANT: Fusion supports sensitivity labels whose scope defines their use on "items".

  • An app registration in Azure Active Directory admin center for Fusion. For more information, see Create an app registration for Fusion.

  • At least one agent cluster configured in Fusion for each Microsoft data protection system you will create. Multiple agent clusters can be assigned to a single system, but any given cluster may not be assigned to more than one system.

Create an app registration for Fusion

To protect files with Microsoft Purview Information Protection, you must create an app registration for Fusion in Azure Active Directory admin center.

  1. In Azure Active Directory admin center, use the following guidelines to create an app registration for Fusion.

    • Define an application Name that is easily identifiable. For example, Fusion data protection.

    • For Supported account type, select Accounts in any organizational directory only.

    • Do NOT define a Redirect URI.

    • Make note of the following details for your new app. You will need to enter this information when you create the protection system in Fusion.

      • Display Name

      • Application (client) ID

      • Directory (tenant) ID

  2. In Azure Active Directory admin center, add API permissions for the newly created app.

    1. Add the following APIs and permissions.

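      API                                            Permission type   Permission
      Azure Rights Management Services               Delegated         user_impersonation
      Azure Rights Management Services               Application       Content.DelegatedReader
      Azure Rights Management Services               Application       Content.DelegatedWriter
      Azure Rights Management Services               Application       Content.SuperUser
      Azure Rights Management Services               Application       Content.Writer
      Microsoft Information Protection Sync Service  Delegated         UnifiedPolicy.User.Read
      Microsoft Information Protection Sync Service  Application       UnifiedPolicy.Tenant.Read
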
    2. For each of the added permissions, grant admin consent for the new app.

    3. For the Microsoft Graph (1) User.Read permission (added automatically with the app registration), grant admin consent for the new app.

  3. In Azure Active Directory admin center, add a client secret for the newly created app.

    Make note of the Secret ID and the secret value. The secret value is only presented immediately following creation; you will need to enter this value when you create the protection system in Fusion.
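
The following Python script is an added example, not part of the Fusion documentation or product. It audits the API permissions configured in step 2 against the table above and reports missing permissions as well as any that the page does not list. It assumes input shaped like Microsoft Graph's `requiredResourceAccess` property of the application and the `appRoles` / `oauth2PermissionScopes` of each API's service principal; `audit`, `make_sp`, `make_access` and all IDs in the sample are constructed for illustration.

```python
# Required permissions from the table on this page, plus the Microsoft Graph
# User.Read delegated permission that the procedure says is added automatically.
RMS = "Azure Rights Management Services"
SYNC = "Microsoft Information Protection Sync Service"
RMS_ROLES = ["Content.DelegatedReader", "Content.DelegatedWriter",
             "Content.SuperUser", "Content.Writer"]
REQUIRED = {(api, kind, perm) for api, kind, perms in [
    (RMS, "Delegated", ["user_impersonation"]),
    (RMS, "Application", RMS_ROLES),
    (SYNC, "Delegated", ["UnifiedPolicy.User.Read"]),
    (SYNC, "Application", ["UnifiedPolicy.Tenant.Read"]),
    ("Microsoft Graph", "Delegated", ["User.Read"]),
] for perm in perms}
# Graph tags delegated permissions "Scope" and application permissions "Role".
KIND = {"Scope": "Delegated", "Role": "Application"}

def audit(required_resource_access, service_principals):
    """Return (missing, extra) as sets of (API, permission type, permission)."""
    by_app = {sp["appId"]: sp for sp in service_principals}
    configured = set()
    for res in required_resource_access:
        sp = by_app.get(res["resourceAppId"], {})
        api = sp.get("displayName", "unresolved:" + res["resourceAppId"])
        names = {p["id"]: p["value"]
                 for p in sp.get("appRoles", []) + sp.get("oauth2PermissionScopes", [])}
        for acc in res["resourceAccess"]:
            # IDs that cannot be resolved stay as-is so they surface under "extra".
            configured.add((api, KIND[acc["type"]], names.get(acc["id"], acc["id"])))
    return REQUIRED - configured, configured - REQUIRED

# Constructed sample data (real appId and permission id values are GUIDs).
def make_sp(app_id, name, roles, scopes):
    return {"appId": app_id, "displayName": name,
            "appRoles": [{"id": app_id + "/r/" + v, "value": v} for v in roles],
            "oauth2PermissionScopes": [{"id": app_id + "/s/" + v, "value": v} for v in scopes]}
def make_access(app_id, roles, scopes):
    return {"resourceAppId": app_id, "resourceAccess":
            [{"id": app_id + "/r/" + v, "type": "Role"} for v in roles]
            + [{"id": app_id + "/s/" + v, "type": "Scope"} for v in scopes]}
SAMPLE_SPS = [make_sp("app-rms", RMS, RMS_ROLES, ["user_impersonation"]),
              make_sp("app-sync", SYNC, ["UnifiedPolicy.Tenant.Read"], ["UnifiedPolicy.User.Read"]),
              make_sp("app-graph", "Microsoft Graph", ["Directory.Read.All"], ["User.Read"])]
# This registration lacks Content.Writer and has a Graph role this page does not list.
SAMPLE_APP = [make_access("app-rms", RMS_ROLES[:3], ["user_impersonation"]),
              make_access("app-sync", ["UnifiedPolicy.Tenant.Read"], ["UnifiedPolicy.User.Read"]),
              make_access("app-graph", ["Directory.Read.All"], ["User.Read"])]
if __name__ == "__main__":
    missing, extra = audit(SAMPLE_APP, SAMPLE_SPS)
    print("missing:", sorted(missing), "extra:", sorted(extra))
```

This compares configured permissions only; whether admin consent has been granted for each one is a separate check.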