Microsoft Purview Information Protection connection
NOTE: In this release of File Analysis Suite, Microsoft Purview Information Protection is the supported file protection system from Microsoft. This file protection system type is referred to as "Microsoft data protection" in File Analysis Suite.
File Analysis Suite supports sensitivity labels whose scope defines their use on "items".
You can use your existing Microsoft Purview Information Protection sensitivity labels to apply file protection to supported documents managed by File Analysis Suite.
If you will be creating one or more Microsoft data protection file protection systems, you must complete additional tasks to enable this processing.
Microsoft data protection requirements
Connecting to Microsoft Purview Information Protection for file protection requires the following be in place prior to using file protection in File Analysis Suite.
- Appropriate Microsoft O365 licensing.
- Sensitivity labels created in Microsoft Purview Information Protection. In File Analysis Suite, these labels are called "file protection rules".
  IMPORTANT: File Analysis Suite supports sensitivity labels whose scope defines their use on "items".
- An app registration in Azure Active Directory admin center for File Analysis Suite. For more information, see Create an app registration for File Analysis Suite.
- At least one agent cluster configured in File Analysis Suite for each Microsoft data protection system you will create. Multiple agent clusters can be assigned to a single system, but any given cluster may not be assigned to more than one system.
Create an app registration for File Analysis Suite
To protect files with Microsoft Purview Information Protection, you must create an app registration for File Analysis Suite in Azure Active Directory admin center.
- In Azure Active Directory admin center, use the following guidelines to create an app registration for File Analysis Suite.
  - Define an application Name that is easily identifiable. For example, File Analysis Suite data protection or FAS data protection.
  - For Supported account type, select Accounts in any organizational directory only.
  - Do NOT define a Redirect URI.
  - Make note of the following details for your new app. You will need to enter this information when you create the protection system in File Analysis Suite.
    - Display Name
    - Application (client) ID
    - Directory (tenant) ID
- In Azure Active Directory admin center, add API permissions for the newly created app.
  - Add the following APIs and permissions.

    | API | Permission type | Permission |
    | --- | --- | --- |
    | Azure Rights Management Services | Delegated | user_impersonation |
    | Azure Rights Management Services | Application | Content.DelegatedReader |
    | Azure Rights Management Services | Application | Content.DelegatedWriter |
    | Azure Rights Management Services | Application | Content.SuperUser |
    | Azure Rights Management Services | Application | Content.Writer |
    | Microsoft Information Protection Sync Service | Delegated | UnifiedPolicy.User.Read |
    | Microsoft Information Protection Sync Service | Application | UnifiedPolicy.Tenant.Read |

  - For each of the added permissions, grant admin consent for the new app.
  - For the Microsoft Graph (1) User.Read permission (added automatically with the app registration), grant admin consent for the new app.
- In Azure Active Directory admin center, add a client secret for the newly created app.
  Make note of the Secret ID and the secret value. The secret value is only presented immediately following creation; you will need to enter this value when you create the protection system in File Analysis Suite.
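The following added example (not File Analysis Suite or Microsoft code) audits the permissions configured on the app registration against the table above, reporting any that are missing and any that go beyond it. It assumes the registration and the three API service principals have been retrieved from Microsoft Graph, whose field names it uses (`requiredResourceAccess`, `oauth2PermissionScopes`, `appRoles`); the `app-*` keys and `id-*` values are constructed placeholders, and the helpers `published` and `requested` are hypothetical. Admin consent state is not checked.

```python
RMS = "Azure Rights Management Services"
SYNC = "Microsoft Information Protection Sync Service"
GRAPH = "Microsoft Graph"
REQUIRED = {  # permission table from this page, plus the default Graph User.Read
    (RMS, "Delegated", "user_impersonation"),
    (RMS, "Application", "Content.DelegatedReader"),
    (RMS, "Application", "Content.DelegatedWriter"),
    (RMS, "Application", "Content.SuperUser"),
    (RMS, "Application", "Content.Writer"),
    (SYNC, "Delegated", "UnifiedPolicy.User.Read"),
    (SYNC, "Application", "UnifiedPolicy.Tenant.Read"),
    (GRAPH, "Delegated", "User.Read"),
}
KIND = {"Scope": "Delegated", "Role": "Application"}  # Graph type -> portal wording

def audit(app, resources):
    """Resolve Graph requiredResourceAccess IDs to names, then diff against REQUIRED."""
    have = set()
    for rra in app["requiredResourceAccess"]:
        sp = resources[rra["resourceAppId"]]
        names = {p["id"]: p["value"]
                 for p in sp["oauth2PermissionScopes"] + sp["appRoles"]}
        for ra in rra["resourceAccess"]:
            name = names.get(ra["id"], "unknown:" + ra["id"])  # report, never drop
            have.add((sp["displayName"], KIND[ra["type"]], name))
    return {"missing": sorted(REQUIRED - have), "unexpected": sorted(have - REQUIRED)}

def published(*values):  # servicePrincipal permission entries; id is "id-<value>"
    return [{"id": "id-" + v, "value": v} for v in values]
def requested(kind, *values):  # application resourceAccess entries
    return [{"id": "id-" + v, "type": kind} for v in values]
# Constructed sample (placeholder IDs): Content.Writer is absent, Mail.Read is extra.
RESOURCES = {
    "app-rms": {"displayName": RMS, "oauth2PermissionScopes": published("user_impersonation"),
                "appRoles": published("Content.DelegatedReader", "Content.DelegatedWriter",
                                      "Content.SuperUser", "Content.Writer")},
    "app-sync": {"displayName": SYNC, "appRoles": published("UnifiedPolicy.Tenant.Read"),
                 "oauth2PermissionScopes": published("UnifiedPolicy.User.Read")},
    "app-graph": {"displayName": GRAPH, "appRoles": [],
                  "oauth2PermissionScopes": published("User.Read", "Mail.Read")},
}
APP = {"requiredResourceAccess": [
    {"resourceAppId": "app-rms", "resourceAccess": requested("Scope", "user_impersonation")
     + requested("Role", "Content.DelegatedReader", "Content.DelegatedWriter", "Content.SuperUser")},
    {"resourceAppId": "app-sync", "resourceAccess": requested("Scope", "UnifiedPolicy.User.Read")
     + requested("Role", "UnifiedPolicy.Tenant.Read")},
    {"resourceAppId": "app-graph", "resourceAccess": requested("Scope", "User.Read", "Mail.Read")},
]}
print(audit(APP, RESOURCES))
```

An empty `missing` and `unexpected` result means the registration requests exactly the permissions this page lists.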