Configuring policy to look for Azure Information Protection classification label


Article ID: 184645


Updated On:


Products: Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Discover, Data Loss Prevention Network Prevent for Web, Data Loss Prevention Endpoint Discover


Best practice for configuring DLP to trigger incidents on documents that have Azure Information Protection (AIP) classification label(s) applied.


AIP classification labels have an ID and a name. For example, in an email the label is carried as:

MSIP_Label_XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU_Name=Business Critical;

Here XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU is the label ID (each X, Y, Z, K and U is a digit or a Latin letter) and Business Critical is the classification name shown to the user.

A keyword rule that searches only for the classification name Business Critical may produce many false positives, because those words can occur anywhere in the content, not only in the metadata, and content matches are not the goal when looking for files with AIP labels applied.

A keyword rule defined as Name=Business Critical may not detect labeled Word or Excel files, because the label in MS Office file metadata uses a different template:

Name : Business Critical


The best option is a keyword rule with proximity matching, requiring the label ID and the classification name to occur within a set number of words of each other. Review a few test incidents to choose the right maximum word distance (smaller is better).

Another solution, which may produce more false positives than the first, is to use the label ID (XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU) as one keyword rule combined (via an "and" condition) with Business Critical as a second keyword rule.
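The following is an added example, not part of this article and not Symantec DLP's own matching engine: a simplified Python model of the four keyword-rule variants discussed above (name only, Name=..., label ID AND name, label ID near name) run against constructed samples of how the label surfaces in an email header, in Office document properties, and in unlabeled content. The label ID, the sample texts and the 5-word maximum distance are constructed assumptions; matching is modeled as case-insensitive substring matching (whole-word options are not modeled), and word distance counts whitespace-delimited tokens.

```python
"""Model of DLP keyword-rule variants for AIP labels (added example, not
Symantec DLP code). Shows which rule fires on which kind of content."""
import re

# Constructed placeholders: not a real tenant's label ID or name.
LABEL_ID = "12345678-abcd-ef01-2345-6789abcdef01"
LABEL_NAME = "Business Critical"

# Constructed samples of extracted text (assumption: this is roughly what
# the DLP engine sees after content extraction).
SAMPLES = {
    # Email: label carried as key=value pairs in the msip_labels header.
    "email_header": (
        "Subject: Q3 forecast\n"
        f"msip_labels: MSIP_Label_{LABEL_ID}_Enabled=true; "
        f"MSIP_Label_{LABEL_ID}_Name={LABEL_NAME};\n"
        "Please review the attached forecast.\n"
    ),
    # Word/Excel: label stored as custom document properties ("Name : value").
    "office_metadata": (
        "Title : Q3 forecast\n"
        f"MSIP_Label_{LABEL_ID}_Enabled : true\n"
        f"MSIP_Label_{LABEL_ID}_Name : {LABEL_NAME}\n"
        "Body: forecast numbers follow.\n"
    ),
    # Unlabeled file whose body merely uses the words.
    "unlabeled_body_text": (
        "Backups for our business critical systems run nightly.\n"
    ),
    # Unlabeled file: label ID quoted in a support note, the phrase
    # 'business critical' 40 words later in the body, no label applied.
    "unlabeled_id_far_from_name": (
        f"Ticket 4711: label {LABEL_ID} failed to apply in the pilot.\n"
        + " ".join(["filler"] * 40)
        + "\nThe pilot group handles business critical planning.\n"
    ),
}


def keyword_hits(text, keyword):
    """Start offsets of case-insensitive occurrences of keyword in text."""
    return [m.start() for m in re.finditer(re.escape(keyword), text, re.IGNORECASE)]


def keyword_rule(text, keyword):
    """Plain keyword rule: fires if the keyword occurs anywhere."""
    return bool(keyword_hits(text, keyword))


def word_distance(text, a, b):
    """Number of whitespace-delimited tokens that begin in [a, b).
    1 means adjacent words (or both inside the same token)."""
    a, b = sorted((a, b))
    return len(re.findall(r"\S+", text[a:b]))


def proximity_rule(text, kw1, kw2, max_words):
    """Fires only if some occurrence of kw1 lies within max_words of kw2."""
    return any(
        word_distance(text, p, q) <= max_words
        for p in keyword_hits(text, kw1)
        for q in keyword_hits(text, kw2)
    )


# The four rule variants discussed in the article.
RULES = {
    "name_only": lambda t: keyword_rule(t, LABEL_NAME),
    "name_eq_value": lambda t: keyword_rule(t, f"Name={LABEL_NAME}"),
    "id_and_name": lambda t: keyword_rule(t, LABEL_ID) and keyword_rule(t, LABEL_NAME),
    "id_near_name": lambda t: proximity_rule(t, LABEL_ID, LABEL_NAME, max_words=5),
}


def evaluate(text):
    """Map each rule name to whether it fires on the given text."""
    return {name: rule(text) for name, rule in RULES.items()}


def evaluate_samples():
    """Evaluate every rule against every constructed sample."""
    return {sample: evaluate(text) for sample, text in SAMPLES.items()}


if __name__ == "__main__":
    for sample, result in evaluate_samples().items():
        fired = [name for name, hit in result.items() if hit]
        print(f"{sample:28s} fires: {', '.join(fired) or '(none)'}")
```

Running it shows the pattern the article describes: name_only fires on every sample, including both unlabeled ones; name_eq_value misses the Office file; id_and_name also fires on the unlabeled note that happens to contain the ID and the phrase far apart; id_near_name fires only on the two genuinely labeled samples. Tune max_words the same way the article recommends: start small and widen only if test incidents on real labeled files are missed.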