Microsoft Purview Information Protection and Netskope DRM
Microsoft Purview Information Protection and Netskope DRM
Microsoft Purview Information Protection currently works with CASB Inline, API Data Protection, Endpoint DLP and IaaS.
Microsoft Purview Information Protection (MPIP) was formerly known as Microsoft Information Protection (MIP).
The feature set includes the following:
Ability to read:
Netskope allows reading of labels for identifying sensitive content and providing the ability to take action based on the sensitivity label as well as content.
Below use cases are supported:
- Read MPIP Labels from unencrypted documents, webmail
- Read MPIP Labels from encrypted documents, webmail
- Read content from encrypted and unencrypted documents, webmail
- Detect if there is encrypted content passing through traffic
Ability to Write:
- Classify content(files with existing label) based on sensitivity of the content
- Ex: Scan for a file to identify the sensitivity of the content within the file. Based on the sensitivity, a certain label shall be applied such that the file is updated with the correct label
- Classify content(files with no label) based on sensitivity of the content
- Scan for a file to identify the sensitivity of the content within the file. Based on the sensitivity, a certain label shall be applied to the file such that the file which had no label now has the correct label. This is extremely useful as customers will have a large amount of files which are not classified and as part of compliance, need to ensure that every file in the organization has a label.
Note: If the label that is applied to the file is configured in Microsoft to apply encryption, then the same will be adhered to based on the label that is applied.
Sensitivity Label Integration
See Microsoft Documentation for more information.
Upon granting access, Netskope will fetch your pre-defined sensitivity labels as defined in vendor portal. For example, MPIP labels are fetched from Microsoft Compliance page.
In order to grant access and fetch your configurations:
1.Go to Settings > Manage > Sensitivity Label Integration.
2.Click Setup Instance, click Microsoft, enter the Instance Name, select between GCC High and Commercial, and click Grant Access.


3. Click … on the right-side of your newly setup instance and click View.
Sensitivity Label is the label defined in the Microsoft compliance page. A parent label can have multiple sublabels.
Order is the priority of the labels as defined in the Microsoft Purview Information Protection instance.
Scope defines the objects that the label will be applicable to.
These labels will be available for referencing when creating/editing a DLP File Profile.
Sync Labels:
Netskope provides the ability to sync labels on demand for any change that has been made to the label in the Microsoft compliance page. The same can be achieved by using the option, Sync sensitivity labels in either of the workflows/screenshots shown below.
Email (.eml) File Scanning Support
As of R123, decryption of emails is supported. Decryption of attachments is not supported. Labels will not be read from attachments and they will not be decrypted. If Outlook Encrypt is enabled, decryption will not work. If the email is sent as plaintext, decryption will not work.
For more information, see Real-time Protection Policies and View DLP Incidents related to SMTP Proxy.