Microsoft Purview Information Protection and Netskope DRM

Microsoft Purview Information Protection and Netskope DRM

Up to three (3) Microsoft Purview Information Protection instances are supported at this time.
Microsoft Purview Information Protection currently works with CASB Inline, API Data Protection, Endpoint DLP and IaaS.

Microsoft Purview Information Protection (MPIP) was formerly known as Microsoft Information Protection (MIP).

The feature set includes the following:

Ability to read:

Netskope allows reading of labels for identifying sensitive content and providing the ability to take action based on the sensitivity label as well as content. 

Below use cases are supported:

  • Read MPIP Labels from unencrypted documents, webmail
  • Read MPIP Labels from encrypted documents, webmail
  • Read content from encrypted  and unencrypted documents, webmail
  • Detect if there is encrypted content passing through traffic
The Ability to Write only applies to API Data Protection.

Ability to Write:

  • Classify content without using any protection settings
    • Ex: Simply assign a label as a result of classifying the content without applying any encryption or other protection policies.
  • Provide protection settings that include encryption and content markings
    • Ex: Apply a “Confidential” label to a document or email, and that label encrypts the content and applies a “Confidential” header, footer and watermark. Encryption can also restrict what actions authorized people can take on the content.
  • Protect content in Office apps across different platforms and devices
    • Ex: Apply labels in Word, Excel, PowerPoint, and Outlook on the Office desktop apps and Office on the web

For detailed information, see Integrate Netskope with Microsoft Purview Information Protection.

Sensitivity Label Integration

If DRMEncryptProperty is set to 1, then Netskope will not be able to read encrypted labels.
See Microsoft Documentation for more information.
The Microsoft Purview Information Protection integration is now validated and available to Federal customers supporting GCC High.

Upon granting access, Netskope will fetch your pre-defined sensitivity labels as defined in vendor portal. For example, MPIP labels are fetched from Microsoft Compliance page.

In order to grant access and fetch your configurations:

  • 1.Go to Settings > Manage > Sensitivity Label Integration.

    2.Click Setup Instance, click Microsoft, enter the Instance Name, select between GCC High and Commercial, and click Grant Access.

    3. Click on the right-side of your newly setup instance and click View.

  • Sensitivity Label is the label defined in the Microsoft compliance page. A parent label can have multiple sublabels.

    Order is the priority of the labels as defined in the Microsoft Purview Information Protection instance.

    Scope defines the objects that the label will be applicable to.

    These labels will be available for referencing when creating/editing a DLP File Profile.

    Sync Labels:

    Netskope provides the ability to sync labels on demand for any change that has been made to the label in the Microsoft compliance page. The same can be achieved by using the option, Sync sensitivity labels in either of the workflows/screenshots shown below.

    Email (.eml) File Scanning Support

    As of R122, admins are able to define policies for matching against Sensitivity Labels applied to SMTP Proxy Traffic. For the time being, decryption for emails is currently not supported.
    For more information, see Real-time Protection Policies and View DLP Incidents related to SMTP Proxy.

    Share this Doc

    Microsoft Purview Information Protection and Netskope DRM

    Or copy link

    In this topic ...