Microsoft Purview Information Protection and Netskope DRM

Up to three (3) Microsoft Purview Information Protection instances are supported at this time.
Microsoft Purview Information Protection currently works with CASB Inline, API Data Protection, Endpoint DLP and IaaS.

Microsoft Purview Information Protection (MPIP) was formerly known as Microsoft Information Protection (MIP).

The feature set includes the following:

Ability to read:

Netskope can read labels to identify sensitive content and take action based on the sensitivity label as well as the content.

The following use cases are supported:

  • Read MPIP Labels from unencrypted documents, webmail
  • Read MPIP Labels from encrypted documents, webmail
  • Read content from encrypted and unencrypted documents, webmail
  • Detect if there is encrypted content passing through traffic
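
To see what an MPIP label looks like in an unencrypted document, the following added example (not Netskope's or Microsoft's code) reads the `MSIP_Label_<GUID>_*` custom properties that Office stores in `docProps/custom.xml`. The function names and the sample label GUID are constructed for illustration; files that begin with the OLE compound-file signature, which includes encrypted Office packages, are only reported, not parsed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound-file signature
PART = "docProps/custom.xml"
MAX_PART = 1 << 20  # refuse oversized metadata parts (zip-bomb guard)
# Property names look like MSIP_Label_<label GUID>_<attribute>
PROP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")


def read_labels(data: bytes) -> dict:
    """Return {"container": kind, "labels": {guid: {attribute: value}}}."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file or encrypted package: report, do not parse.
        return {"container": "ole", "labels": {}}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "unknown", "labels": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if PART not in zf.namelist():
            return {"container": "zip", "labels": {}}
        if zf.getinfo(PART).file_size > MAX_PART:
            raise ValueError("custom properties part too large")
        xml = zf.read(PART)
    if b"<!DOCTYPE" in xml:  # no DTDs or entities in untrusted metadata
        raise ValueError("DTD not allowed in custom properties")
    labels = {}
    for prop in ET.fromstring(xml).iter(f"{{{CP_NS}}}property"):
        m = PROP_RE.match(prop.get("name", ""))
        if m:
            value = "".join(prop.itertext()).strip()
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return {"container": "zip", "labels": labels}


def make_sample(guid: str, name: str) -> bytes:
    """Constructed sample: a ZIP holding only a custom-properties part."""
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="MSIP_Label_{guid}_{attr}"><vt:lpwstr>{val}</vt:lpwstr></property>'
        for i, (attr, val) in enumerate([("Enabled", "true"), ("Name", name)], 2))
    xml = f'<Properties xmlns="{CP_NS}" xmlns:vt="{VT_NS}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PART, xml)
    return buf.getvalue()
```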

Ability to Write:

The Ability to Write only applies to API Data Protection.

  • Classify content (files with an existing label) based on the sensitivity of the content
    • Ex: Scan a file to identify the sensitivity of the content within the file. Based on the sensitivity, a certain label shall be applied such that the file is updated with the correct label.
  • Classify content (files with no label) based on the sensitivity of the content
    • Scan a file to identify the sensitivity of the content within the file. Based on the sensitivity, a certain label shall be applied to the file such that the file which had no label now has the correct label. This is extremely useful as customers will have a large number of files which are not classified and, as part of compliance, need to ensure that every file in the organization has a label.

Note: If the label applied to the file is configured in Microsoft to apply encryption, the file is encrypted as that label specifies.

Sensitivity Label Integration

If DRMEncryptProperty is set to 1, then Netskope will not be able to read encrypted labels.
See Microsoft Documentation for more information.
The Microsoft Purview Information Protection integration is now validated and available to Federal customers supporting GCC High.

Upon granting access, Netskope will fetch your pre-defined sensitivity labels as defined in the vendor portal. For example, MPIP labels are fetched from the Microsoft compliance page.

In order to grant access and fetch your configurations:

  1. Go to Settings > Manage > Sensitivity Label Integration.
  2. Click Setup Instance, click Microsoft, enter the Instance Name, select between GCC High and Commercial, and click Grant Access.
  3. Click on the right side of your newly set up instance and click View.

  • Sensitivity Label is the label defined in the Microsoft compliance page. A parent label can have multiple sublabels.
  • Order is the priority of the labels as defined in the Microsoft Purview Information Protection instance.
  • Scope defines the objects that the label will be applicable to.

These labels will be available for referencing when creating/editing a DLP File Profile.

Sync Labels:

Netskope provides the ability to sync labels on demand for any change that has been made to the label in the Microsoft compliance page. The same can be achieved by using the Sync sensitivity labels option in either of the workflows/screenshots shown below.

Email (.eml) File Scanning Support

As of R123, decryption of emails is supported. Decryption of attachments is not supported. Labels will not be read from attachments and they will not be decrypted. If Outlook Encrypt is enabled, decryption will not work. If the email is sent as plaintext, decryption will not work.

For more information, see Real-time Protection Policies and View DLP Incidents related to SMTP Proxy.
