Configure an API Data Protection Policy for MPIP

Configure an API Data Protection Policy for MPIP

You can configure a policy to read MPIP labels and apply Netskope actions as defined in the policy. Netskope can take actions such as quarantining a file or restricting external access.

The following instructions walk you through the process of creating an API Data Protection policy for MPIP. For detailed instructions on creating an API Data Protection policy, see Create an API Data Protection Policy.

To edit a section previously completed, click on the pencil icon beside the section title.

To create an API Data Protection policy for MPIP:

  1. In the Netskope UI, go to Policies > API-enabled Protection and click New Policy.
  2. Under Application, select a supported app and instance. For information about supported cloud apps, see Cloud apps supported with MIP.

    Click Next.

  3. Under Users, select the users, profiles, or groups associated with the app. The policy will scan the app based on your selection. Click Next.
  4. Under Content, choose the type of sharing options and whether you want to scan all file types or specific file types. Click Next.
  5. Under DLP, select DLP and the DLP profile you want to use with this policy. You can choose a predefined or custom DLP profile. Click Next.

    For information about creating a DLP Profile, see Create a Custom DLP Profile.

  6. Under Action, select IRM Protect. Select MPIP as the IRM vendor and then select the MPIP Profile.


    • This note applies to Microsoft Office 365 OneDrive and SharePoint Sites only.If you do not see an MPIP profile in the drop-down list, log in to your Microsoft 365 admin center, go to the compliance section. Under Information protection, ensure that the MPIP label is published to ‘all’ groups or a group that contains the global administrator account.

    • This note applies to Microsoft Office 365 Outlook only.Netskope currently does not support “Encrypt-Only” labels for Outlook.

  7. Select an MPIP label under MIP profile. Click Next.


    • Microsoft does not allow to create a policy with Remove Encryption action on MPIP-encrypted files. The file types that are not allowed are Office 365 file extensions. Due to this limitation, in the Netskope UI, when you set up a policy to apply an MPIP label, the policy will not trigger on such Office 365 file types. This is because Netskope cannot replace a label from an MPIP-encrypted file with any other label. This issue is not observed in Adobe PDF and .jpeg, .png, and .tiff image file types.
    • Netskope API Data Protection supports MIP sub-level labels i.e., if you have a sensitive file handled by a member of the division A; so the MPIP tag would be CONFIDENTIAL (parent) and Division A (sub-level).
  8. Under Notification, select the notification frequency and the receiver along with an email template. Click Next.
  9. Under Set Policy, provide a policy name and description. Click Save.


If you delete an in-use label from the Azure portal, then you should edit the API Data Protection policy to use the new label or delete the policy using the deleted label.

Share this Doc

Configure an API Data Protection Policy for MPIP

Or copy link

In this topic ...