Configure Azure Information Protection in Skyhigh CASB
Azure Information Protection (AIP) allows organizations to classify and optionally protect sensitive documents using default and custom labels. Once you configure AIP, use AIP labels in Skyhigh CASB DLP policies for supported CSPs.
NOTE: Before enabling the API for Microsoft AIP in Skyhigh CASB, you need to configure the AIP sensitivity labels in the security portal, then create and publish label policies. To configure AIP sensitivity labels and policies, see Create and configure sensitivity labels and their policies.
To create and configure a Data Classification instance:
- In Skyhigh CASB, go to Settings > Data Classification.
- Click Add Classification Instance.
- Select Microsoft AIP and provide an instance name. Click Save.
- Select the AIP instance you just created.
- Click Enable to the right of Enable API.
- Enter Office 365 global admin credentials and accept the permissions requested. The permissions include the ability to read protected content for Office 365, and on behalf of the user, to perform scans on encrypted data.
NOTE: Skyhigh CASB does not decrypt encrypted emails (Exchange Online) via AIP.
- Click Select Services.
IMPORTANT: You cannot save DLP policies that use an AIP instance unless the AIP instance is mapped to the appropriate service instances attached to the policy. Be careful when selecting service instances. Selecting the wrong service instance could result in documents in the organization or division being encrypted with the AIP labels of another organization or division.
- Select a Service Instance and click Done to complete the integration.