Promoting Azure Information Protection labels to SharePoint metadata column

Edit 1-March-2017:
Microsoft has reached out to ask me if I would be so kind as to stress that the solution described below is a temporary solution and it could be that things might change in the future. Hereby stated. Now on to the article itself.

On February 8th this year, Microsoft made the latest version of Azure Information Protection (AIP) generally available. You can find the announcement here: https://blogs.technet.microsoft.com/enterprisemobility/2017/02/08/azure-information-protection-december-update-moves-to-general-availability/

What was also part of that release, but wasn’t mentioned in the announcement, is the integration with SharePoint metadata columns. Before this GA release, some integration was already possible, but that required registry hacks on local client machines. With the latest release it is possible to do the configuration in the Azure Portal. There are some caveats, but we’ll get to that later in this article.

The scenario

When you label a document with AIP, the label information is stored in the properties of that particular document.

Here I have set the Sensitivity of my document to Internal:

When you have a look at the document properties, you’ll find that a couple of AIP-related properties have been set for this document: some MSIP_ properties and a Sensitivity property (or a property with another name, if you have defined another property title in your AIP configuration in Azure; see step 1 under Implementation, further down in this article).

Now what we would like is to have the value of the Sensitivity property promoted to a SharePoint metadata column. The main reason why you might want this is that in SharePoint you cannot see the label of a document without opening that document. It could be quite convenient to see the label right in the Document Library, or even to create views or sort based on the label.

Let’s see how we can accomplish this.

The implementation

First, we need to set up some things in the Azure Portal:

Step 1
Log in to the Azure Portal and go to your Azure Information Protection overview page. Take note of the Title value. The default value for Title is Sensitivity. This is also the property name in Word and, very importantly, the name you must use for your metadata column in SharePoint. So, if you’d like a different property/column name than Sensitivity, this is where you should change that.

Step 2
Click the three dots on the right side of your policy:

and choose Advanced settings:

Step 3
Type in the following properties:

Name: SyncPropertyName
Value: Sensitivity
(the value here must be the same as the Title value you defined in step 1, and the same as the metadata column name in SharePoint)

Name: SyncPropertyState
Value: TwoWay

Next, let’s create a column in SharePoint:

Step 1
Browse to the Document Library of your choice, and create a new column of the type Choice. The column name must again be the same name as the Title and the SyncPropertyName.

Step 2
In the list with choices, type in the exact same labels as defined in Azure. When you use sub labels, type in the master label and sub label in one line, separated by a space.

Here’s an example of some labels I have defined in Azure:

Here’s how that would look in the choice column:

That’s it! We are now ready to use the SharePoint column. When you upload a document with a certain label set, the Sensitivity column in SharePoint automatically inherits the chosen label. Below you’ll find an example, Test4.docx, that has an AIP label applied and that has that same value in the SharePoint metadata column.
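
The check below is an added example, not part of the original article: before upload, it reads the custom properties described under The scenario from a .docx and confirms that the property named in SyncPropertyName holds a value that is one of the Choice column lines from Step 2. It assumes the property value is the same text as the choice line; the label names, the MSIP_ property name and the sample file are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the OOXML custom-properties part, docProps/custom.xml.
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}

def read_custom_properties(docx_bytes):
    """Return {name: value} for every custom document property."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}  # no custom-properties part: nothing was ever stamped
        root = ET.fromstring(z.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall("cp:property", NS):
        typed = next(iter(prop), None)  # one typed child, e.g. <vt:lpwstr>
        props[prop.get("name")] = (typed.text or "") if typed is not None else ""
    return props

def check_before_upload(docx_bytes, column_name, choices):
    """Return (status, value); status is 'ok', 'unlabelled' or 'not-in-choices'."""
    value = read_custom_properties(docx_bytes).get(column_name)
    if value is None:
        return ("unlabelled", None)
    # Exact comparison on purpose: the choices must match the label names exactly.
    return ("ok" if value in choices else "not-in-choices", value)

def make_sample_docx(props):
    """Constructed input: a zip that holds only docProps/custom.xml."""
    body = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
        f'name="{name}"><vt:lpwstr>{value}</vt:lpwstr></property>'
        for pid, (name, value) in enumerate(props.items(), start=2))
    xml = f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{body}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    choices = ["Public", "Internal", "Confidential Finance"]  # constructed choice lines
    # Constructed property names and values, including a placeholder MSIP_ name.
    doc = make_sample_docx({"Sensitivity": "Internal",
                            "MSIP_Label_placeholder_Name": "Internal"})
    print(check_before_upload(doc, "Sensitivity", choices))
```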

Caveats

Like I said in the introduction, there are some caveats you need to be aware of:

  1. For some reason, directly saving an Office document to SharePoint does not set the metadata column. This only happens the first time you save a document to SharePoint and only when you save it directly from the Office application. If you save the document locally first and then upload it to SharePoint, the column is set. If you open an already saved document from SharePoint in an Office application, then change the label, and then save the document again, the label is set as well.
  2. As said before, if you change the label of an existing document in Office and save the document again in SharePoint, the metadata column is updated. This works the other way around too. If you change the value of the metadata column for a particular document and then open that document in Office, you’ll notice the label has changed accordingly. This is very useful, for example, for bulk setting AIP labels for documents. But this also has a drawback. If you have configured AIP in such a way that a user must justify the lowering of the classification of a document, the user will not be asked for this justification when he lowers the classification by changing the value of the metadata column in SharePoint. It is of course possible to make the SharePoint column read-only with some plumbing, but that is beyond the scope of this article. (You could even create the column as a Single line of text column then.)
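
Because a downgrade made through the column skips the justification prompt, it is worth reviewing every drop in the column value. The audit below is an added example, not part of the original article: it walks version-history rows and flags each version where the Sensitivity value went down, was cleared, or is not a known label. The row format, file names, editors and label order are constructed assumptions, and version history alone cannot tell a column edit from an Office edit, so hits are candidates for review.

```python
from collections import defaultdict

# Assumption: label names as typed in the Choice column, least to most sensitive.
LABEL_ORDER = ["Public", "Internal", "Confidential"]
RANK = {name: i for i, name in enumerate(LABEL_ORDER)}

# Constructed sample: version-history rows exported from one library, unordered.
SAMPLE_ROWS = [
    {"file": "Test4.docx", "version": "10.0", "editor": "bob", "Sensitivity": "Internal"},
    {"file": "Test4.docx", "version": "1.0", "editor": "alice", "Sensitivity": "Internal"},
    {"file": "Test4.docx", "version": "2.0", "editor": "alice", "Sensitivity": "Confidential"},
    {"file": "Report.docx", "version": "1.0", "editor": "carol", "Sensitivity": "Confidential"},
    {"file": "Report.docx", "version": "2.0", "editor": "carol", "Sensitivity": ""},
    {"file": "Plan.docx", "version": "1.0", "editor": "dave", "Sensitivity": "Internal"},
    {"file": "Plan.docx", "version": "2.0", "editor": "dave", "Sensitivity": "internal"},
]

def version_key(version):
    """Sort '10.0' after '2.0' (plain string sorting would not)."""
    return tuple(int(part) for part in version.split("."))

def find_downgrades(rows, column="Sensitivity"):
    """Return (file, version, editor, old, new, kind) for each suspicious change."""
    by_file = defaultdict(list)
    for row in rows:
        by_file[row["file"]].append(row)
    findings = []
    for name, versions in by_file.items():
        versions.sort(key=lambda r: version_key(r["version"]))
        for prev, cur in zip(versions, versions[1:]):
            old, new = prev[column], cur[column]
            if old == new:
                continue
            if new and new not in RANK:
                kind = "unknown-label"  # typo or a value outside the label set
            elif RANK.get(new, -1) < RANK.get(old, -1):
                kind = "downgrade"      # lower label, or label cleared
            else:
                continue                # upgrade or first labelling
            findings.append((name, cur["version"], cur["editor"], old, new, kind))
    return findings

if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_ROWS):
        print(finding)
```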

Microsoft is aware of the current caveats, and is working on better SharePoint integration for AIP. Still, the promotion of AIP labels to SharePoint metadata columns could be very useful, for reasons as laid out in this article. I hope this helps you with your AIP implementation.
