

SC-401 Information Protection | Microsoft Purview | JavaInUse

SC-401 - Information Protection

Information Protection Overview

Microsoft Purview Information Protection (formerly Microsoft Information Protection / MIP) is the framework for classifying and protecting sensitive data across Microsoft 365, on-premises repositories, third-party clouds, and endpoints.

The protection stack uses sensitivity labels as the common thread:

  • Cloud-native files: Protected in Microsoft 365 services (Exchange, SharePoint, OneDrive, Teams) using the labeling built into the Office apps
  • On-premises files: Scanned and labeled by the information protection scanner (formerly the AIP scanner) running on Windows Server
  • Endpoints: Endpoint DLP enforced on devices onboarded through Microsoft Defender for Endpoint (MDE); file labeling on Windows via the Purview Information Protection client
  • Third-party apps: Extended via Microsoft Defender for Cloud Apps (MDCA) session controls and file scanning
  • Email: Protected via Microsoft Purview Message Encryption, built on Azure Rights Management (Azure RMS)

MIP Unified Labeling Client

The Microsoft Purview Information Protection (MIP) unified labeling client is a Windows application that extends sensitivity label support beyond what is built into Office apps. It was previously called the Azure Information Protection (AIP) unified labeling client.

Components

Component                    | Function
MIP client add-in for Office | Adds the Sensitivity button and labeling features to Office 2016/2019 apps that predate built-in label support
MIP viewer                   | Opens and reads protected files (.pfile, .ppdf, .pjpg and other protected non-Office formats) that the native application cannot open
MIP scanner                  | Service that scans on-premises file shares and SharePoint Server for sensitive data and applies or recommends labels
MIP PowerShell modules       | PurviewInformationProtection module (file labeling and scanner cmdlets), plus the separate AIPService module for managing Azure RMS keys, tenant configuration and usage logs
Modern Microsoft 365 Apps (Microsoft 365 Apps for enterprise / business) have sensitivity labeling built into the Office platform and do NOT need the client add-in. Microsoft retired the AIP add-in for Office in April 2024, so the client now matters mainly for the viewer, the on-premises scanner and the PowerShell file-labeling cmdlets; where an older perpetual Office release (2016, 2019) is still in use, plan its replacement rather than relying on the add-in. Running the add-in alongside built-in labeling in Microsoft 365 Apps causes conflicts, so use the built-in experience wherever possible.

File Protection Behaviors

When a label with encryption is applied to a file using MIP:

  • Office files (.docx, .xlsx, .pptx): Protected in place; the file format and extension are unchanged
  • File types the client protects natively (text, XML, common image formats): Saved under a "p" extension, e.g., image.jpg becomes image.pjpg and notes.txt becomes notes.ptxt
  • All other file types (archives, CAD files, etc.): Wrapped in a generic .pfile container, e.g., archive.zip becomes archive.zip.pfile; the content is opaque and only the viewer can open it
  • PDFs: Protected natively as .pdf using the ISO PDF encryption standard, so readers that support the standard open them without the viewer; the older .ppdf wrapper is a legacy format

AIP Scanner (On-Premises)

The Microsoft Purview Information Protection scanner (formerly AIP scanner) runs as a Windows service and connects to an on-premises SQL Server database to scan local file shares and SharePoint Server sites.

Scanner Architecture

  • Scanner service: Installed on Windows Server (2019 or later recommended); several scanner nodes can share one cluster for throughput
  • SQL Server database: Stores scan configuration, discovered items and results (SQL Server Express suffices for smaller deployments)
  • Service account: A dedicated AD account with the "Log on locally" right on the scanner host, NTFS read access to every repository for discovery and write access wherever the scanner will apply labels, plus a Microsoft Entra ID (formerly Azure AD) app registration so it can obtain a token for Azure RMS without interactive sign-in
  • Purview portal configuration: Scanner clusters and content scan jobs are configured under Information Protection > Scanner in the Purview portal

Scanner Operating Modes

Mode                        | Action                                                                      | Use case
Discovery only              | Scans and reports on sensitive content found; applies no label or protection | Initial audit of the on-premises data estate
Enforce (label and protect) | Applies the configured sensitivity labels and protection to matched files   | Bulk classification of existing on-premises content

Content Scan Jobs

A content scan job defines what to scan (repositories: file share UNC paths or SharePoint Server URLs) and how to handle discovered sensitive content. Within a content scan job you configure:

  • Repositories to scan (file shares, SharePoint Server)
  • SITs and trainable classifiers to look for
  • Default label to apply, or specific labels per SIT
  • Whether to also classify files with no sensitive content (apply a default "General" label)
  • File types to include or exclude

The scanner needs outbound connectivity to Azure to authenticate, download the label policy and perform Azure RMS key and license operations. It does NOT send file content to Microsoft: matching runs locally on the scanner host. A fully air-gapped scanner is therefore not an option; Hold Your Own Key (HYOK) with on-premises AD RMS keeps the protection key on-premises, but the scanner still needs Azure for policy and authentication, and HYOK adds significant complexity.
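The scanner bootstrap above, as an added example that is not part of the original page: it installs a scanner node, binds it to an app registration, pre-flights a repository's permissions for the two operating modes, and starts a first discovery run. The SQL instance, cluster name, app registration IDs, service account and share path are all assumed values.

```powershell
# Added example (not from the page). Run from an elevated PowerShell session on the
# Windows Server that will host the scanner. Assumed values: SQL instance SQL01\MIPSCAN,
# cluster "HQ-Scanner" (must match the cluster created under Information Protection >
# Scanner in the Purview portal), an Entra ID app registration, the service account
# CONTOSO\svc-mipscan and the repository \\fs01\finance.

Import-Module PurviewInformationProtection

# 1. Install the scanner service; the cmdlet prompts for the service account credentials.
Install-Scanner -SqlServerInstance "SQL01\MIPSCAN" -Cluster "HQ-Scanner"

# 2. Non-interactive token acquisition for the service account through the app
#    registration. The secret is read at the prompt so it never sits in the script.
$appSecret = Read-Host "App registration client secret"
Set-Authentication -AppId "00000000-0000-0000-0000-000000000000" `
                   -AppSecret $appSecret `
                   -TenantId "11111111-1111-1111-1111-111111111111" `
                   -DelegatedUser "svc-mipscan@contoso.com" `
                   -OnBehalfOf (Get-Credential "CONTOSO\svc-mipscan")

# 3. Pre-flight a repository as the service account (run this block in a session
#    started as CONTOSO\svc-mipscan). Discovery needs read; enforce needs write,
#    because labeling rewrites the file in place.
function Test-ScannerRepository {
    param([string]$Path, [switch]$Enforce)
    if (-not (Test-Path -LiteralPath $Path)) { return "unreachable" }
    try {
        Get-ChildItem -LiteralPath $Path -File -ErrorAction Stop | Select-Object -First 1 | Out-Null
    } catch { return "no-read" }
    if ($Enforce) {
        $probe = Join-Path $Path (".mipscan-probe-" + [guid]::NewGuid())
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe
        } catch { return "read-only" }   # discovery would work, enforce would not
    }
    return "ok"
}
Test-ScannerRepository -Path "\\fs01\finance" -Enforce

# 4. Pull the content scan job defined in the portal and run it once. -Reset forces a
#    full pass instead of the delta scan the scanner does by default; the job's mode
#    (discovery vs. enforce) comes from the portal, so the first run should be discovery.
Set-ScannerConfiguration -OnlineConfiguration On
Start-Scan -Reset
Get-ScanStatus
```

The pre-flight check is the step most often skipped: a share that is readable but not writable yields a clean discovery report and then a wall of errors once the job is switched to enforce.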

Bulk Classification with PowerShell

For files on local disks and network shares, the PurviewInformationProtection PowerShell module (Set-FileLabel, Get-FileStatus) applies labels in bulk, and the MIP SDK does the same from custom code. Set-Label and New-Label in Security & Compliance PowerShell manage the label definitions themselves, not files. Files already in SharePoint Online or OneDrive are labeled by auto-labeling policies or through the MIP SDK, not by the file cmdlets.

Common PowerShell approaches:

  • AIPService module (Connect-AipService): Manage Azure RMS tenant settings, templates and usage/audit logs
  • PurviewInformationProtection module: Apply, read and remove labels on files on local disks and network shares (Set-FileLabel, Get-FileStatus, Remove-FileLabel)
  • Security & Compliance PowerShell (Connect-IPPSSession): New-Label/Set-Label and New-LabelPolicy/Set-LabelPolicy manage label definitions and label policies programmatically
  • SharePoint Online Management Shell (Set-SPOSite -SensitivityLabel) or PnP PowerShell (Set-PnPSiteSensitivityLabel): Set container labels on SharePoint sites and Teams

File-level cmdlets require the Purview Information Protection client on the machine running them and operate on local or UNC paths; site-level container labels go through the SharePoint Online Management Shell or the PnP module. Inventory first and rehearse in a non-production environment: a label that encrypts, applied under the wrong permissions, locks users out of their own files, and an unconditional Set-FileLabel run also overwrites labels that users already applied.
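The bulk-labeling workflow above, as an added example that is not from the page; it also shows the file-name behaviors from the File Protection Behaviors section when the chosen label encrypts. It assumes Set-Authentication has already been run for the account doing the labeling, a share at \\fs01\finance, and a "Confidential" label GUID that you would look up with Get-Label in Security & Compliance PowerShell (the GUID below is a placeholder).

```powershell
# Added example (not from the page). Assumed: PurviewInformationProtection module
# installed, authentication done, share \\fs01\finance, placeholder label GUID.

Import-Module PurviewInformationProtection

$LabelId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # assumed; real value from Get-Label

# Inventory: Get-FileStatus reads label and protection state without touching the file.
function Get-LabelInventory {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File |
        Get-FileStatus |
        Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected
}

# Label only files that carry no label yet. Skipping labeled files avoids silently
# downgrading a higher label (which normally requires justification) and avoids
# re-protecting content someone already encrypted under a different template.
function Invoke-BulkLabel {
    param(
        [string]$Path,
        [string]$LabelId,
        [switch]$DryRun,
        [string[]]$Include = @("*.docx", "*.xlsx", "*.pptx", "*.pdf", "*.jpg", "*.zip")
    )
    $targets = Get-ChildItem -Path $Path -Recurse -File -Include $Include |
        Get-FileStatus |
        Where-Object { -not $_.IsLabeled }

    foreach ($f in $targets) {
        if ($DryRun) {
            [pscustomobject]@{ File = $f.FileName; Status = "would-label" }
            continue
        }
        # -PreserveFileDetails keeps the original modified date and owner, so the bulk
        # run does not reset every timestamp on the share.
        $r = Set-FileLabel -Path $f.FileName -LabelId $LabelId -PreserveFileDetails
        # If the label encrypts, the resulting name reflects the file type:
        # report.docx stays report.docx, scan.jpg becomes scan.pjpg,
        # build.zip becomes build.zip.pfile. Check the share after the run.
        [pscustomobject]@{ File = $f.FileName; Status = $r.Status; Comment = $r.Comment }
    }
}

Get-LabelInventory -Path "\\fs01\finance" | Format-Table -AutoSize
Invoke-BulkLabel -Path "\\fs01\finance" -LabelId $LabelId -DryRun                     # rehearse
Invoke-BulkLabel -Path "\\fs01\finance" -LabelId $LabelId | Format-Table -AutoSize    # apply
```

Keep the dry-run output: it is the list of files whose name and accessibility are about to change, which is what the help desk will be asked about the next morning.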

Microsoft Purview Message Encryption (OME)

Microsoft Purview Message Encryption (formerly Office 365 Message Encryption / OME) protects email messages sent inside and outside the organization using Azure Rights Management encryption, with recipient identity provided by Microsoft Entra ID (formerly Azure AD).

How OME Works

  1. A mail flow rule (Exchange Transport Rule) or sensitivity label with encryption is applied to an outbound email
  2. Exchange Online encrypts the message using Azure RMS before delivery
  3. Internal recipients (Office 365 users) can open the email transparently via Outlook
  4. External recipients receive a wrapper email with a link to the OME portal
  5. External users authenticate via Microsoft account, Google, Yahoo, or one-time passcode (OTP)
  6. The authenticated user reads the email in the OME web portal

OME Templates

OME templates can be customized to apply your organization's branding to the wrapper email and the OME portal (logo, header color, disclaimer text).

Common OME Rights Templates

Template            | Behavior
Encrypt-Only        | Encrypts the message; recipients can forward, reply and copy content (forwarded copies stay encrypted)
Do Not Forward      | Encrypts and removes the forward, copy and print rights from recipients
Custom RMS template | Applies a specific Azure RMS template with its own usage rights (view, print, edit, reply, etc.)

OME does not require any client software installation by recipients. The portal is web-based and accessible from any modern browser. For recipients using Gmail or Yahoo, Microsoft redirects authentication through those identity providers; for recipients on any other email system, a one-time passcode is sent to their email address to authenticate access.
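The mail-flow-rule path described in "How OME Works", as an added example that is not from the page, using the two built-in rights templates named in the table. It assumes the ExchangeOnlineManagement module, an admin account admin@contoso.com, and a tenant where Azure RMS licensing is already enabled.

```powershell
# Added example (not from the page). Assumed: ExchangeOnlineManagement module,
# admin@contoso.com, Azure RMS enabled for Exchange Online.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.com"

# 0. Pre-flight: confirm Exchange is bound to Azure RMS and that the built-in
#    "Encrypt" and "Do Not Forward" templates resolve before writing rules against them.
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, InternalLicensingEnabled
Test-IRMConfiguration -Sender "admin@contoso.com"
Get-RMSTemplate | Select-Object Name, Description

# 1. Encrypt-Only, user-driven: a "[Secure]" subject tag on mail leaving the tenant.
#    External recipients get the portal wrapper; internal ones open it in Outlook.
New-TransportRule -Name "OME - Encrypt tagged external mail" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[Secure]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# 2. Do Not Forward, content-driven: the Purview SIT "Credit Card Number" matched at
#    least once in the body or attachments strips the forward/copy/print rights.
New-TransportRule -Name "OME - Do Not Forward on card numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# 3. Review the encryption rules in evaluation order; when both rules match one message,
#    priority decides which template is applied, so keep the stricter rule first.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Sort-Object Priority |
    Select-Object Priority, Name, ApplyRightsProtectionTemplate, SentToScope
```

Send one test message of each kind to an external mailbox and open it through the portal: the Encrypt-Only copy can be forwarded from the portal, the Do Not Forward copy cannot, which is the observable difference between the two templates.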

Advanced Message Encryption

Advanced Message Encryption (AME) extends Message Encryption with additional controls for scenarios that need stricter access management. It requires Microsoft 365 E5 (or an E5 Compliance / Information Protection add-on).

AME Additional Features

Feature                             | Description
Revoke encrypted email              | Sender or admin can revoke an already-sent encrypted message; external recipients lose access the next time they open it in the portal
Email expiration                    | An expiry in days, set per template, after which external recipients can no longer open the message in the portal
Multiple OME templates              | Create several custom branded templates (without AME only the single default template is available)
Encrypted email portal per template | Different branding and expiry for different user groups or business units, selected per mail flow rule

Revocation and expiration only affect messages read through the encrypted message portal, i.e. external recipients. A recipient who opened the message in Outlook with a Microsoft 365 account has already obtained a use license and holds the decrypted content in their client; that copy cannot be revoked after the fact. AME is particularly valuable for legal, financial and healthcare communications where message recall is a compliance requirement.
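The AME controls in the table, as an added example that is not from the page: expiry on the default template, a second branded template routed by a mail flow rule, and a revocation helper. It assumes AME licensing, an existing Connect-ExchangeOnline session, a group legal@contoso.com, and a sender and subject used to locate the message in message trace.

```powershell
# Added example (not from the page). Assumed: AME licensing, an authenticated
# Exchange Online PowerShell session, group legal@contoso.com, sender/subject below.

# 1. Expiration on the default template: external recipients lose portal access after 7 days.
Set-OMEConfiguration -Identity "OME Configuration" -ExternalMailExpiryInDays 7

# 2. A second branded template (AME allows several) with a tighter 2-day expiry for Legal.
New-OMEConfiguration -Identity "Legal" `
    -ExternalMailExpiryInDays 2 `
    -IntroductionText "has sent you a privileged communication" `
    -DisclaimerText "This message is privileged and confidential."

#    Route mail from the Legal group to that template. The rights template decides the
#    encryption; the customization template decides the branding and expiry recipients see.
New-TransportRule -Name "OME - Legal branded encryption" `
    -FromMemberOf "legal@contoso.com" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "Legal"

# 3. Revocation: locate the message in trace, show its status, revoke, show it again.
#    This only helps for recipients reading through the portal (see the note above).
function Revoke-EncryptedMessage {
    param([string]$SenderAddress, [string]$Subject)
    $msg = Get-MessageTrace -SenderAddress $SenderAddress `
                            -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
           Where-Object { $_.Subject -eq $Subject } |
           Select-Object -First 1
    if (-not $msg) {
        throw "No message from $SenderAddress with subject '$Subject' in the last 7 days"
    }
    Get-OMEMessageStatus -MessageId $msg.MessageId          # status before revocation
    Set-OMEMessageRevocation -Revoke $true -MessageId $msg.MessageId
    Get-OMEMessageStatus -MessageId $msg.MessageId          # should now report it revoked
}

Revoke-EncryptedMessage -SenderAddress "counsel@contoso.com" -Subject "Settlement draft"
```

Record the before and after status output when revoking on request from Legal or Compliance; it is the evidence that recall was actually performed, and it shows the limit of what was recalled.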

MIP SDK and Third-Party Integration

The Microsoft Information Protection (MIP) SDK allows developers to build sensitivity label support into custom applications and third-party systems.

  • Available as a native C++ SDK with .NET and Java wrappers
  • Three APIs: Policy (read the tenant's label taxonomy and compute which label applies), File (read and apply labels on supported formats such as Office, PDF and .pfile), Protection (Azure RMS encrypt/decrypt and use-license handling for arbitrary data)
  • Enables custom apps to read, apply and honor Purview sensitivity labels and Azure RMS protection programmatically
  • Used by ISVs (Symantec DLP, Boldon James, Seclore) to integrate with Purview labeling

For SC-401, understand that third-party ISV tools can extend Purview labeling to SAP, file shares, and other repositories through certified MIP SDK integrations - you are not limited to Microsoft's own scanner for non-Microsoft systems.
