Tuesday, May 16, 2017

Using Azure Information Protection (AIP) Labels in SharePoint search

Azure information protection let’s you classify and add policies to documents regardless of where they are stored, but is tied to an Office 365 tenant. AIP operate directly on the Office files, and is currently available when using the desktop versions of Office (versions 2010/13/16)  on Windows (versions 7/8/10) – when you have installed the AIP client.

This means that even though you save copies or e-mail the files, AIP is still tied to the document.

Note: See the pricing plans page to see which SKU’s include AIP.

Resources about AIP

Classifying documents

The two images below show two documents, each classified with a different AIP label (see the above resources for information about enabling and configuring AIP). The first one actually has two labels: Confidential and Anyone (not protected).

image

image

Both documents are stored in a SharePoint library.

image

So where does the AIP labels appear in search?

If you head over to the crawled properties settings for search schema management and search for MSIP_Label_*_Name, you will get one entry per label used.

image

Map each of the label name crawled properties to the same RefinableString managed property, before you re-index the library for the mapping to take effect. I also added an alias of AIPLabel to my RefinableString00 managed property.

image

This means you should create one sample document for each label, in order for the crawled properties to be discoverable.

If all goes according to plan you should now get the label name in the managed property. The picture below is from using the SharePoint query tool.

image

There are a total of 8 crawled properties per label, so map up the ones you need and happy protecting!

  • Name – Label name
  • Enabled – if AIP is enabled or not for the document
  • Application – Name of protector application
  • Extended MSFT Method – Manual/automatic depending on how the label was added
  • SetBy – Account name of the person applying the label
  • SetDate – Date and time when the label was added
  • Ref – Uri identifier to the Azure AD hosting AIP for the tenant
  • SiteId – unique identifier of the Azure AD hosting AIP for the tenant

image