Microsoft Information Protection (MIP) integration is a capability of Box Shield that allows you to map Microsoft sensitivity labels, including encrypted sensitivity labels, to Box classification labels when files and new versions of files are uploaded or updated. Once you enable and configure Microsoft Information Protection integration and map Microsoft sensitivity labels to Box classification labels, files in your enterprise that are uploaded or updated will be scanned for a Microsoft sensitivity label. If a Microsoft sensitivity label exists for a file, it will have a mapped Box classification label added to the file's metadata instance, and this should happen almost immediately after upload or update.
Before you can enable MIP integration in Box, you must first register the Box for MIP application in Azure Active Directory, which entails installing the Box for MIP application in Azure Active Directory, granting the Box for MIP application permissions to synchronize with Box, and then allowing Azure Active Directory to complete the registration process.
Install and Configure the Box for MIP Application in Azure Active Directory
You must be an Azure Active Directory administrator.
- Click https://login.microsoftonline.com/common/adminconsent?client_id=963a4eb2-b128-4d26-8893-f3d8621a5ea8.
- If necessary, sign in to Azure Active Directory.
- Review and approve the permissions required for the Box for MIP app to work correctly. Specifically, the following permissions are listed:
- Read all protected content for this tenant.
- Read all unified policies for this tenant.
- Sign in and read user profile.
Sign in and read user profile is a generic permission required only at the time of granting permissions and does not grant Box permission to read all your users' profiles. You can view the actual permissions granted to the Box for MIP app in Azure Active Directory > Enterprise applications > Box for MIP > Permissions.
After you install and configure the Box for MIP application, the Azure registration process may take some time to complete, from a few minutes to somewhat longer. Registration in Azure must finish before you can successfully enable the integration in Box with your Microsoft Tenant ID in the procedure below.
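The permission review above can also be checked from exported data. This added example (not Box or Microsoft code) compares what was actually granted to the Box for MIP service principal against the three permissions listed on this page. It assumes you have exported the service principal's appRoleAssignments and oauth2PermissionGrants, plus the resource service principals they reference, from Microsoft Graph as JSON; the ids and sample objects below are constructed.

```python
# Added example (not Box or Microsoft code). EXPECTED holds the three permission
# display names this page lists; every id and sample object is constructed.
EXPECTED = {
    "Read all protected content for this tenant",
    "Read all unified policies for this tenant",
    "Sign in and read user profile",
}

def granted_names(app_role_assignments, oauth2_grants, resources):
    """Resolve Graph grant objects to permission display names.

    resources maps each resource service principal id to its Graph object,
    which carries the appRoles and oauth2PermissionScopes definitions.
    """
    names = set()
    for a in app_role_assignments:  # application permissions
        roles = {r["id"]: r["displayName"]
                 for r in resources[a["resourceId"]]["appRoles"]}
        names.add(roles.get(a["appRoleId"], "UNRESOLVED " + a["appRoleId"]))
    for g in oauth2_grants:  # delegated permissions, space-separated in "scope"
        scopes = {s["value"]: s["adminConsentDisplayName"]
                  for s in resources[g["resourceId"]]["oauth2PermissionScopes"]}
        for value in g["scope"].split():
            names.add(scopes.get(value, "UNRESOLVED " + value))
    return names

def audit(app_role_assignments, oauth2_grants, resources):
    """Report grants beyond the expected set and expected grants not yet present."""
    names = granted_names(app_role_assignments, oauth2_grants, resources)
    return {"unexpected": sorted(names - EXPECTED),
            "missing": sorted(EXPECTED - names)}

# Constructed sample data in the shape Microsoft Graph returns.
RESOURCES = {
    "res-a": {"appRoles": [{"id": "role-1", "displayName": "Read all protected content for this tenant"}],
              "oauth2PermissionScopes": []},
    "res-b": {"appRoles": [{"id": "role-2", "displayName": "Read all unified policies for this tenant"}],
              "oauth2PermissionScopes": []},
    "res-c": {"appRoles": [], "oauth2PermissionScopes": [
        {"value": "User.Read", "adminConsentDisplayName": "Sign in and read user profile"},
        {"value": "Example.Extra", "adminConsentDisplayName": "Constructed extra permission"}]},
}
ROLES = [{"resourceId": "res-a", "appRoleId": "role-1"},
         {"resourceId": "res-b", "appRoleId": "role-2"}]
GRANTS = [{"resourceId": "res-c", "consentType": "AllPrincipals", "scope": "User.Read"}]

if __name__ == "__main__":
    print(audit(ROLES, GRANTS, RESOURCES))
```

An empty "missing" list indicates the grants are in place; any "unexpected" entry is a permission beyond what this page says the app requires and warrants review.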
Enable and Configure Microsoft Information Protection Integration
- The Box for MIP application is installed in Azure Active Directory and has the Read all unified policies of the tenant permission enabled.
- Your Microsoft Tenant ID. To find your Microsoft Tenant ID:
- Log in to Microsoft Azure as a Global or User Management Admin.
- Go to Azure Active Directory > Manage > Properties. Your Microsoft Tenant ID is the value in the Tenant ID field.
- In the Admin Console, click Classification.
- Click the Classification Settings
- In the Microsoft Information Protection section, select Enable Integration.
- Enter your Microsoft Tenant ID and click Save. You will be asked to authorize the connection.
- Select Prevent Modifications if you do not want existing classification labels on files mapped from sensitivity labels to be updated by anyone, including users, the folder cascade, or auto-classification.
- Select Set Default Mapping if you want any unmapped Microsoft sensitivity labels to be mapped to a Box classification label, and then select a Box classification label. If you do not select a default and you do not map all Microsoft sensitivity labels, then some content may not get Box classification labels applied.
- Map your existing classification labels to the Microsoft sensitivity labels in your tenant:
- Select an item from the Microsoft sensitivity label drop-down list.
- Select an item from the Box classification labels drop-down list that you want mapped to the chosen Microsoft sensitivity label.
- To add more mappings, click Add Mapping.
- Click Save.
See the Microsoft Information Protection section in the Classification Settings topic for additional details.