Microsoft Information Protection Integration

Microsoft Information Protection (MIP) integration is a capability of Box Shield that allows you to map Microsoft sensitivity labels, including encrypted sensitivity labels, to Box classification labels when files and new versions of files are uploaded or updated. Once you enable and configure Microsoft Information Protection integration and map Microsoft sensitivity labels to Box classification labels, files in your enterprise that are uploaded or updated will be scanned for a Microsoft sensitivity label. If a Microsoft sensitivity label exists for a file, it will have a mapped Box classification label added to the file's metadata instance, and this should happen almost immediately after upload or update.

Before you can enable MIP integration in Box, you must first register the Box for MIP application in Azure Active Directory, which entails installing the Box for MIP application in Azure Active Directory, granting the Box for MIP application permissions to synchronize with Box, and then allowing Azure Active Directory to complete the registration process.

Supported File Types for MIP Integration

'doc', 'docm', 'docx', 'dot', 'dotm', 'dotx', 'pdf', 'potm', 'potx', 'pps', 'ppsm', 'ppsx','ppt', 'pptm', 'pptx', 'vdw', 'vsd', 'vsdm', 'vsdx', 'vss', 'vssm', 'vst', 'vstm', 'vssx','vstx', 'xls', 'xlsb', 'xlt', 'xlsm', 'xlsx', 'xltm', 'xltx'

Install and Configure the Box for MIP Application in Azure Active Directory

You must be an Azure Active Directory administrator.

1. Click https://login.microsoftonline.com/common/adminconsent?client_id=963a4eb2-b128-4d26-8893-f3d8621a5ea8.
2. If necessary, sign in to Azure Active Directory.
3. Review and approve the permissions required for the Box for MIP app to work correctly. Specifically, the following permissions are listed:
   • Read all protected content for this tenant.
   • Read all unified policies for this tenant.
   • Sign in and read user profile.

     Note

     Sign in and read user profile is a generic permission required only at the time of granting permissions and does not grant Box permission to read all your users' profiles. You can view the actual permissions granted to the Box for MIP app in Azure Active Directory > Enterprise applications > Box for MIP > Permissions.

Enable and Configure Microsoft Information Protection Integration

1. In the Admin Console, click Classification.
2. Click the Classification Settings
3. In the Microsoft Information Protection section, select Enable Integration.
4. Enter your Microsoft Tenant ID and click Save. You will be asked to authorize the connection.
5. Select Prevent Modifications if you do not want existing classification labels on files mapped from sensitivity labels to be updated by anyone, including users, the folder cascade, or auto-classification.
6. Select Set Default Mapping if you want any unmapped Microsoft sensitivity labels to be mapped to a Box classification label, and then select a Box classification label. If you do not select a default and you do not map all Microsoft sensitivity labels, then some content may not get Box classification labels applied.
7. Map your existing classification labels to the Microsoft sensitivity labels in your tenant:
   1. Select an item from the Microsoft sensitivity label drop-down list.
   2. Select an item from the Box classification labels drop-down list that you want mapped to the chosen Microsoft sensitivity label.
   3. To add more mappings, click Add Mapping.
8. Click Save.

See the Microsoft Information Protection section in the Classification Settings topic for additional details.