Enterprise Recon Cloud 2.12.0

Download ER Cloud 2.12.0 User Guide (PDF)

All Documentation > ER Cloud 2.12.0 User Guide > How-to Guides > Analysis, Remediation, and Reporting > How To Integrate Data Classification with MIP

How To Integrate Data Classification with MIP

PRO This feature is only available in Enterprise Recon Cloud PRO Edition. To find out more about upgrading your ER Cloud license, please contact Ground Labs Licensing. See Subscription License for more information.

This section covers the following:

Overview
How Data Classification with MIP Works
Requirements
Install the MIP Runtime Package
Configure Data Classification with MIP
Disable Data Classification with MIP
View Classification Status
Apply Classification
Remove Classification

Overview

Enterprise Recon Cloud seamlessly integrates with Microsoft Information Protection (MIP), enabling you to leverage the sensitive data discovery capabilities in ER Cloud to better classify, label, and protect sensitive data across your organization.

Once MIP integration is configured, you can view the sensitivity labels for match locations in the Investigate page. The filtering feature lets you easily select match locations with specific classification labels, and take the appropriate remediation or access control action to secure the data.

Sensitivity labels defined by your organization can be applied to supported match locations from the Enterprise Recon Cloud web interface and API. This metadata can be propagated to external services, such as data loss prevention (DLP) solutions, to implement additional controls to complete your organization's information protection strategy.

To integrate MIP Classification in ER Cloud, you must:

Have a valid Office 365 subscription (for more information, refer to Microsoft Information Protection (MIP) SDK setup and configuration).
Generate a Client ID.
Generate a Client Secret Key.
Set Up MIP Credentials.

How Data Classification with MIP Works

For the more detailed explanation on how this feature works, refer to the Analysis - How Data Classification with MIP Works section.

Requirements

Requirements	Description
License	Enterprise Recon Cloud PRO license.
Node Agents	64-/32-bit Windows Agent, version 2.5.0 and above. Refer to the Install Windows Agents section.
MIP Runtime Package	64-/32-bit MIP runtime package (e.g. er2_2.x.x-windows-xxx_mip-runtime.msi). Select a MIP runtime installer with the same computing architecture (64-/32-bit) as the installed Windows Agent. For example, if you have installed a 64-bit Windows Agent, select and install the 64-bit MIP runtime installer. Refer to Install the MIP Runtime Package below.
Scan Modes	Data Classification with MIP is supported for match locations that were scanned as: Local storage scans with a locally installed Windows Node Agent. Refer to Scan Local Storage in the Scan Local Storage and Local Memory section. Network storage scans via a Windows Proxy Agent - only supported for Windows Share Targets. Refer to Scan Windows Share in the Scan Network Storage Locations section.
Operating Systems	Data Classification with MIP is supported on all 64-/32-bit Windows versions currently supported by Microsoft.
File Types	Refer to Supported File Types below.
User Permissions	Manage MIP Credentials Global Admin and Classification Admin users have permissions to set up and modify the MIP credentials in the Settings > Analysis > Classification page. For more information, refer to Assign Global Permissions in the Grant User Permissions section. Classify Sensitive Data Global Admin users can manually assign classification labels to all Targets and locations from the Investigate page. Classification Admin users can manually assign classification labels to all Targets and locations for which they have permissions to in the Investigate page. All users can manually assign classification labels to Targets and locations for which they are granted Classification Resource Permissions. View MIP Classification Labels Users with access to the Investigate page can view the sensitivity label of locations for which they have resource permissions to. For more information, refer to Grant User Permissions.

Supported File Types

Enterprise Recon Cloud MIP integration supports the following file types:

Classification Action	File Types
Apply classification labels (without encryption)	All file types supported by the MIP SDK for classification only All file types that support metadata elements
Apply classification labels (with encryption) that require file protection	All file types supported by the MIP SDK for classification only All file types that support metadata elements All other file types Original file types (and their corresponding file extensions) may change after applying classification labels (with encryption) that require file protection. For more information, refer to Supported file types for classification and protection.

For more information, refer to Microsoft 365 - Learn about sensitivity labels.

Install the MIP Runtime Package

Log in to the ER Cloud Web Console.
Go to Settings > Agents > Node Agent Downloads.
On the Node Agent Downloads page, download the appropriate Windows MIP runtime package (e.g. er2_2.x.x-windows-xxx_mip-runtime.msi). Select a MIP runtime package installer with the same computing architecture (64-/32-bit) as the installed Windows Agent.
(Optional) Verify the checksum of the downloaded Node Agent package file. Refer to Verify Checksum for Node Agent Package File in the Install Windows Agent section.
Run the downloaded installer on the same host as the installed Windows Agent and click Next >.
In the Choose Setup Type dialog, select Install.
In the Ready to Install dialog, select Install.
Click Finish to complete the installation.

Configure Data Classification with MIP

Generate a Client ID

With your administrator account, log in to the Azure app registration portal.
In the App registrations page, click on + New registration.

In the Register an application page, fill in the following fields:

Field	Description
Name	Enter a descriptive display name for ER Cloud. For example, Enterprise Recon.
Supported account types	Select Accounts in this organizational directory only.

Click Register. A dialog box appears, displaying the overview for the newly registered app, "Enterprise Recon".
Take down the values for the Application (client) ID. This will be required to set up MIP credentials.
In the Manage panel, click API permissions.
In the Configured permissions section, click + Add a permission.

In the Request API permissions page, search and select the following permissions for the "Enterprise Recon: app:

API Permission	Notes
Microsoft APIs > Azure Rights Management Services > Delegated Permissions	Check the user_impersonation permission.
APIs my organization uses > Microsoft Information Protection Sync Service > Delegated Permissions	Check the UnifiedPolicy.User.Read permission.

Click Add permissions.
In the Configured permissions page, click on Grant admin consent for <organization name>.
In the Permissions requested Accept for your organization window, click Accept. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".

Generate a Client Secret Key

With your administrator account, log in to the Azure app registration portal.
In the App registrations page, go to the Owner applications tab. Click on the app that you registered when generating a Client ID. For example, "Enterprise Recon".
In the Manage panel, click Certificates & secrets.
In the Client secrets section, click + New client secret.

In the Add a client secret page, fill in the following fields:

Field	Description
Description	Enter a descriptive label for the Client Secret key.
Expires	Select a validity period for the Client Secret key.

Click Add. The Value column will contain the Client Secret key.
Copy and save the Client Secret key to a secure location. This will be required when you set up MIP credentials.

Save your Client Secret key in a secure location. You cannot access this Client Secret key once you navigate away from the page.

Set Up MIP Credentials

Users with Global Admin and Classification Admin global permissions can set up the MIP credentials in the Settings > Analysis > Classification page.

Microsoft Information Protection ("MIP") helps to discover, classify, and protect sensitive information wherever it lives or travels ("MIP Classification Functions"). By choosing to connect Enterprise Recon ("ER") to MIP, you are also agreeing to send error and performance data, including information about the configuration of your software like the software you are currently running and your IP address ("Data"), to Microsoft over the internet. Microsoft uses this Data to provide and improve the quality, security and integrity of Microsoft products and services. For more information on how Microsoft uses this Data, please read the Microsoft Privacy Statement. When turned off, the MIP Classification Functions will not be available through ER.

To set up MIP credentials:

Log in to the ER Cloud Web Console.
Go to Settings > Analysis > Classification.
Set the toggle button to On.

In the Microsoft Information Protection (MIP) section, fill in the following fields:

Field	Description
Login ID	Enter the Microsoft 365 user account that will be used for classification. For example, enterprise-recon-user@example.onmicrosoft.com. Sensitivity labels that can be retrieved by ER Cloud depends on the labels that are available in label policies published to the specified user. The Data Classification with MIP feature in ER Cloud does not support user accounts with two-factor authentication (2FA) enabled. You are recommended to use a Microsoft service account that does not require 2FA to be enabled when setting up the MIP credentials.
App ID	Enter the Application (client) ID value obtained when generating a Client ID. For example, myAppId-example-enterpriserecon-1234.
App Secret	Enter the Client Secret key value obtained when generating a Client Secret Key. For example, myAppSecretKey-enterpriserecon-123.
Password	Enter the password of the user specified in the Login ID field.
Agent	Select a Windows Agent with direct internet access. The selected Windows Agent will be used to retrieve classification labels that are published to the user specified in the Login ID field.

Click Retrieve to verify the MIP credentials and retrieve the sensitivity labels published to the user specified in the Login ID field. MIP credentials are saved (and overwritten) upon successful authentication.

The Retrieve button will only be enabled when there is at least one suitable Windows Agent that is available and connected to the Master Server.

Update MIP Credentials

Users with Global Admin and Classification Admin global permissions can modify the MIP credentials configured in ER Cloud.

To modify the MIP credentials:

Log in to the ER Cloud Web Console.
Go to Settings > Analysis > Classification.

In the Microsoft Information Protection (MIP) section, edit the following fields:

Field	Description
Login ID	Enter the Microsoft 365 user account that will be used for classification. For example, enterprise-recon-user@example.onmicrosoft.com. Sensitivity labels that can be retrieved by ER Cloud depends on the labels that are available in label policies published to the specified user. The Data Classification with MIP feature in ER Cloud does not support user accounts with two-factor authentication (2FA) enabled. You are recommended to use a Microsoft service account that does not require 2FA to be enabled when setting up the MIP credentials.
App ID	Enter the Application (client) ID value obtained when generating a Client ID. For example, myAppId-example-enterpriserecon-1234.
App Secret	Enter the Client Secret key value obtained when generating a Client Secret Key. For example, myAppSecretKey-enterpriserecon-123.
Password	Enter the password of the user specified in the Login ID field.
Agent	Select a Windows Agent with direct internet access. The selected Windows Agent will be used to retrieve classification labels that are published to the user specified in the Login ID field.

Click Retrieve to verify the updated MIP credentials and retrieve the sensitivity labels published to the user specified in the Login ID field. MIP credentials are saved (and overwritten) upon successful authentication.

The Retrieve button will only be enabled when there is at least one suitable Windows Agent that is available and connected to the Master Server.

Disable Data Classification with MIP

To disable Data Classification integration with MIP:

Go to Settings > Analysis > Classification.
Set the toggle button to Off.

View Classification Status

Navigate to the Investigate page to view the results grid (refer to the View Investigate Page section).

In the Investigate page results grid, the MIP Classification status for a supported match location is reflected in the following columns:

Column	Description	Examples
MIP Label	Displays the latest MIP sensitivity label applied to the location. If the MIP sensitivity label for a location is applied or modified using ER Cloud, a notification icon will be displayed in this column. If the last-known MIP sensitivity label for a location no longer corresponds to an active or valid label, the MIP Label column displays the label ID.	Confidential, Public
Classification Type	If the location has any MIP sensitivity label applied, this column indicates if the label was manually applied in ER Cloud (Classified), or applied outside of ER Cloud (Discovered).	Classified, Discovered
Status	Displays the status of the most recent remediation, access control, or classification action performed on the location.	Pending label modification, MIP label modified

Apply Classification

The Classify button will be disabled if:

Data Classification integration with MIP is disabled, or
Unsupported Target locations are selected, or
The user does not have permissions to perform classification actions on one or more selected match locations.

You can manually apply the sensitivity classification of a supported match location in ER Cloud. To manually apply or modify the MIP sensitivity label associated with a match location:

Go to the Investigate page.
Select the match location(s) that you want to apply or modify the MIP classification labels for.

A file that is applied with a classification label with protection settings (encryption) can only be decrypted by users that are authorized by the label's encryption settings.
Click the Classify button to bring up the Classify locations with a Sensitivity Label (MIP) dialog box.
Select a sensitivity label from the dropdown menu to be applied to or modified for the match location(s).
Enter a name in the Please sign-off to confirm label modification field.
Enter a reason in the Reason field.
Click Ok to classify the match location(s) with the selected MIP sensitivity label. Otherwise click Cancel to cancel the data classification operation.

Remove Classification

You can manually remove the sensitivity classification of a supported match location in ER Cloud. To manually remove the MIP sensitivity label associated with a match location:

Go to the Investigate page.
Select the match location(s) that you want to apply or modify the MIP classification labels for.
Click the Classify button to bring up the Classify locations with a Sensitivity Label (MIP) dialog box.
Select Remove sensitivity label from the dropdown menu.
Enter a name in the Please sign-off to confirm label modification field.
Enter a reason in the Reason field.
Click Ok to remove the classification for the match location(s). Otherwise click Cancel to cancel the data classification operation.