Illustrating Dynamic Content Marking in Microsoft Information Protection (MIP)

Author name


At Amazing Dino Consulting, we recognize the importance of data classification and protection. With the influx of data coming in and out of organizations daily, safeguarding your sensitive information is more crucial than ever. Leveraging Microsoft Information Protection (MIP) provides an efficient way to classify and protect sensitive data based on its content. In this blog post, we'll explore dynamic content marking, a feature that can automate and tailor protection measures for your documents.


What is Dynamic Content Marking?

Dynamic content marking in MIP allows organizations to automatically append specific labels, headers, footers, or watermarks to documents based on predefined variables. This provides a layer of information about the document, enhancing data governance and compliance.


How Does It Work?

When you configure a sensitivity label for content markings in MIP, you can use variables in the text string for your header, footer, or watermark. The supported variables include:


  • ${Item.Label}: Label display name of the label applied. Example: General
  • ${Item.Name}: File name or email subject of the content being labeled. Example: Sales.docx
  • ${Item.Location}: Path and file name of the document or the email subject for an email being labeled. Example: \Sales\2023\Q3\Report.docx
  • ${User.Name}: Display name of the user applying the label. Example: Richard Simone
  • ${User.PrincipalName}: Azure AD user principal name (UPN) of the user applying the label. Example: test@amazingdino.testing
  • ${Event.DateTime}: Date and time when the content is labeled, either in the local time zone of the user in Microsoft 365 apps or UTC for Office Online and auto-labeling policies. Example: 8/10/2023 1:30 PM


Note: The syntax for these variables is case-sensitive.


Demonstration

First, go to compliance.microsoft.com->Information Protection->Labels and click "create a label". Then, enter the name and associate information.

 

Then, update the scope info and click "Next"

Then, click "Apply content marking" and click "Next"

In Content marking section, select "Add a watermark" and click "Customize text".

From the 'Customize watermark text' section, you can enter the content that you would like to display in the document.

Save it, update additional text if needed and click "Next".


From the auto-labeling section onward, click 'Next' until the label is created if no changes are needed.

Review the settings and do the final check before you create the label.

The label is now created successfully.


You can now publish the label and apply it to your M365 tenant. Here is the screenshot used in my environment.


Limitation on the dynamic content

If you want to apply content and display the viewer's name, it is not possible without third-party software."



Final Thoughts

Dynamic content marking in MIP empowers organizations to automate and fine-tune their data protection strategy. By leveraging these capabilities, organizations can ensure that their documents are appropriately labeled, thus enhancing data governance and regulatory compliance.

Our experience with Azure AD Application Proxy

By looka_production_101445564 July 2, 2023
Azure AD Applicaiton Proxy
email security, why third party email security is required, Avanna, Office 365

Basic of Email Security

By looka_production_101445564 January 27, 2023
In this blog post, we discuss the basics of email security, the security features provided by Office 365, why third-party email security is still required. We state that while Office 365 provides a number of built-in security features, it is important to note that third-party email security is still required. We concludes the blog post and welcome anyone who is interested in learning more about the services to contact us.

More on SASE solution selection

By looka_production_101445564 January 15, 2023
There are multiple considerations on selecting SASE solution. Here are soem of my personal view. Point of Presence SASE points of presence (POPs) are typically deployed in public clouds or data centres and are managed by vendors. However, some solution may allow you to add the gateway software and become customer’s POP to meet your need. Each vendor has its own performance limitations for their POPs, including throughput (some vendors only support sub-1Gbps), the number of concurrent sessions, and their auto-scale policy (which may need to be inquired about). Available bandwidth from the POP is key area you need to consider. Beware on the latency between your CPE or client and security POP. For example, your CPE in Vietnam may end up connect to SASE POP in SG which may add up to 40-60ms. Security feature I would say the following are MUST have features TLS/SSL Decryption for detecting callback traffic and the certificate must be installed automatically by the VPN client DNS security - detecting DNS tunnel traffic as some exfiltration traffic are tunneled inside DNS traffic AI-driven and up-to-date URL categorization and filtering capable of zero-day Malware detection For SaaS, it depends on whether you have any existing solution in place, those are the key one you need to look at. SaaS security - please note that not every vendor may support the SaaS that you are using DLP Logging, monitoring and Reporting The following are mandatory features I will look into myself SIEM integration end to end network performance analysis - from end user to the application Be able to search log in the management portal Be able to generate executive summary report with some level of customization Last but not least, you should do proof-of-concept testing to validate your use case when you select right SASE solution. I do see many successful implementation are required well-defined use case and proof-of-concept testing to pick the right solution. Contact us if you need help from selecting right SASE solution for you.