Analytics and central reporting for Azure Information Protection (public preview)
Applies to: Azure Information Protection
Relevant for: AIP unified labeling client and classic client
To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. While the classic client continues to work as configured, no further support is provided, and maintenance versions will no longer be released for the classic client.
This article describes how to use Azure Information Protection (AIP) analytics for central reporting, which can help you track the adoption of your labels that classify and protect your organization's data.
AIP analytics also enable you to perform the following tasks:
Monitor labeled and protected documents and emails across your organization
Identify documents that contain sensitive information within your organization
Monitor user access to labeled documents and emails, and track document classification changes.
Identify documents that contain sensitive information that might be putting your organization at risk if they are not protected, and mitigate your risk by following recommendations.
Identify when protected documents are accessed by internal or external users from Windows computers, and whether access was granted or denied.
The data that you see is aggregated from your Azure Information Protection clients and scanners, from Microsoft Cloud App Security, and from protection usage logs.
Azure Information Protection analytics for central reporting is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
AIP reporting data
Azure Information Protection analytics for central reporting displays the following data:

Usage report: Select a time period to show any of the following:
- Which labels are being applied
- How many documents and emails are being labeled
- How many documents and emails are being protected
- How many users and how many devices are labeling documents and emails
- Which applications are being used for labeling

Activity logs: Select a time period to show any of the following:
- Which files previously discovered by the scanner were deleted from the scanned repository
- What labeling actions were performed by a specific user
- What labeling actions were performed from a specific device
- Which users have accessed a specific labeled document
- What labeling actions were performed for a specific file path
- What labeling actions were performed by a specific application, such as File Explorer and right-click, PowerShell, the scanner, or Microsoft Cloud App Security
- Which protected documents were accessed successfully by users or denied to users, even if those users don't have the Azure Information Protection client installed or are outside your organization
- Drill down into reported files to view Activity Details for additional information

Data discovery report:
- What files are on your scanned data repositories, Windows 10 computers, or computers running the Azure Information Protection clients
- Which files are labeled and protected, and the location of files by label
- Which files contain sensitive information for known categories, such as financial data and personal information, and the location of files by these categories

Recommendations report:
- Identify unprotected files that contain a known sensitive information type. A recommendation lets you immediately configure the corresponding condition for one of your labels to apply automatic or recommended labeling. If you follow the recommendation, the next time the files are opened by a user or scanned by the Azure Information Protection scanner, the files can be automatically classified and protected.
- Identify data repositories that have files with identified sensitive information but are not being scanned by the Azure Information Protection scanner. A recommendation lets you immediately add the identified data store to one of your scanner's profiles. If you follow the recommendation, the files can be automatically classified and protected on the next scanner cycle.
The reports use Azure Monitor to store the data in a Log Analytics workspace that your organization owns. If you're familiar with the query language, you can modify the queries, and create new reports and Power BI dashboards. You might find the following tutorial helpful to understand the query language: Get started with Azure Monitor log queries.
Information collected and sent to Microsoft
To generate these reports, endpoints send the following types of information to Microsoft:
The label action. For example, set a label, change a label, add or remove protection, automatic and recommended labels.
The label name before and after the label action.
Your organization's tenant ID.
The user ID (email address or UPN).
The name of the user's device.
The IP address of the user's device.
The relevant process name, such as outlook or msip.app.
The name of the application that performed the labeling, such as Outlook or File Explorer
For documents: The file path and file name of documents that are labeled.
For emails: The email subject and email sender for emails that are labeled.
The sensitive information types (predefined and custom) that were detected in content.
The Azure Information Protection client version.
The client operating system version.
This information is stored in an Azure Log Analytics workspace that your organization owns and can be viewed independently from Azure Information Protection by users who have access rights to this workspace.
For more details, see:
- Permissions required for Azure Information Protection analytics
- Manage access to Log Analytics Workspace using Azure permissions
- Azure Information Protection audit log reference
Prevent the AIP clients from sending auditing data
Unified labeling client
To prevent the Azure Information Protection unified labeling client from sending auditing data, configure a label policy advanced setting (the EnableAudit setting, with the value False).
Classic client
To prevent the Azure Information Protection classic client from sending this data, set the policy setting Send audit data to Azure Information Protection analytics to Off:
- To have most users send data, with a subset of users who cannot send data: set Send audit data to Azure Information Protection analytics to Off in a scoped policy for that subset of users. This configuration is typical for production scenarios.
- To have only a subset of users send data: set Send audit data to Azure Information Protection analytics to Off in the global policy, and to On in a scoped policy for that subset of users. This configuration is typical for testing scenarios.
Content matches for deeper analysis
Azure Information Protection lets you collect and store the actual data that's identified as being a sensitive information type (predefined or custom). For example, this can include credit card numbers that are found, as well as social security numbers, passport numbers, and bank account numbers. The content matches are displayed when you select an entry from Activity logs, and view the Activity Details.
By default, Azure Information Protection clients don't send content matches. To change this behavior so that content matches are sent:
- Unified labeling client: Configure an advanced setting in a label policy.
- Classic client: Select the Enable deeper analytics into your sensitive data checkbox as part of the configuration for Azure Information Protection analytics. If you want most users of this client to send content matches, but a subset of users must not, select the checkbox and then configure an advanced client setting in a scoped policy for that subset of users.
Prerequisites for AIP analytics
To view the Azure Information Protection reports and create your own, make sure that the following requirements are in place:
- An Azure subscription: Your Azure subscription must include Log Analytics on the same tenant as Azure Information Protection. For more information, see the Azure Monitor pricing page. If you don't have an Azure subscription or you don't currently use Azure Log Analytics, the pricing page includes a link for a free trial.
- Audit logging URL network connectivity: AIP must be able to access the audit logging URLs in order to support AIP audit logs.
- Azure Information Protection client: For reporting from the client. If you don't already have a client installed, you can download and install the unified labeling client from the Microsoft Download Center. Note: Both the unified labeling client and the classic client are supported. To deploy the AIP classic client, open a support ticket to get download access.
- Azure Information Protection on-premises scanner: For reporting from on-premises data stores. For more information, see Deploying the Azure Information Protection scanner to automatically classify and protect files.
- Microsoft Cloud App Security (MCAS): For reporting from cloud-based data stores. For more information, see Azure Information Protection integration in the MCAS documentation.
Permissions required for Azure Information Protection analytics
Specific to Azure Information Protection analytics, after you have configured your Azure Log Analytics workspace, you can use the Azure AD administrator role of Security Reader as an alternative to the other Azure AD roles that support managing Azure Information Protection in the Azure portal. This additional role is supported only if your tenant isn't on the unified labeling platform.
Because Azure Information Protection analytics uses Azure Monitor, Azure role-based access control (RBAC) also controls access to your workspace. You therefore need an Azure role as well as an Azure AD administrator role to manage Azure Information Protection analytics. If you're new to Azure roles, you might find it useful to read Differences between Azure RBAC roles and Azure AD administrator roles.
For more information, see:
- Required Azure AD administrator roles
- Required Azure Log Analytics roles
- Minimum roles to view the reports
Required Azure AD administrator roles
You must have one of the following Azure AD administrator roles to access the Azure Information Protection analytics pane:
To create your Log Analytics workspace or to create custom queries:
- Azure Information Protection administrator
- Security administrator
- Compliance administrator
- Compliance data administrator
- Global administrator
After the workspace has been created, you can then use the following roles with fewer permissions to view the data collected:
- Security reader
- Global reader
Required Azure Log Analytics roles
To create the workspace or to create custom queries, you need the following Azure role:
- Log Analytics Contributor
After the workspace has been created, you can use the following role with fewer permissions to view the data collected:
- Log Analytics Reader
Minimum roles to view the reports
After you have configured your workspace for Azure Information Protection analytics, the minimum roles needed to view the Azure Information Protection analytics reports are both of the following:
- Azure AD administrator role: Security reader
- Azure role: Log Analytics Reader
However, a typical role assignment for many organizations is the Azure AD role of Security reader and the Azure role of Reader.
Storage requirements and data retention
The amount of data collected and stored in your Azure Information Protection workspace varies significantly for each tenant, depending on factors such as how many Azure Information Protection clients and other supported endpoints you have, whether you're collecting endpoint discovery data, whether you've deployed scanners, the number of protected documents that are accessed, and so on.
However, as a starting point, you might find the following estimates useful:
For audit data generated by Azure Information Protection clients only: 2 GB per 10,000 active users per month.
For audit data generated by Azure Information Protection clients, and scanners: 20 GB per 10,000 active users per month.
If you use mandatory labeling or you've configured a default label for most users, your rates are likely to be significantly higher.
Azure Monitor Logs has a Usage and estimated costs feature to help you estimate and review the amount of data stored, and you can also control the data retention period for your Log Analytics workspace. For more information, see Manage usage and costs with Azure Monitor Logs.
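The following query is added here as an example and is not part of the original article. It measures what the workspace actually ingests for AIP audit data over the same 31-day window the page's other examples use, and normalizes it to the "GB per 10,000 active users" figure quoted above so you can compare your tenant with the estimates. It assumes the standard Log Analytics Usage table (where Quantity is reported in MB and custom-log data is keyed by table name) and the InformationProtectionEvents function described later on this page.

```kusto
// Added example: compare real AIP audit ingestion with the per-10,000-user estimates.
// Assumes the standard Log Analytics Usage table (Quantity in MB) and the
// InformationProtectionEvents function documented on this page.
let window = 31d;
// Active users are those who produced at least one AIP audit event in the window.
let activeUsers = toscalar(
    InformationProtectionEvents
    | where Time > ago(window)
    | summarize dcount(User));
Usage
| where TimeGenerated > ago(window)
// Custom-log usage is keyed by the table name that holds the AIP data.
| where DataType == "InformationProtectionLogs_CL" and IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2)
| extend ActiveUsers = activeUsers
// Guard the division: a workspace with no AIP events yet has zero active users.
| extend GBPer10kUsers = iff(ActiveUsers == 0, real(null),
                              round(IngestedGB * 10000.0 / ActiveUsers, 2))
```

Compare GBPer10kUsers with the 2 GB (clients only) and 20 GB (clients plus scanners) starting points above; a value well above them usually points to mandatory or default labeling, or to content matches being sent.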
Configure a Log Analytics workspace for the reports
If you haven't already done so, open a new browser window and sign in to the Azure portal with an account that has the permissions required for Azure Information Protection analytics. Then navigate to the Azure Information Protection pane.
For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.
Locate the Manage menu options, and select Configure analytics (Preview).
On the Azure Information Protection log analytics pane, you see a list of any Log Analytics workspaces that are owned by your tenant. Do one of the following:
To create a new Log Analytics workspace: Select Create new workspace, and on the Log analytics workspace pane, supply the requested information.
To use an existing Log Analytics workspace: Select the workspace from the list.
If you need help with creating the Log Analytics workspace, see Create a Log Analytics workspace in the Azure portal.
AIP classic client only: Select the checkbox Enable deeper analytics into your sensitive data if you want to store the actual data that's identified as being a sensitive information type.
For more information about this setting, see the Content matches for deeper analysis section on this page.
You're now ready to view the reports.
View the AIP analytics reports
From the Azure Information Protection pane, locate the Dashboards menu options, and select one of the following options:
- Usage report (Preview): Use this report to see how your labels are being used.
- Activity logs (Preview): Use this report to see labeling actions by users, devices, and file paths. In addition, for protected documents, you can see access attempts (successful or denied) by users both inside and outside your organization, even if they don't have the Azure Information Protection client installed. This report has a Columns option that lets you display more activity information than the default display. You can also see more details about a file by selecting it to display Activity Details.
- Data discovery (Preview): Use this report to see information about labeled files found by scanners and supported endpoints. Tip: From the information collected, you might find users accessing files that contain sensitive information from locations that you didn't know about or aren't currently scanning. If the locations are on-premises, consider adding them as additional data repositories for the Azure Information Protection scanner. If the locations are in the cloud, consider using Microsoft Cloud App Security to manage them.
- Recommendations (Preview): Use this report to identify files that have sensitive information and mitigate your risk by following the recommendations. When you select an item, the View data option displays the audit activities that triggered the recommendation.
Modify the AIP analytics reports and create custom queries
Select the query icon in the dashboard to open a Log Search pane:
The logged data for Azure Information Protection is stored in the following table: InformationProtectionLogs_CL
When you create your own queries, use the friendly schema names that have been implemented as InformationProtectionEvents functions. These functions are derived from the attributes that are supported for custom queries (some attributes are for internal use only) and their names will not change over time, even if the underlying attributes change for improvements and new functionality.
Friendly schema reference for event functions
Use the following table to identify the friendly name of event functions that you can use for custom queries with Azure Information Protection analytics.
| Field | Description |
|---|---|
| Time | Event time, UTC in format YYYY-MM-DDTHH:MM:SS |
| User | User, in UPN or DOMAIN\USER format |
| ItemPath | Full item path or email subject |
| ItemName | File name or email subject |
| Method | Label assignment method: Manual, Automatic, Recommended, Default, or Mandatory |
| Activity | Audit activity: DowngradeLabel, UpgradeLabel, RemoveLabel, NewLabel, Discover, Access, RemoveCustomProtection, ChangeCustomProtection, NewCustomProtection, or FileRemoved |
| ResultStatus | Result status of the action: Succeeded or Failed (reported by the AIP scanner only) |
| ErrorMessage_s | Error message details when ResultStatus is Failed (reported by the AIP scanner only) |
| LabelName | Label name (not localized) |
| LabelNameBefore | Label name before the change (not localized) |
| ProtectionType | Protection type, as JSON; "Type" is one of "Template", "Custom", or "DoNotForward" |
| ProtectionBefore | Protection type before the change, as JSON |
| MachineName | FQDN when available; otherwise host name |
| Platform | Device platform (Win, OSX, Android, iOS) |
| ApplicationName | Application friendly name |
| AIPVersion | Version of the Azure Information Protection client that performed the audit action |
| TenantId | Azure AD tenant ID |
| AzureApplicationId | Azure AD registered application ID (GUID) |
| ProcessName | Process that hosts the MIP SDK |
| LabelId | Label GUID, or null |
| IsProtected | Whether the item is protected: Yes/No |
| ProtectionOwner | Rights Management owner, in UPN format |
| LabelIdBefore | Label GUID before the change, or null |
| InformationTypesAbove55 | JSON array of sensitive information types found in the data with confidence level 55 or above |
| InformationTypesAbove65 | JSON array of sensitive information types found in the data with confidence level 65 or above |
| InformationTypesAbove75 | JSON array of sensitive information types found in the data with confidence level 75 or above |
| InformationTypesAbove85 | JSON array of sensitive information types found in the data with confidence level 85 or above |
| InformationTypesAbove95 | JSON array of sensitive information types found in the data with confidence level 95 or above |
| DiscoveredInformationTypes | JSON array of sensitive information types found in the data and their matched content (if enabled); an empty array means no information types were found, and null means no information is available |
| ProtectedBefore | Whether the content was protected before the change: Yes/No |
| ProtectionOwnerBefore | Rights Management owner before the change |
| UserJustification | Justification given when downgrading or removing a label |
| LastModifiedBy | User, in UPN format, who last modified the file (Office and SharePoint only) |
| LastModifiedDate | UTC in format YYYY-MM-DDTHH:MM:SS (Office and SharePoint only) |
Examples using InformationProtectionEvents
Use the following examples to see how you might use the friendly schema to create custom queries.
Example 1: Return all users who sent audit data in the last 31 days
```kusto
InformationProtectionEvents
| where Time > ago(31d)
| distinct User
```
Example 2: Return the number of labels that were downgraded per day in the last 31 days
```kusto
InformationProtectionEvents
| where Time > ago(31d)
| where Activity == "DowngradeLabel"
// count() takes no argument in KQL; one row per day in the window
| summarize Label_Downgrades_per_Day = count() by bin(Time, 1d)
```
Example 3: Return the number of labels that were downgraded from Confidential by user, in the last 31 days
```kusto
InformationProtectionEvents
| where Time > ago(31d)
| where Activity == "DowngradeLabel"
// label was Confidential before the action and is no longer Confidential after it
| where LabelNameBefore contains "Confidential" and LabelName !contains "Confidential"
| summarize Label_Downgrades_by_User = count() by User
| sort by Label_Downgrades_by_User desc
```
In this example, a downgraded label is counted only if the label name before the action contained Confidential and the label name after the action didn't contain Confidential.
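Example 4: Return folders that still hold unprotected files with high-confidence sensitive information types, by host, in the last 31 days

This example is added here and is not part of the original article. It uses only the friendly schema fields listed above together with the standard KQL functions arg_max, parse_json and parse_path. Because an item can appear in many events (discovered, labeled, then protected), it first keeps the newest event per ItemPath as the item's current state and only then filters, so files that were protected after discovery are not reported. The result is the population the Recommendations report is built from, but sliced by host and folder. The leading path filter is an assumption: ItemPath also carries email subjects, and the regular expression keeps only UNC, drive-letter and HTTP(S) paths.

```kusto
// Added example: unprotected items that carry a sensitive information type detected
// with confidence 85 or above, grouped by host and folder. Uses only the friendly
// schema fields documented on this page.
InformationProtectionEvents
| where Time > ago(31d)
// Assumption: drop email subjects, keep UNC (\\server\share), drive (C:\) and URL paths.
| where ItemPath matches regex @"^(\\\\|[A-Za-z]:\\|https?://)"
// One row per item: the most recent event describes its current state.
| summarize arg_max(Time, *) by ItemPath
| where IsProtected == "No"
// Null or an empty array means nothing was detected at this confidence level.
| where array_length(parse_json(InformationTypesAbove85)) > 0
| extend Folder = tostring(parse_path(ItemPath).DirectoryPath)
| summarize UnprotectedItems = dcount(ItemPath),
            SampleItem = take_any(ItemName),
            LastSeen = max(Time)
          by MachineName, Folder
| order by UnprotectedItems desc
```

Lower the threshold to InformationTypesAbove65 or InformationTypesAbove75 to widen the net at the cost of more false positives; rows whose Folder is a repository you are not scanning are the candidates for the "add to scanner profile" recommendation described earlier.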
After reviewing the information in the reports, if you are using the Azure Information Protection client, you might decide to make changes to your labeling policy.
Unified labeling client: Make changes to your labeling policy in the Microsoft 365 compliance center. For more information, see the Microsoft 365 documentation.
Classic client: Make changes to your policy in the Azure portal. For more information, see Configuring the Azure Information Protection policy.
AIP audit logs are also sent to the Microsoft 365 Activity Explorer, where they may be displayed with different names.