Microsoft Data Classification Services integration

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Microsoft Cloud App Security enables you to natively use the Microsoft Data Classification Service to classify the files in your cloud apps. Microsoft Data Classification Service provides a unified information protection experience across Office 365, Azure Information Protection, and Microsoft Cloud App Security. The classification service allows you to extend your data classification efforts to the third-party cloud apps protected by Microsoft Cloud App Security, using the decisions you already made across an even greater number of apps.

Note

This feature is currently available in the US, Europe, Australia, India, Canada, Japan, and APAC.

Enable content inspection with Data Classification Services

You have the option to set the Inspection method to use the Microsoft Data Classification Service with no additional configuration required. This option is useful when creating a data leak prevention policy for your files in Microsoft Cloud App Security.

  1. In the file policy page, under Inspection method, select Data Classification Service. You can also set the Inspection method in the session policy page with Control file download (with inspection) selected.

    data classification service setting

  2. Select whether the policy should apply when any or all of the criteria are met.

  3. Choose inspection type by selecting the Sensitive information types.

    Choose data classification service inspection type

  4. You can use the default sensitive information types to define what happens to files protected by Microsoft Cloud App Security. You can also reuse any of your Office 365 custom sensitive information types.

    Note

    You can configure your policy to use advanced classification types such as Fingerprints, Exact Data Match, and trainable classifiers.

  5. Optionally, you can unmask the last four characters of a match. By default, matches are masked and shown in their context, and include the 40 characters before and after the match. If you select this checkbox, it will unmask the last four characters of the match itself.

  6. Leveraging file policies, you can also set alerts and governance actions for the policy. For more information, see file policies and governance actions. Leveraging session policies, you can also monitor and control actions in real-time when a file matches a DCS type. For more information, see session policy.

Setting these policies enables you to easily extend the strength of the Office 365 DLP capabilities to all your other sanctioned cloud apps and protect the data stored in them with the full toolset provided to you by Microsoft Cloud App Security – such as the ability to automatically apply Azure Information Protection classification labels and the ability to control sharing permissions.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.