1

It is not possible for me with the given protection functions, to protect a document (pdf, docx) in a way that it shows the visual marking defined in the azure portal.

By using the Microsoft Information Protection (MIP) SDK I'm able to read the labels and protect documents in accordance. If I Set the visual marking in the azure portal for 'footer' 'header' or 'watermark' and save it and publish it, the generated documents by applying the label with protection doesn't show the header,footer or watermark information in the protected document. Even if I print out, no header, footer or watermark is shown. How need the protection here be done, in order that the visual markings are show in the document how it was defined in the azure portal? Is there a way to read the 'visual marking' information out of the label information?

Get the labels by using Microsoft.InformationProtection.File

labels = engine.SensitivityLabels;

Protect the documents with

        handler = CreateFileHandler(options,options.InputFileStream);

        // Use the SetLabel method on the handler, providing label ID and LabelingOptions
        // The handler already references a file, so those details aren't needed.
        handler.SetLabel(options.LabelId, labelingOptions);

        // The change isn't committed to the file referenced by the handler until CommitAsync() is called.
        // Pass the desired output file name in to the CommitAsync() function.

           var result = Task.Run(async () => await handler.CommitAsync(options.OutputFileStream)).Result;
      //  var result = await handler.CommitAsync(options.OutputFileStream);
        options.FileName = handler.OutputFileName;

The protection works, but no visual markings are shown in the protected document as it would be expected

I would expect that the protected documents have the header, footer, watermark information as defined for the label in the azure portal.

Frank
  • 21
  • 3

2 Answers2

2

I'm on the MIP SDK team at Microsoft.

While we do support writing file protection and MIP label metadata, we don't support writing the content marking in the SDK today.

When you use the SDK to apply the label to an Office document, the next time that document is opened and saved in Office, the content marking will be applied. This is also possible with PDF, but depends upon the consuming application being MIP aware.

We may look at this in the future, but for now we don't have plans to add more than what is listed above (apply at save with AIP client).

If you'd like to submit feedback on this, head to UserVoice and submit an idea!

Tom Moser
  • 748
  • 3
  • 5
  • 1
    Thank you Tom. Because I also protect my own generated files, I would need this label metadata for the visual marking. I want to make the visual marking by myself for these documents. I can't find it in the Microsoft.InformationProtection.Label object. How can I access this visual marking information metadata? – Frank Sep 04 '19 at 07:24
  • I don't have a sample published for the policy API, but you can use Microsoft.InformationProtection.Policy in a pattern similar to the C++ version to call ComputeActions(). This will return the action metadata. I'll work on a policy sample for .NET today or tomorrow and try to get something posted. Our samples are all located here: https://aka.ms/mipsdksamples – Tom Moser Sep 05 '19 at 16:57
  • Take a look at this sample. It's not in Azure Samples, yet, as I was having trouble getting the repo provisioned today. I'll move it there eventually, but this is a start. https://github.com/tommoser/MipSdk-Dotnet-Policy-Quickstart/ That will show you how to supply state information to the ComputeActions() function. That function returns a set of actions and from those actions you'll be able to get the marking information. Make see to update the GetSupportedActions() method in ExecutionStateImplementation if you need things like header, footer, watermark. – Tom Moser Sep 05 '19 at 21:19
  • Thank you Tom. It works with all attributes (size, color,...) as I wanted to. Perfect. Just for the other readers here - it is required to have the UnifiedPolicy.User.Read to be permitted in the API Permission in the Azure Portal for the APP. (I've started with MipSdk-Dotnet-File-ServicePrincipalAuth example, and therefore only the UnifiedPolicy.Tenant.Read activated before) – Frank Sep 12 '19 at 07:44
0

It takes some time for changes to reflect. Also, if you are using O365 make sure you set the changes in the O365 Security and Compliance Center Link

Garima
  • 401
  • 5
  • 29
  • In order to be sure that the updated label is used, I've also now changed the name and the description of the label. I've seen that I get the updated label (with visual marking activated). I tried protection on pdf and docx. In the MS-word in the yellow bar for the protection the new name was also visible. For pdf the acrobat reader was used to view the protected document. Still I don't get any visual marking in the protected documents. I've also tried again to print out the documents, for the case it is only visible in the prints. But also here, no visual marking was present. – Frank Aug 23 '19 at 08:12
  • Ah are you using O365 compliance center? Also, if you apply new label manually on docx, does the header, footer, watermark comes? – Garima Aug 23 '19 at 08:31
  • Yes I use the O365 compliance center - it was required for me to get it working. I activated also the unified labeling in azure. Unfortunately I can not manually apply the labels, since my MS-word version doesn't allow this. – Frank Aug 23 '19 at 08:44
  • Do one thing, install AIP on your machine which will give the capability to apply labels manually. That way you can check first before proceeding. – Garima Aug 23 '19 at 09:36
  • Good input! I labeled with the AIP a pdf, and a docx. In both cases no visual marking was visible in the document. Than I removed and added the label in the MS-word. By this action the visual marking appeared! For me this means that the AIP as well as the MIP sdk doesn't label the documents in accordance to visual marking. They only label and protect it. Is there a way at least get the visual marking information of the label, since I also generate some documents by code? – Frank Aug 23 '19 at 10:28
  • That's weird because when I applied a label using MIP SDK, it provided watermark. I hope you are using single account to do all this and the labels are published to all users. I wrote a blog on all things I did, you might want to check the code - https://mysharepointlearnings.wordpress.com/2019/07/20/working-with-c-mip-sdk/ – Garima Aug 23 '19 at 10:30
  • I've investigated your code. I've not found the SetLabel function, only the DeleteLabel therefore I couldn't compare this code snipped. Really strange for me is, that it protects the document and doesn't throw any exception and just not completes the task fully. Also the AIP protects and labels it without visual marking and makes no failure message at all - and even more strange that it makes the visual marking for you with the same Software (the AIP). This currently makes for me the result of the protection somehow unpredictable. – Frank Aug 24 '19 at 08:09
  • Yes the code is for delete but I used exactly the same for setting label too. Try raising a ticket with MS in this case. I am able to make it work after installing AIP software and it works both manually and programmatically. I think we are missing something very small. – Garima Aug 26 '19 at 04:12
  • 1
    I'll try to contact MS. Thank you very much for your support. – Frank Aug 26 '19 at 09:49