Auditing in the MIP SDK

The Azure Information Protection administration portal provides access to administrator reports. These reports provide visibility on the labels users apply, manually or automatically, across any applications that have integrated the MIP SDK. Development partners leveraging the SDK can easily enable this functionality, allowing information from their applications to surface in customer reports.

Event Types

Three types of events can be submitted via the SDK to Azure Information Protection Analytics: heartbeat events, discovery events, and change events.

Heartbeat Events

Heartbeat events are generated automatically for any application that has integrated the Policy SDK. Heartbeat events include:

  • TenantId
  • Time Generated
  • User Principal Name
  • Name of the machine where the audit was generated
  • Process Name
  • Platform
  • Application ID - Corresponds to the Microsoft Entra Application ID.

These events are useful in detecting applications across your enterprise that are using the Microsoft Information Protection SDK.

Discovery Events

Discovery events provide information on labeled information that is read or consumed by the Policy SDK. These events are useful as they surface the devices, location, and users who are accessing information across an organization.

Discovery events are generated in the Policy SDK by setting a flag when creating the mip::PolicyHandler object. In the example below, the value for isAuditDiscoveryEnabled is set to true. When mip::ExecutionState is passed to ComputeActions() or GetSensitivityLabel() (with existing metadata information and content identifier), discovery information will be submitted to Azure Information Protection Analytics.

The discovery audit is generated once the application calls ComputeActions() or GetSensitivityLabel() and provides mip::ExecutionState. This event is generated only once per handler.

Review the mip::ExecutionState concepts documentation for more details on execution state.

// Create PolicyHandler, passing in true for isAuditDiscoveryEnabled
auto handler = mEngine->CreatePolicyHandler(true);

// Returns vector of mip::Action and generates discovery event.
auto actions = handler->ComputeActions(*state);

// Or, get the label for a given state
auto label = handler->GetSensitivityLabel(*state);

In practice, isAuditDiscoveryEnabled should be true during mip::PolicyHandler construction, to allow file access information to flow to Azure Information Protection Analytics.

Change Events

Change events provide information about the file, the label that was applied or changed, and any justifications provided by the user. Change events are generated by calling NotifyCommittedActions() on the mip::PolicyHandler. The call is made after a change has been successfully committed to a file, passing in the mip::ExecutionState that was used to compute the actions.

If the application fails to call this function, no events will land in Azure Information Protection Analytics.

handler->NotifyCommittedActions(*state);
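
The call order described above, as an added example that is not code from the MIP SDK or from this page. FakeHandler and FakeState are hypothetical stand-ins for mip::PolicyHandler and mip::ExecutionState so the block compiles without the SDK, and ApplyAndAudit is a hypothetical helper that submits the change event only after the commit succeeds, so the audit trail never records a label change that was not written.

```cpp
#include <exception>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-ins for mip::ExecutionState and mip::PolicyHandler.
struct FakeState { std::string contentId; };
struct FakeHandler {
    bool auditDiscovery;
    bool discoverySent = false;
    int discoveryEvents = 0;
    int changeEvents = 0;
    explicit FakeHandler(bool isAuditDiscoveryEnabled) : auditDiscovery(isAuditDiscoveryEnabled) {}
    std::vector<std::string> ComputeActions(const FakeState&) {
        // Discovery audit: only when enabled, and only once per handler.
        if (auditDiscovery && !discoverySent) { discoverySent = true; ++discoveryEvents; }
        return {"constructed-action"};
    }
    void NotifyCommittedActions(const FakeState&) { ++changeEvents; }
};

// Compute actions, let the caller persist them, and submit the change event
// only when the write succeeded, using the same state that produced the actions.
template <class HandlerPtr, class State, class Commit>
bool ApplyAndAudit(HandlerPtr handler, const State& state, Commit commit) {
    auto actions = handler->ComputeActions(state);
    bool committed = false;
    try {
        committed = commit(actions);  // application writes the label to the file
    } catch (const std::exception& e) {
        std::cerr << "commit failed: " << e.what() << "\n";  // nothing to audit
    }
    if (committed) handler->NotifyCommittedActions(state);
    return committed;
}

int main() {
    using Actions = std::vector<std::string>;
    FakeHandler handler(true);
    FakeState state{"constructed-file.docx"};
    ApplyAndAudit(&handler, state, [](const Actions&) { return false; });
    ApplyAndAudit(&handler, state, [](const Actions&) -> bool { throw std::runtime_error("disk full"); });
    ApplyAndAudit(&handler, state, [](const Actions&) { return true; });
    std::cout << "discovery=" << handler.discoveryEvents
              << " change=" << handler.changeEvents << "\n";
    return 0;
}
```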

Audit Dashboard

Events submitted to the Azure Information Protection audit pipeline will surface in reports at https://portal.azure.com. Azure Information Protection Analytics is in public preview and features/functionality may change.

Next Steps