Enterprise customers can use our BETA integration with Azure Information Protection (AIP) labelled files. It allows certain files to be encrypted at rest at the file level and lets you maintain control over which users can decrypt them.

The AIP integration assumes the following:

  • Your Azure tenant has a valid subscription to AIP.

  • You have created a valid AIP label. The SafeBase app will re-apply a new, email-scoped label for each customer that downloads a protected file.

  1. Reach out to your SafeBase CSM if you are interested in this add-on for your SafeBase instance.

  2. Once the SafeBase team has informed you that AIP is active, please go to the Settings page in the SafeBase app to complete configuration.

    1. You will find a new section called Document Settings, where you can choose Azure Information Protection in the dropdown.

    2. Before you can connect, please enter your Azure Tenant ID. You should be able to find this in your Azure portal Directories + subscriptions settings. Ensure that you are using the ID

    3. Click on the Connect button. An Azure administrator (or other privileged user with permissions to approve new apps) will be required to complete the approval process. The OAuth connection requires the following permissions:

      1. After clicking on Allow, a new service principal will be created that has the following permissions:

        1. UnifiedPolicy.Tenant.Read, which is required to have access to the policy configurations for AIP.

        2. Content.Writer, which is required to create protected content with labels.

        3. Content.SuperUser, which is required to read content that has already been labeled.

        4. Application.Read.All, which is required for SafeBase to be able to log data and read the service configuration for AIP.

  3. After the app is successfully connected, you will be redirected back to the Settings page in the SafeBase app.

  4. Upload your AIP-encrypted files with the appropriate label, one that allows all authenticated users to access the file.

    1. Notify the SafeBase team of the files that are AIP labelled. We will have to mark them as AIP labelled on our end. In the future, this will be automatic.

  5. After this has been completed, the AIP labelled files will have a tooltip distinguishing them from other, non-labelled files. This tooltip will indicate to the user that this file will take slightly longer to download.

  6. These files will be scoped to the domain of the user that downloads the file from your SafeBase Trust Center. Access will expire after 30 days.
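To confirm after step 2.3 that the new service principal holds exactly the four permissions listed above and nothing broader, the grants can be compared against that list. This is an added example, not SafeBase or Microsoft code; it assumes the permissions were granted as application permissions and that you have exported the service principal's appRoleAssignments and each resource's appRoles from Microsoft Graph. All IDs and sample records are constructed.

```python
# The four permissions this page says the service principal receives.
EXPECTED = {
    "UnifiedPolicy.Tenant.Read",
    "Content.Writer",
    "Content.SuperUser",
    "Application.Read.All",
}


def resolve_roles(assignments, resource_app_roles):
    """Turn appRoleAssignment records into permission names.

    assignments: the 'value' array of the service principal's appRoleAssignments.
    resource_app_roles: {resourceId: that resource's appRoles list}.
    IDs that cannot be resolved are kept as 'unknown:<id>' so they are
    reported instead of silently dropped.
    """
    names = set()
    for a in assignments:
        roles = {r["id"]: r["value"]
                 for r in resource_app_roles.get(a["resourceId"], [])}
        names.add(roles.get(a["appRoleId"], "unknown:" + a["appRoleId"]))
    return names


def audit(assignments, resource_app_roles, expected=EXPECTED):
    """Compare granted permissions with the documented set."""
    granted = resolve_roles(assignments, resource_app_roles)
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected),
            "ok": granted == expected}


# Constructed sample export: placeholder IDs, one grant beyond the documented four.
SAMPLE_ROLES = {
    "res-policy": [{"id": "role-1", "value": "UnifiedPolicy.Tenant.Read"}],
    "res-rms": [{"id": "role-2", "value": "Content.Writer"},
                {"id": "role-3", "value": "Content.SuperUser"}],
    "res-graph": [{"id": "role-4", "value": "Application.Read.All"},
                  {"id": "role-5", "value": "Directory.ReadWrite.All"}],
}
SAMPLE_ASSIGNMENTS = [
    {"resourceId": "res-policy", "appRoleId": "role-1"},
    {"resourceId": "res-rms", "appRoleId": "role-2"},
    {"resourceId": "res-rms", "appRoleId": "role-3"},
    {"resourceId": "res-graph", "appRoleId": "role-4"},
    {"resourceId": "res-graph", "appRoleId": "role-5"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES))
```

Re-running the comparison periodically catches permissions added to the service principal after the initial consent.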
