Introduction
Microsoft Purview Information Protection (formerly Microsoft Information Protection, or MIP for short) helps you discover, classify, and protect sensitive information wherever it lives or travels. Its primary strength is tight integration with the Microsoft 365 ecosystem and the ability to classify data at rest. Teramind is a unified endpoint data loss prevention, user activity monitoring, insider threat detection, and productivity optimization solution packed into a single platform. Teramind is very good at preventing data leaks for data in motion and in use.
Why Integrate Teramind and Microsoft Purview
Integrating both products lets you utilize the strengths of each product, fill gaps, and leverage your existing investment while simplifying security and business cases. Adding Teramind to your Microsoft Purview stack gives you several unique advantages:
| Advantage | Purview | Teramind Value Add |
| Extend Your SIT/DLP Library and Simplify DLP Rule Generation | Purview gives you 200+ SIT rules. However, the rules editor isn't as intuitive or flexible and might require PowerShell and XML to tune. | Teramind comes with a large library of behavior policies and rules (350+ MITRE rules alone). Its visual rules editor makes creating complex rules a breeze. |
| Supercharge Data Discovery | Purview is good for discovering data at rest and comes with an auto-labeling feature. However, scan results are often stale, and Purview labels can take up to 48 hours to activate. | Teramind offers on-the-fly content detection without requiring time-consuming data-at-rest scans. Labels are applied immediately, and all activity tracking and rule enforcement are real-time too. |
| Expand the Data Classification Scope | Purview requires Microsoft 365 and is highly suitable for Office documents, Outlook emails, and SharePoint repositories. However, a separate AIP scanner product is needed for classifying on-prem data, and the scanner supports only a fixed number of file types. | Teramind comes with a built-in classification library for PII, PHI, PFI, code snippets, etc. that can be applied to any document or data stream, such as email content, webpages, IMs, etc. There is no need for a scanner and no limit on file types. |
| Get Greater Threat Context | Purview helps you discover and classify data, but that information is very transactional, and Purview has difficulty identifying certain types of threats such as insider threats, fraud, and workflow/productivity issues. | Teramind provides additional context to the data via comprehensive activity reports, BI analytics, and screen recordings. Features like OCR complement Purview's threat-hunting capabilities by identifying risks of sensitive data exposure. |
| Conduct Security Orchestration with Extended Integrations | Purview is tightly integrated with the Microsoft ecosystem, including DLP, Defender, Sentinel, etc. However, its third-party support is often patchy and requires significant implementation effort. | Teramind supports integration with a range of SIEM, PM, log analytics, service management/helpdesk, third-party analytics, HRM systems, and more. By using Teramind as the central hub, you aggregate security intelligence from Purview, Teramind, and other parties. |
Prerequisites
An Azure account.
The Azure account must be at least a Cloud Application Administrator.
Access to an Entra Tenant. You can find instructions on how to create one on the Microsoft Entra Documentation Portal.
Step 1: Register an Application
To get started with integrating Microsoft Purview you will need to register an application in Microsoft Entra. Registering your application establishes a trust relationship between your app and the Microsoft identity platform.
Follow the instructions below to register an application on Microsoft Entra:
1.1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
1.2. If you have access to multiple tenants, click the Settings icon at the top.
1.3. Select the Directories + subscriptions tab on the left.
1.4. Click the Switch button next to a tenant in which you want to register the application.
1.5. Select Identity > Applications > App registrations from the menu on the left.
1.6. Click New registration.
1.7. Enter a display Name for your application.
1.8. Under the Supported account types section, select the Accounts in this organizational directory only option.
1.9. Click the Register button. When registration finishes, you will see the app registration's Overview tab:
1.10. Copy/save the Application (client) ID and Directory (tenant) ID. You will need them in Step 6: Configure the Database.
Step 2: Add API Permissions
The MIP SDK uses backend Azure services for labeling and protection. The integration requires two services:
Azure Rights Management Service: required by the application to read and inspect protection settings.
Microsoft Graph: exposes REST APIs and client libraries to access data on various Microsoft cloud services.
Both of these services come with two types of permissions:
Application Permissions: allow the application to act as its own entity, rather than on behalf of a specific user.
Delegated Permissions: allow the application to perform actions on behalf of a particular user.
Follow the instructions below to set up the API permissions:
2.1. Select Identity > Applications > App registrations from the menu on the left.
2.2. Select the All applications tab.
2.3. Click your app Display name to open it.
2.4. Select the API permissions tab on the left.
2.5. Click the Add a permission button under the Configured permissions section. The Request API permissions panel will open:
2.6. Under the Microsoft APIs tab, select Microsoft Graph.
2.7. Both of the APIs come with two types of permissions: Delegated permissions and Application permissions. Search for the permissions according to the table below:
Microsoft Graph
| Permission | Type | Description |
| InformationProtectionPolicy.Read | Delegated | Allows the application to read sensitivity labels and label policy settings on behalf of the signed-in user. |
| InformationProtectionPolicy.Read.All | Application | Allows the application to read sensitivity labels and label policy settings for the entire organization or a specific user, without a signed-in user. |
| User.Read | Delegated | Allows users to sign in to the application, and allows the application to read the profile of signed-in users. It also allows the application to read basic company information of signed-in users. |
2.8. Once you find the right permission, click the Checkmark in front of the permission to select it.
2.9. Repeat Steps 2.7 – 2.8 until you have selected all the permissions, then click the Add permissions button to add them.
2.10. Repeat Steps 2.5 – 2.9, but this time select Azure Rights Management Service in Step 2.6 and follow the table below for the permissions:
Azure Rights Management Service
| Permission | Type | Description |
| Content.DelegatedReader | Application | Allows the application to decrypt and read content in the context of the user. |
| Content.SuperUser | Application | Allows the application to read protected content on behalf of a user. |
| user_impersonation | Delegated | Allows the application to create and access protected content for the user. |
At the end of the above steps, you should see a screen like the one below with all the required permissions added:
Step 3: Add a Client Secret
Credentials and client secrets are used by confidential client applications that access a web API. Credentials allow the application to authenticate as itself, requiring no interaction from a user at runtime. Similar to a password, a client secret is a unique string value.
Follow the instructions below to set up a client secret:
3.1. Select Identity > Applications > App registrations from the menu on the left.
3.2. Select the All applications tab.
3.3. Click your app Display name to open it.
3.4. Select the Certificates & secrets tab on the left.
3.5. Select the Client secrets tab.
3.6. Click the New client secret button. The Add a client secret panel will open:
3.7. Enter a Description for the client secret and select the Expires period. Note that you can specify a maximum value of two years for the Expires date.
3.8. Click the Add button to add the client secret.
3.9. Copy/save the Value (you can click the Copy icon to copy it to the clipboard) and the Expires date. You will need them in Step 6: Configure the Database.
Please save the secret Value in a safe place. You will not be able to view or copy it later once you leave or refresh the page.
Step 4: Create Sensitivity Labels
With Microsoft Purview, you can create sensitivity labels such as Public, Confidential, Secret, etc. and publish them. These labels can then be assigned to files from Microsoft 365 apps or via the Azure Information Protection Utility (see Step 5: Classify Documents).
Follow the instructions below to create sensitivity labels:
4.1. Sign in to the Purview portal.
4.2. Select Information Protection from the menu on the left.
4.3. Select Sensitivity labels.
4.4. Create labels by clicking the Create a label button.
4.5. Publish labels by clicking the Publish labels button.
Notes
You can have a two-level hierarchy for labels: main and sub-labels. For example, Confidential > HR Confidential.
It can take from 1 hour to 48 hours for the labels to become active, depending on whether a new group is being populated or group membership is changing, and on network replication latency and bandwidth restrictions.
More information about creating labels can be found on the Microsoft Purview Documentation Portal.
Step 5: Classify Documents (optional)
If you haven't used the Auto-labeling for files and emails feature when creating the sensitivity labels, or if you want to classify file types beyond MS Office, you can manually classify documents using one of the methods below.
Option 1: Using the Microsoft 365 Classification Feature
Microsoft 365 Apps for Enterprise has built-in support for classifying files. When you launch an Office app such as Word, you can apply sensitivity labels when opening or editing a document:
More information about applying labels this way can be found on the Microsoft Support Portal.
Option 2: Using the Purview Information Protection Client
Microsoft Purview Information Protection client is a utility that allows you to classify and label files manually. It extends sensitivity labels beyond features that are built into Microsoft 365 apps. For example, it can be used with File Explorer, PowerShell, and the on-premises scanner. It supports a wide range of file types and comes with a viewer for encrypted files.
After installing the client, you can, for example, classify files from the Windows File Explorer:
More information about the client can be found on the Microsoft Purview Documentation Portal.
Step 6: Configure the Database
To enable the integration, the following keys need to be added to the Teramind kv_store table:
| Key | Description |
| | Your Entra account ID. For example, |
| | The Directory (tenant) ID you copied in Step 1.10. |
| | The Application (client) ID you copied in Step 1.10. |
| | The Client Secret Value you copied in Step 3.9. |
| | The Client Secret Expire Date you copied in Step 3.9. The server uses it to check the lifetime of the Client Secret and writes warnings to the server log. The format is: |
| | The period (in minutes) for refreshing the profile from the Purview/MIP subsystem, which contains an up-to-date list of available labels. The default value is |
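The values gathered in Steps 1, 3 and 6 are easy to mistype, and the server-side secret-lifetime warning described above is worth reproducing before the secret actually expires. The following Python script is an added example, not Teramind's or Microsoft's code: it sanity-checks a kv_store-style configuration (GUID shape of the IDs, presence of the secret, and an expiry check that mirrors the warning described in the table) and builds the OAuth 2.0 client-credentials request that a confidential client uses to obtain a Microsoft Graph token with the application permissions from Step 2. The dictionary key names are assumed placeholders because the page elides Teramind's actual keys, the expiry date format is assumed to be ISO 8601 (YYYY-MM-DD) because the page does not show it, and the Graph beta path for listing labels is an assumption to verify against current Microsoft Graph documentation.

```python
import json
import re
import urllib.parse
import urllib.request
from datetime import date, datetime, timedelta

# Tenant and client IDs shown on the app registration's Overview tab are GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_guid(value: str) -> bool:
    return bool(GUID_RE.match(value))


def _parse_day(day: str) -> date:
    # Assumed format: ISO 8601 YYYY-MM-DD (the page does not show the real format).
    return datetime.strptime(day, "%Y-%m-%d").date()


def secret_status(expires: str, today: str, warn_days: int = 30) -> str:
    """Lifetime check modelled on the server-side warning described in Step 6.
    Returns 'expired', 'expiring' (within warn_days) or 'ok'; raises ValueError
    on a date that does not parse."""
    exp, now = _parse_day(expires), _parse_day(today)
    if exp < now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def validate_config(cfg: dict, today: str) -> list:
    """Return a list of problems found in a kv_store-style config; empty means OK.
    Key names below are placeholders; Teramind's actual keys are elided on the page."""
    problems = []
    if not is_guid(cfg.get("tenant_id", "")):
        problems.append("tenant_id is not a GUID")
    if not is_guid(cfg.get("client_id", "")):
        problems.append("client_id is not a GUID")
    if not cfg.get("client_secret"):
        problems.append("client_secret is empty")
    expires = cfg.get("client_secret_expires", "")
    try:
        status = secret_status(expires, today)
    except ValueError:
        problems.append("client_secret_expires is not in YYYY-MM-DD form")
    else:
        if status != "ok":
            problems.append(f"client secret is {status} ({expires})")
    return problems


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """OAuth 2.0 client-credentials grant against the Microsoft identity platform
    v2.0 token endpoint. The .default scope requests the application permissions
    granted in Step 2 (for example InformationProtectionPolicy.Read.All)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


# Assumed Graph endpoint for listing the tenant's labels with an application token.
LABELS_URL = "https://graph.microsoft.com/beta/security/informationProtection/sensitivityLabels"


def fetch_sensitivity_labels(tenant_id: str, client_id: str, client_secret: str) -> list:
    """Network call (not exercised offline): acquire a token, then list label names.
    An HTTP 401/403 here usually means the Step 2 permissions are missing or not consented."""
    url, form = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(LABELS_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return [label["name"] for label in json.load(resp)["value"]]


# Constructed sample config with placeholder values (not real credentials).
SAMPLE_CONFIG = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "PLACEHOLDER-SECRET-VALUE",
    "client_secret_expires": "2026-06-30",
}

if __name__ == "__main__":
    for line in validate_config(SAMPLE_CONFIG, date.today().isoformat()) or ["config looks fine"]:
        print(line)
```

Run the validation against the values you intend to store before touching kv_store; once it passes, `fetch_sensitivity_labels` is a quick way to confirm that the registration, the Step 2 application permissions and the secret work end to end, and the label names it returns are the ones you will select in Step 8.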
Step 7: Deploy the Custom Agent
A custom Teramind Agent will be provided to you that has the Microsoft Purview/MIP capability. Please deploy it to your target computers.
For more information about installing the Teramind Agent, check out this article: How to download and install the Teramind Agent.
Step 8: Create Behavior Policies & Rules
You are now ready to create behavior policies and rules with the Purview/MIP labels from your Teramind Dashboard.
8.1. Create or edit a rule. Select Content sharing for the SELECT THE TYPE OF RULE field.
8.2. Select FILES and/or EMAILS from the Types of Content section.
8.3. Select the Content tab.
8.4. Select MIP label from the SELECT WHAT MAKES THIS DATA SENSITIVE drop-down list.
8.5. Select Equals, Contains, etc. from the SELECT MATCH TYPE list.
8.6. Add sensitivity labels in the SPECIFY VALUE field.
8.7. Configure the rest of the rule, and click the CONTINUE button to move between tabs. Click SAVE & LAUNCH RULE to save the rule.
For more information about Behavior Policies & Rules, check out the Rules Guide.
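To make the rule semantics of Step 8 concrete, here is an added Python model of how a Content sharing rule keyed on a MIP label can be evaluated against file and email sharing events. It is illustration code, not Teramind's rule engine or schema: the event fields, the "/" separator used to write the main > sub-label hierarchy from the Step 4 notes as one string, and the exact Equals/Contains behaviour are assumptions, and the events are constructed sample data.

```python
from dataclasses import dataclass

# Assumed separator for writing a main label and its sub-label as one path.
SEP = "/"


@dataclass
class LabelRule:
    """One Content sharing rule as configured in Step 8 (modelled, not Teramind's schema)."""
    match_type: str                                            # "Equals" or "Contains" (SELECT MATCH TYPE)
    values: list                                               # entries from the SPECIFY VALUE field
    content_types: frozenset = frozenset({"FILES", "EMAILS"})  # Types of Content


def label_matches(label: str, rule: LabelRule) -> bool:
    """Equals: the full label path must equal one rule value (case-insensitive).
    Contains: any rule value appearing anywhere in the path matches, so the main
    label 'Confidential' also covers the sub-label 'Confidential/HR Confidential'."""
    if not label:
        return False  # unlabeled content never matches a label rule
    path = label.casefold()
    wanted = [v.casefold() for v in rule.values]
    if rule.match_type == "Equals":
        return path in wanted
    if rule.match_type == "Contains":
        return any(v in path for v in wanted)
    raise ValueError(f"unsupported match type: {rule.match_type}")


def evaluate(events: list, rule: LabelRule) -> list:
    """Return the names of the sharing events the rule fires on."""
    return [
        event["name"]
        for event in events
        if event["type"] in rule.content_types and label_matches(event.get("label", ""), rule)
    ]


# Constructed sample events (not real monitoring data).
SAMPLE_EVENTS = [
    {"type": "FILES", "name": "payroll.xlsx", "label": "Confidential" + SEP + "HR Confidential"},
    {"type": "FILES", "name": "brochure.pdf", "label": "Public"},
    {"type": "EMAILS", "name": "board-minutes.msg", "label": "Secret"},
    {"type": "FILES", "name": "notes.txt", "label": ""},
    {"type": "EMAILS", "name": "offer-letter.msg", "label": "Confidential"},
]

# Equals on the exact labels, for files and emails.
STRICT_RULE = LabelRule("Equals", ["Confidential", "Secret"])
# Contains on the main label, files only, so sub-labels are caught too.
BROAD_RULE = LabelRule("Contains", ["Confidential"], frozenset({"FILES"}))

if __name__ == "__main__":
    print("strict:", evaluate(SAMPLE_EVENTS, STRICT_RULE))
    print("broad:", evaluate(SAMPLE_EVENTS, BROAD_RULE))
```

The two rules show the practical difference between the match types: Equals on a main label misses documents carrying one of its sub-labels, while Contains catches the whole hierarchy, so choose Contains when the rule should cover "Confidential > HR Confidential" as well as "Confidential".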