Views:

To provision an account for Microsoft Information Protection (MIP) on the Cloud App Security management console, you need to have one of the following licenses which include a MIP service plan:

  • Microsoft 365 E5/A5/G5/E3/A3/G3
  • Office 365 E5/A5/E3/A3
  • Information Protection for Office 365 - Standard
  • Information Protection for Office 365 - Premium

The steps outlined below detail how to provision an account for Microsoft Information Protection.

  1. Log on to the Cloud App Security management console.
  2. Go to Administration > Service Account.
  3. Click Add, hover over the organization for which you need to provision services, and select Microsoft Information Protection from the list that appears on the right side.
     
    Microsoft Information Protection appears in the list only if you have provisioned a service account for at least one of the SharePoint Online, OneDrive, Microsoft Teams (Teams), Microsoft Teams (Chat), and Exchange Online services.
     
  4. Provision a Microsoft Information Protection account.
    1. Click Click here at the end of Step 1.
    2. On the Microsoft logon screen that appears, specify your Office 365 Global Administrator credentials to sign in.
    3. On the authorization screen that appears, click Accept to grant Cloud App Security the permission.
  5. Go back to the management console as instructed and click Done.
  6. Hover over the notification icon in the upper-right corner of the management console.

    If the message "You have provisioned for Microsoft Information Protection." appears on the Notifications screen, the provisioning is successful.

For administrators that have provisioned an RMS account, Cloud App Security allows you to migrate to a Microsoft Information Protection (MIP) account for enhanced protection provided that you have one of the following licenses which include a MIP service plan:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium
  • Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium
  • Enterprise Mobility + Security E3/E5
  • Office 365 E5/A5/E3/A3/F3
  • Azure Information Protection Plan 1
  • Azure Information Protection Plan 2
  1. Choose Administration > Service Account.
  2. In the Status column of an RMS account, click Migrate to Microsoft Information Protection Account.
  3. Provision a Microsoft Information Protection account for Cloud App Security to implement enhanced protection.
    1. Click Click here at the end of Step 1.
    2. On the Microsoft logon screen that appears, specify your Office 365 Global Administrator credentials to sign in.
    3. On the authorization screen that appears, click Accept to grant Cloud App Security the permissions.
  4. Go back to the management console.
  5. Remove the RMS account by specifying the Office 365 Global Administrator credentials used for provisioning the RMS account, and click Verify.
     
    If an authentication error occurs, you can still click Done to only remove the RMS account from Cloud App Security. This does not remove the RMS account from your Office 365 services.
     
  6. Click Done.

    After the process is completed, the RMS account changes to a MIP account.

  1. Choose Administration > Service Account.
  2. Select the RMS account and click Remove.

    Alternatively, you can click Remove Account in the Status column.

  3. Click OK to confirm the removal.
  4. Optionally, on the Remove RMS Account screen that appears, specify your Office 365 Global Administrator credentials (email address and password) used when creating the account, and then click OK.
     
    This step will not appear if there is a SharePoint Online Delegate Account provisioned and this Delegate Account is already promoted to the Global Admin role.
     
    After the RMS account is removed, Cloud App Security will not scan and protect the Azure RMS-protected files shared in SharePoint Online, OneDrive, and Microsoft Teams (Teams).

The steps outlined below detail how to deprovision a Microsoft Information Protection account.

  1. Choose Administration > Service Account.
  2. Select the Microsoft Information Protection account and click Remove.
  3. On the Remove Microsoft Information Protection screen that appears, click OK.
     
    Microsoft Information Protection can be deprovisioned only if you have not specified the Apply sensitivity label or Remove sensitivity label action in any Data Loss Prevention policy of your organization.
    To quickly find out whether the Apply sensitivity label or Remove sensitivity label action is specified in a Data Loss Prevention policy, check whether the policy has a "Microsoft Information Protection enabled" mark on it.
     
Keywords: Cloud App Security, MIP account, RMS account, enhance protection, how to