We are excited to announce that Rubrik DSPM now supports Microsoft Information Protection (MIP) sensitivity labels. This integration helps our joint customers to better track and secure files with sensitive data – both within and outside of Microsoft environments. 

MIP labels are used by organizations to map sensitive data within their Microsoft environment, control access to that data, and enable protection settings such as encryption. Because MIP labels are stored within the files themselves and labels travel with the data, they can be used to control data movement across different platforms and devices. You can integrate MIP labels with data leak prevention (DLP) and cloud access security broker (CASB) tools. 

By integrating with MIP, Rubrik DSPM enables customers to identify and correct mislabeled sensitive files and to apply MIP labels to unlabeled sensitive files. These new capabilities help customers improve their data security posture and reduce the risk of data exfiltration.

Extend MIP Labels to More Data and Environments

Rubrik DSPM automatically and continuously discovers known and unknown data – structured and unstructured – across Azure, AWS, GCP, Snowflake, and other SaaS platforms. Customers who are primarily in the Microsoft ecosystem and mostly use Azure or Microsoft 365 might already have adopted data labeling via Microsoft Purview. To leverage that existing process and extend it to the rest of your data estate, Rubrik has created a native integration for MIP labels.


The integration focuses on identifying sensitive data that is missing MIP labels or has been incorrectly labeled. This feature is supported for a broad set of file types across the workloads that Rubrik DSPM supports.

Purview provides MIP labeling for data in the Microsoft ecosystem. However, customers need to manage sensitive data throughout their broader estate. With Rubrik DSPM’s MIP integration, customers can now detect mislabeled or unlabeled data and apply MIP labels to files outside of their Microsoft ecosystem, such as files stored on AWS.

In addition, Rubrik DSPM allows you to identify and apply MIP labels on both existing (historic) and newly created or modified data.

How It Works

Rubrik DSPM uses a policy framework that continuously evaluates your current data estate and identifies any violations against built-in and custom policies.

As a part of the integration, customers can now create policies that identify missing MIP labels or MIP labels that don’t match Rubrik DSPM classification.

In this case, the evaluation of the policy has triggered seven violations across various data sources, one of which is a SharePoint Drive. The details of the violation show which files contain sensitive information, but were not properly labeled using MIP. The details of the file itself will show the current MIP label, if any, so you can easily verify any potential mismatch and start the remediation process by labeling the data appropriately. 

Create Custom MIP Policies

You can easily customize how MIP labels are validated via the Rubrik DSPM policy system. This allows you to leverage the Rubrik DSPM data classification in conjunction with conditional, existing or non-existing MIP labeling, to determine the right outcome for your organization.

In this case, the policy dictates that a Rubrik DSPM sensitivity classification of “restricted” combined with a lower-level MIP label (i.e., not labeled as “confidential”) results in a policy violation alert, which you can then remediate.

Remediate MIP Misconfigurations

In order to apply a missing MIP label or correct a mismatch based on the Rubrik DSPM classification, you can apply the label to files on AWS S3, either individually or in bulk, directly from the Rubrik DSPM UI. MIP labels are applied to the files directly (as metadata), enabling other security tools to utilize the label wherever the file lives. The newly applied MIP labels are valid for existing workflows.


The amount of data that a typical organization needs to manage, classify, and secure is becoming a superhuman problem. Therefore, the more automation we can introduce, the better. By automatically validating MIP labeling across the entire estate and helping you correctly label your sensitive data, we can greatly reduce the toil on your IT and security operations teams, and simultaneously improve your overall data security posture.

Rubrik’s integration with MIP is part of a long-standing strategic relationship with Microsoft. Rubrik already has numerous integrations with Microsoft across the Rubrik Security Cloud, including M365 data management, integration with Microsoft Sentinel and Security Copilot, support for Azure and Hyper-V, and our jointly engineered Rubrik Cloud Vault solution built atop Microsoft Azure Blob Storage.