Search <book_title>...

Arctera Insight Information Governance Administrator's Guide

Last Published: 2025-11-24

Product(s): Data Insight (7.2)

Platform: Windows

Section I. Getting started
1. Introduction to Arctera Insight Information Governance administration
  1. About Arctera Insight Information Governance administration
    1. Operation icons on the Management Console
    2. Information Governance administration tasks
2. Configuring Information Governance global settings
Section II. Configuring Information Governance
Section III. Configuring native file systems in Information Governance
Section IV. Configuring SharePoint data sources
1. Configuring monitoring of SharePoint web applications
2. Configuring monitoring of SharePoint Online accounts
Section V. Configuring cloud data sources
Section VI. Configuring Object Storage Sources
1. Amazon S3
Section VII. Health and monitoring
1. Using Arctera Insight Information Governance dashboards
2. Monitoring Information Governance
Section VIII. Alerts and policies
1. Configuring policies
Section IX. Remediation
1. Configuring remediation settings
Section X. Reference

Configuring Microsoft Purview Information Protection (MIP) Label

Microsoft Purview Information Protection (MIP) is a built in, intelligent, unified and extensible solution to protect sensitive data. MIP technology integration allows adding labels to the documents. The label might have a policy to restrict access to the sensitive documents.

Note:

Set MIP label action is supported only for CIFS devices.

When the Management Server or Collector node is connected to the internet, it is advisable to configure MIP label in the online mode. If the Management Server or Collector node do not have internet access or have a firewall, you can opt for an Offline mode. Information Governance recommend the Online mode because of the ease in configuration of MIP label functionality as compared to the offline mode.

In Information Governance, you can configure MIP labels in Online and Offline mode.

Note:

Microsoft's Azure Unified Client is now Microsoft Purview Information Protection Client. Install this new client for labeling files.

Automated policy creation for MIP labels

Information Governance has automated the policy creation for MIP labels. To use this feature, you need to download list of MIP Labels either using PowerShell scripts or manual steps.

Set/Remove MIP Labels via Proxy

To enable proxy support for Set and Remove MIP label operations, save the following proxy configurations in the configuration database at the global level.

Configuration Parameters

set.remove.mip.proxy.enabled	Enable or disable proxy support for Set/Remove operations.
set.remove.mip.proxy.ip	Proxy IP address.

set.remove.mip.proxy.port	Proxy port number.
set.remove.mip.proxy.user	Proxy username.
set.remove.mip.proxy.password	Proxy password.

Note:

The user and password properties for the proxy are required for basic authentication. When using a proxy to set or remove MIP labels, ensure that the password is encrypted using Information Governance Hash Utility. See Information Governance Hash Utility.

Downloading Policy.xml containing list of MIP Labels

To download the Policy.xml containing list of MIP Labels, login to the machine with internet connection and open PowerShell in elevated mode (Run as administrator).

Note:

The machine should have Microsoft Purview Information Protection Client and .NET Framework 4.6.2 or higher installed.

Downloading the Policy.xml file, which contains the list of MIP labels, can be done either by executing PowerShell script or by performing manual steps. You can try either one to download the Policy.xml file.

Executing PowerShell script:
- App Authentication method: Create Azure Application by following the steps given at https://learn.microsoft.com/en-us/powershell/azure/aip/setup-information-protection-client-powershell?view=azureipps#create-and-configure-microsoft-entra-applications-for-set-authentication and then execute the following script:
```
param (
	[parameter(Mandatory=$true)]
    [string]$filePath,
    [parameter(Mandatory=$true)]
    [string]$AppID,
    [parameter(Mandatory=$true)]
    [string]$AppSecret,
    [parameter(Mandatory=$true)]
    [string]$TenantId,
    [parameter(Mandatory=$true)]
    [string]$DelegatedUser
 )

 $creds = Get-Credential

Set-Authentication -AppId $AppID -AppSecret $AppSecret 
-TenantId $TenantId 
-DelegatedUser $DelegatedUser

Export-DebugLogs -FileName $filePath
Clear-Authentication
```
  Note:
  Make sure the following command comes in a single line:
  Set-Authentication -AppId $AppID -AppSecret $AppSecret -TenantId $TenantId -DelegatedUser $DelegatedUser
  After running the script, you will be prompted to enter the location where you want to download .zip file. For example, c:\temp\MIPlabel.zip
  Enter Admin credentials of the machine where PowerShell is running.
  Enter App ID, App Secret, Tenant ID and Delegate User credentials
  Note:
  Make sure UnifiedPolicy.Tenant.Read permission is granted while creating an application.
- User Authentication method: Execute the following script:
```
param (
	[parameter(Mandatory=$true)]
    [string]$filePath
 )

 $creds = Get-Credential

Set-Authentication -OnBehalfOf $creds
Export-DebugLogs -FileName $filePath
Clear-Authentication
```
  After running the script, you will be prompted to enter the location where you want to download .zip file. For example, c:\temp\MIPlabel.zip
  Enter Admin credentials of the machine where PowerShell is running.
  After authentication, one more Microsoft pop up will appear.
  Enter Azure User credentials, having minimum roles of Information Protection Reader and Sensitivity Label Reader.
- After fetching MIP Labels, open the ZIP file.
- Navigate to the MSIP folder and copy any files that have an .xml file name extension.
- (Only applicable for offline mode) Paste these files into the %localappdata%\Microsoft\MSIP folder on the Management Server node.
Performing Manual Steps:
- For the App Authentication method: Create Azure Application by following the steps given at https://learn.microsoft.com/en-us/powershell/azure/aip/setup-information-protection-client-powershell?view=azureipps#create-and-configure-microsoft-entra-applications-for-set-authentication.
- For the User Authentication method:
  - Execute the following command Set-Authentication -OnBehalfOf.
  - A pop-up will appear.
  - Enter the Admin credentials of the machine where PowerShell is running.
  - After authentication, one more Microsoft pop-up will appear.
  - Enter the Azure User credentials, having minimum roles of Information Protection Reader and Sensitivity Label Reader.
- Execute the following command: Export-DebugLogs -FileName <File location where we want to export logs>
  Note:
  The file extension should be .ZIP. For example: C:\Policy.zip
- Execute the following command Clear-Authentication
- Navigate to the MSIP folder and copy any files that have an .xml file name extension.
- (Only applicable for offline mode) On the Management Server node, paste these files into the %localappdata%\Microsoft\MSIP folder, where %localappdata% is the AppData folder of the domain user account, through which the workflow services are running. For example, c:\Users\<domain user>\AppData

Please take note of the following:

You will not be able add any protected label (properties like encrypted mode) to files.
You will not be able configure any MIP label to encrypted files.
Labels which have Allow offline access property set to Never or Some days will not be applied as Information Governance supports only offline mode.

After completing the above steps, you can move on to automating policy creation or applying MIP labels, either in online or offline mode.

To automate policy creation of MIP labels:

Save the Policy.xml file at <Datadir>/tmp/Policy.xml.
Navigate to Settings > Remediation > Data Management and click Configure Microsoft Purview Information Protection (MIP) Label.
Enable Set/Remove MIP label action box should be checked.
If you are opting for Online mode, enter the required credentials.
Click OK.

After clicking OK, a pop-up will appear notifying you that a job has been initiated to create policies for the new labels in the Policy.xml file.

You can navigate to Settings > Events tab to check the status of the triggered job.

All the newly created policies will have MIPCustomPolicy as the prefix and they will be in the disabled mode. Enable the required policies via Policy Manager under the Settings tab to use the MIP labeling..

To configure MIP label on a collector node:

MIP Labeling action is also supported on the collector node. It is recommended to use a collector node to set or remove MIP labels as the collector node is closer to the data source. It also helps in balancing the load and freeing up the Management server for other tasks.

For an existing collector node where workflow services are running:
- Install Microsoft Purview Information Protection Client
- Restart the workflow service

Online mode

Prerequisites

On the Management Server:
- Install .NET Framework 4.6.2 or higher
- Install Microsoft Purview Information Protection Client executable using https://learn.microsoft.com/en-us/azure/information-protection/rms-client/install-unifiedlabelingclient-app
Keep Policy.xml file at <Datadir>/tmp/Policy.xml. You will get this file after Downloading list of MIP Labels. See Downloading Policy.xml containing list of MIP Labels.
Create Azure Application by following the steps given at https://learn.microsoft.com/en-us/powershell/azure/aip/setup-information-protection-client-powershell?view=azureipps#create-and-configure-microsoft-entra-applications-for-set-authentication.

To configure MIP labels in Online mode:

Log in to Information Governance console and click Settings > Remediation > Data management in the left pane.
Click Configure Microsoft Purview Information Protection (MIP) Label and then click Edit in the right pane.
You can select either User scan credentials or Select user in the Run As field. If your choice is Select user, make sure the selected user has access to the filer.
Click MIP Action Mode and select Online
Enter Tenant Id, Client Id, Client Secret Key, and Microsoft Administrator Account details.
Note:
Use Microsoft Administrator Account which is either Global Administrator account or Minimum Privilege account with Information Protector reader and Sensitivity Label reader privileges.
In the Run Set MIP Action on field, select the option where you want to run the set MIP action, either Management Server or Collector
Note:
If you are opting for Collector node, you need to perform all pre-requisite steps on the Collector node as well.
Click OK

Note:

Encrypted labels are supported only in the Online mode.

Supported file extensions for encrypted labels are as follows:

Supported file extension
.txt	.jpeg	.tif	.gif
.xml	.pdf	.tiff	.jpe
.jpg	.png	.bmp	All Microsoft Office files

Offline mode

Prerequisites

On the Management Server:
- Install .NET Framework 4.6.2 or higher
- Install Microsoft Purview Information Protection Client executable using https://learn.microsoft.com/en-us/azure/information-protection/rms-client/install-unifiedlabelingclient-app
Keep Policy.xml file at <Datadir>/tmp/Policy.xml. You will get this file after Downloading list of MIP Labels. See Downloading Policy.xml containing list of MIP Labels.
Modify the Information Governance Workflow Service to run under a different account
To configure MIP label, run the workflow service with the Domain user account, which is a part of Local Administrator group on the Management server.
To change the account, open Service Control Manager (run services.msc), locate the Information Governance Workflow Service and open the properties.
In the 'Log on' tab, change from 'Localsystem' to 'domain\user' and enter the domain\username and password. For example, let us consider Contoso\sara as domain\user.
Now restart the Workflow service and ensure it is in a 'running' state.
Assigning required rights to Contoso\sara
You need to assign Replace a process level token rights to the Create Process As User account. To elevate the rights, navigate to Control Panel > Administrative Tools > Local Security Policy and add the user account (Contoso\sara) to the Replace a process level token rights. To implement the changes, log out of the system.

To configure MIP labels in Offline mode:

Log in to Information Governance console and click Settings > Remediation > Data management in the left pane.
Click Set Microsoft Purview Information Protection (MIP) Label and then click Edit in the right pane.
Click MIP Action Mode and select Offline.
You can select either User scan credentials or Select user in the Run As field. If your choice is Select user, make sure the selected user must have access to the filer.
In the Run Set MIP Action on field, select the option where you want to run the set MIP action, either Management Server or Collector
Note:
If you are opting for Collector node, you need to perform all pre-requisite steps on the Collector node as well.
Click OK

Bifurcation of MIP labels from Arctera Information Classifier (AIC) tags

You can distinguish between MIP labels and VIC tags. It helps determine the number of VIC tags and MIP labels used for classification. Details about MIP labels will be listed under Microsoft Sensitivity Label.