Skip to main content
Microsoft Security

Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud are fading. Sensitive data constantly travels between different locations and is often shared with others – both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.

Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldn’t, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should – when sensitive data is being exfiltrated.

Consider the following principles when shaping your information protection strategy:

  1. Visibility – You can’t protect what you can’t see. Strive to achieve complete visibility into sensitive data across all repositories.
  2. Data-centric protection – Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.
  3. Assume breach – Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.

The endpoint is a key point of control when implementing an effective information protection strategy based on these principles. Endpoints are often the entry for sophisticated attacks conducted by an external adversary or an insider threat. Combine it with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s endpoint protection platform, addresses this challenge by integrating with Azure Information Protection, Microsoft’s data classification, labeling, and protection solution. This integration empowers Windows to natively understand Azure Information Protection sensitivity labels, to provide visibility into sensitive data on endpoints, to protect sensitive data based on its content, and to detect and respond to post-breach malicious activity that involves or affects sensitive data.

Microsoft Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.

Discover sensitive documents on Windows devices

Microsoft Defender ATP’s built-in sensors discovers labeled data on all devices monitored by the Microsoft Defender ATP service. This data is then seamlessly plugged into the Azure Information Protection reporting experience and enriched with labeled documents discovered on Windows devices. This allows existing Azure Information Protection customers to get instant visibility into sensitive data on devices using the same dashboard and analytics tools they use today.

Azure Information Protection – Data discovery dashboard shows data discovered by both Microsoft Defender ATP and Azure Information Protection.

Figure 1. Azure Information Protection – Data discovery dashboard shows data discovered by both Microsoft Defender ATP and Azure Information Protection

It doesn’t end there. Being an endpoint protection suite, Microsoft Defender ATP monitors and calculates device machine risk level – an aggregated indicator of active security threats on each device. This data is also shared with Azure Information Protection reports, allowing data administrators to proactively understand whether sensitive corporate data resides on any compromised devices. To understand why the device is compromised, all it takes is a single click in the Azure Information Protection dashboard to be directed to that device’s record in Microsoft Defender ATP, where the administrator can investigate and mitigate detected security threats.

Azure Information Protection – Data discovery dashboard shows device risk calculation.

Figure 2. Azure Information Protection – Data discovery dashboard shows device risk calculation

Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Microsoft Defender Security Center. Windows endpoints will start discovering labeled documents immediately.

Windows Defender Security Center– Settings page.

Figure 3. Microsoft Defender Security Center– Settings page

Detect sensitive data leaks from Windows devices

In addition, Microsoft Defender ATP integrates sensitive data awareness into Microsoft Defender Security Center. Each incident or alert raised in Microsoft Defender Security Center includes a ‘data sensitivity’ attribute that is generated by aggregating the sensitivity of all the labeled files discovered on devices that are affected by the incident. This allows security analysts to prioritize incident response based on data sensitivity. When investigating an incident, security analysts can use data sensitivity context across the entire investigation – from the incident dashboard, through analyzing sensitive data exposure of specific machines, all the way to Advanced hunting.

Microsoft Defender Security Center – Incident queue, sorted by data sensitivity.

Figure 4. Microsoft Defender Security Center – Incident queue, sorted by data sensitivity


Protecting sensitive data requires a comprehensive approach. Sensitive data stored on devices that are constantly on the move presents its own unique challenges. Microsoft Defender ATP and Azure Information Protection work together to effectively reduce the possibility of losing sensitive data. Together, these solutions provide discovery and protection capabilities required to govern and protect sensitive data, enforce compliance, and proactively mitigate risks.

These are just the first few steps we’ve taken to enhance the information protection capabilities. Stay tuned for more upcoming features built into Windows 10.

Start here to learn how you can leverage of this capability.


Omri Amdursky
Microsoft Defender ATP team


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.