Architectural Case Study | Extending Microsoft Purview with Fortra (Digital Guardian) DLP via the MIP SDK
This post is a continuation of a series. See part 1, here.
Most enterprises already live in dual worlds. On one side, Microsoft Purview governs information inside Microsoft 365. But on the other, dedicated DLP platforms like Digital Guardian DLP control endpoints, networks, and file movement.
So what's the problem...?
These two worlds traditionally don’t share context.
→ Purview knows the label and where it was applied, but not the path the file takes once it leaves Microsoft’s visibility boundary.
→ 3rd Party DLP knows the path, but not the label or user intent.
And this is exactly where data is most vulnerable: between cloud policy and user behavior.
Discovery, meet enforcement...
This is where the Microsoft Information Protection SDK (MIP SDK) enters. It lets third-party products call the same framework that Microsoft itself uses to classify, label, and protect files. In practical terms, this can look like:
→ Digital Guardian detects and classifies sensitive content (PII, HIPAA, financials).
→ The DG Agent calls the MIP SDK File API to apply the correct Microsoft sensitivity label.
→ Once labeled, that file becomes a "first-class citizen" inside Purview.
The file’s metadata now flows through:
→ Microsoft DLP in SharePoint, Exchange, and Teams
→ Microsoft 365 audit logs
→ Insider Risk Management
With this, you’ve turned two disparate ecosystems into one continuous protection fabric. How neat is that?
How can we demonstrate this model using Fortra and the MIP SDK?
Phase 1 (DG eDLP 7.7)
DG agents gained the ability to inspect MIP-protected files, decrypt them securely using SDK authentication, and classify or control them without breaking encryption. This closed a major DLP visibility gap into protected content.

Phase 2 (DG eDLP 7.8–7.9)
DG could now apply MIP labels automatically, with or without user interaction.
Rule actions in DG could be mapped directly to Microsoft labels, ensuring consistent taxonomy and unified reporting in Purview.

When DG detects sensitive data, it tags it with the same label Microsoft uses. When Microsoft sees that label later in SharePoint (for example), it enforces the same policy again. True end-to-end continuity!
What's the architecture behind it?
The integration uses standard MIP SDK authentication flows to obtain tokens for labeling operations. In plain language, the DG agent authenticates to Microsoft just like a Microsoft app would, which means it doesn’t sidestep any of your configured governance. Once authorized, the agent can:
→ Read and apply MIP labels.
→ Append label metadata to the Alternate Data Stream (ADS) for tracking.
→ Decrypt and inspect encrypted files without user friction.
DG even supports both cloud and on-prem deployment models, which is a key advantage for regulated industries that can’t rely on full-cloud enforcement. Purview, of course, has the On-Prem Information Protection Scanner, but it's not always the best tool for the job.

The Combined Power of Content, Context, and User-Based Classification...
Fortra’s classification model is content-based, context-based, and user-based. This aligns perfectly with Microsoft Purview’s signal hierarchy:
| Fortra Classification Signal | Microsoft Equivalent | Integration Benefit |
|---|---|---|
| Content (file inspection, regex, fingerprints) | Standard SITs & EDM classifiers | Deep inspection and validation before labeling |
| Context (user, network, app, operation) | Purview activity and exfiltration signals | Enriches Purview’s visibility beyond Microsoft 365 |
| User-based (manual classification) | End-user label selection | Seamless UX between DG agent and Purview label picker |
Users classify once and both ecosystems honor it.
What does the integration enable?
→ Inspection and enforcement of policies on MIP-protected content without breaking encryption.
→ Generation of unified audit events when labels are applied or changed.
→ Ability to display MIP labels directly in DG consoles, ensuring analysts see Purview classifications inside their standard dashboard.
→ Blocking or warning based on label mismatches.
→ Added visibility and control over removable media, FTP, webmail, and unmanaged endpoints, areas where native Purview coverage technically exists but can be limited.


Once DG and Purview share a label taxonomy, you multiply your options:
→ Inspection continuity...
- DG can read, decrypt, and inspect MIP-protected content without breaking encryption.
→ Audit unification...
- Label changes trigger Purview audit events visible to compliance teams.
→ Policy correlation...
- DG can enforce rules when labels mismatch, e.g., "Public" files leaving via Gmail.
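The policy-correlation check above, sketched as an added example; it is not Fortra or Microsoft code. It assumes the label sits in an unprotected Office file as `MSIP_Label_<GUID>_<field>` custom properties in `docProps/custom.xml`; the taxonomy, content-hit mapping, channel limits, and the helper names `read_label`, `decide` and `make_sample` are hypothetical.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
# Assumed taxonomy, lowest to highest; substitute your tenant's labels.
RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
# Assumed: minimum label rank each content-inspection hit requires.
MIN_LABEL = {"PII": 2, "Financial": 2, "HIPAA": 3}
# Assumed: highest label rank allowed on each egress channel.
CHANNEL_MAX = {"webmail": 0, "ftp": 0, "removable_media": 1}

NS = "http://schemas.openxmlformats.org/officeDocument/2006/"
PROP = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")
def read_label(pkg):
    """Name of the enabled label in docProps/custom.xml, else None."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/custom.xml"))
    labels = {}
    for prop in root:
        m, val = PROP.match(prop.get("name", "")), prop.find("{%sdocPropsVTypes}lpwstr" % NS)
        if m and val is not None:
            labels.setdefault(m.group(1), {})[m.group(2)] = val.text or ""
    for fields in labels.values():
        if fields.get("Enabled", "").lower() == "true":
            return fields.get("Name")
    return None

def decide(label, hits, channel):
    """(action, reason) for a file leaving over `channel`."""
    rank = RANK.get(label, -1)  # unlabeled or unknown label ranks lowest
    need = max((MIN_LABEL.get(h, -1) for h in hits), default=-1)
    if rank < need:
        return "block", "label is lower than the content requires"
    if rank < 0:
        return "warn", "no recognised label"
    if rank > CHANNEL_MAX.get(channel, 3):  # unlisted channels are unrestricted
        return "block", "label not permitted on this channel"
    return "allow", "label consistent with content and channel"

def make_sample(name, guid="00000000-0000-0000-0000-000000000001"):
    """Constructed package holding only the label properties."""
    p = "".join('<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="%d" '
                'name="MSIP_Label_%s_%s"><vt:lpwstr>%s</vt:lpwstr></property>' % (i, guid, k, v)
                for i, (k, v) in enumerate((("Enabled", "true"), ("Name", name)), 2))
    xml = '<Properties xmlns="%scustom-properties" xmlns:vt="%sdocPropsVTypes">%s</Properties>' % (NS, NS, p)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()
```

`decide(read_label(make_sample("Public")), ["PII"], "webmail")` returns a block, which is the "Public file leaving via Gmail" case. When parsing files from untrusted sources, swap `xml.etree.ElementTree` for `defusedxml.ElementTree`.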

Architect’s Takeaways (or, "design via principle")...
→ Unify policy sources...
- Maintain one label taxonomy that drives both Microsoft 365 and endpoint enforcement.
→ Preserve telemetry...
- Treat every label application, no matter where it occurs, as an auditable Purview event.
→ Delegate strengths...
- Let Microsoft handle encryption and governance.
- Let third-party DLP handle deep inspection and control.
→ Design governance early...
- Shared labeling means shared accountability.
- Shared accountability allows you to coordinate taxonomy and versioning across teams.
This is how you advance from vendor compatibility discussions to actually architecting a single system. A single system that expresses data identity consistently from endpoint to cloud.


The Fortra integration with Microsoft Purview is, I believe, a preview of where enterprise data protection is heading. Together, when unified by the MIP SDK, these products become a self-reinforcing control system. No single "best-in-class" data security platform is truly complete in isolation. Together, they become a true Data Security Superpower.


https://dataclassification.fortra.com/resources/datasheets/enhancing-microsoft-aip