BLOG Published on 2018/04/08 by Asitha De Silva in Tech-Tips

Implementing Azure Information Protection | Configuring Labels and Protection

Azure Information Protection (AIP) is used to protect sensitive data when it is shared inside and outside the organization. In my previous post, an overview of Azure Information Protection, I described what AIP is, its relation to Azure RMS, how its protection works, and licensing. This post is about enabling AIP in your Azure tenant and implementing labels to classify and protect your data. I will also cover how to protect your organization's internal data using an example.

If you are new to AIP, my advice is to read my Overview of AIP first to get an idea of what you can do with it. Then you can enable an EMS trial on your existing subscription to test the configuration.

Before configuring Azure Information Protection, there are three things you have to do:

  • Assign an AIP license
  • Activate Azure Information Protection
  • Install the AIP client

AIP Licenses

As described in the Overview post, there are two AIP license plans available. If you are implementing this for testing purposes, you can enable the following two trials on your existing Office 365 subscription:

  • Enterprise Mobility + Security E5
  • Azure Information Protection Premium P2

Activate Azure Information Protection

After adding a license subscription that enables AIP Plan 1 or Plan 2, you next have to activate AIP from the Azure portal. Log in to the portal with admin credentials, find the AIP console by searching for "Azure Information Protection", open Protection activation, and click Activate if it is not already activated.
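The same activation can be done and verified from PowerShell, which is handy when you script tenant setup or want to confirm the state of the protection service without opening the portal. This is an added example, not code from the original post; it uses the AADRM module that was current for this post (the module was later renamed AIPService, with the same cmdlets under the Connect-AipService / Enable-AipService names) and assumes a Global Admin account.

```powershell
# Added example (not from the original post): activate the Azure RMS protection
# service behind AIP and verify the state the portal's "Protection activation"
# blade reflects. Requires: Install-Module AADRM, and a Global Admin account.
Import-Module AADRM

# Prompts for the tenant admin credentials
Connect-AadrmService

$config = Get-AadrmConfiguration
if ($config.FunctionalState -ne 'Enabled') {
    Write-Host "Protection service is '$($config.FunctionalState)'; activating..."
    Enable-Aadrm
}

# Re-read the configuration: FunctionalState must now be 'Enabled', and the
# licensing URL is the endpoint clients will contact to acquire use licenses.
Get-AadrmConfiguration | Select-Object FunctionalState, LicensingIntranetDistributionPointUrl

Disconnect-AadrmService
```

If FunctionalState still reads Disabled after this, the usual cause is that no subscription containing AIP Plan 1 or Plan 2 has been added to the tenant yet, which is the licensing step above.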



Installing AIP Client

The AIP client is a small software tool that enables AIP capabilities in the operating system and in Office applications. When you receive a document protected by AIP, you need the AIP client installed to view it. It is a free tool and requires no license, so you can share AIP-protected documents with external parties and they can install the tool to view the data. The AIP client can be installed individually or deployed using software deployment tools such as SCCM.

AIP Client – Download

After installing the client on the computer, new options appear in Office apps and in the Windows right-click menu.





Configuring Classification and Labeling

When protecting data with AIP, the data should be classified according to its sensitivity. For example, you can classify data as Confidential, Internal, and Public. These classifications are represented as labels: from the AIP console we create labels, and according to each label's classification we configure its policies and permissions. For example, data labeled Confidential can be configured as view-only, while data labeled Public can be left without any protection.

There are a few default labels in the AIP console, but no protection is configured for them. Let's see how to create a label and add protection.

Select the Policy Type

  1. Log in to the Azure portal, open All services, and click Azure Information Protection.
  2. Under Policies, there are two policy types: global and scoped. The global policy is applied to all users of the organization; a scoped policy can be configured to apply to a particular security group.


Create a New Label

  1. In the global policy there are a few default labels; you can configure policies for the default labels or create a new one with Add a new label in the portal.
  2. Type the display name and a description that match the classification.
  3. From the “Set visual marking” options, you can add a header, footer, and watermark to protected documents.
  4. Save the label.

Configuring Protection to a Label

Protection can be added according to the label classification. There are three protection settings:

  1. Set Permissions
  2. Set user-defined permissions (Preview)
  3. Select predefined template



Set Permissions

From Set Permissions, you can grant permissions at the email domain level, group level, and user level. Internal domains and users can be selected from the list, and external users or domains can be entered on the Enter Details tab.

There are a number of preset permission levels to select from, such as Co-Owner, Reviewer, and Viewer. Specific permissions can also be granted through the custom selections.



Set user-defined permissions (Preview)

This option is used when the user should choose the permissions and to whom they apply. When a label is configured this way, the user is prompted to select the users or groups and the permissions to add to the document being shared.



Select a predefined template

From this option, you can select a previously created Azure RMS template as the protection setting.


Custom Scenario – Protecting Company Internal data

For most organizations, it is a challenge to keep internal data from going outside. In most cases, these are unintentional mistakes by users. For example, a user may send an internal mail and mistakenly add someone outside the organization; this can be a competitor, a customer, or someone else who can have a negative impact on the organization.

With Azure Information Protection, we can classify data as internal and define policies for who has access to it and at what level. We can also make Internal the default classification of all data unless the user chooses otherwise. When the user sends an email or creates a new Word document, the Internal label is applied by default, and the Internal label's policy makes the data accessible only to the internal or specified domain names. If the data is shared outside, accidentally or on purpose, the outside recipient cannot open it, because the data is encrypted and opens only for users of the specified internal domains. If an email does need to go to an outside person, the user can override the Internal label with a Public label or a label with other restrictions. In this way, an additional layer of security is added to shared data.

To achieve this, you have to create a label, add protection so that only the internal domains can access the content, and make it the default classification.

  1. Create a new label called Internal or General, following the label creation steps above.
  2. Click Protection and tick Set Permissions.
  3. Click Add permissions.
  4. Click Add Company Name – All members; this adds the internal mail domain.
  5. If you have additional domains, add them under Enter Details.
  6. You can select the permission setting for each domain. Co-Owner grants all permissions; since this is the internal label, there is no need to restrict it.
  7. Click Save and go to the global policy page.
  8. Select the newly created Internal label as the default label.
  9. Click Publish from the top menu.
  10. To test the configuration, log in to a test client. Here I am testing with Outlook; the AIP client must be installed and an AIP license assigned to the user.
  11. Open Outlook. You can see the default label (General) is applied to a new email, so it can be opened only by users in the domains specified by the label.
  12. If required, the user can remove this label so the mail is sent out unencrypted.
  13. Not only in Outlook: when you create an Office document, the default label is also applied.
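The protection part of this scenario (the Set Permissions step above, and the "Select a predefined template" option described earlier) can also be built as an Azure RMS template with PowerShell, and the test step can be checked on the client with the AIP client's own module instead of eyeballing Outlook. This is an added example, not code from the original post. It uses the AADRM admin module (later renamed AIPService) and the AzureInformationProtection module that ships with the AIP client; the domain names and the test file path are placeholders, and the Co-Owner to OWNER mapping is the one Azure RMS uses for its usage rights.

```powershell
# ---- Part 1: admin session (AADRM module, tenant admin account) ----
# Added example, not from the original post. Builds the "Internal" protection
# as an Azure RMS template so it can be picked under "Select a predefined
# template" for the label. Domain names below are placeholders.
Import-Module AADRM
Connect-AadrmService

# Internal mail domains that may open the content. "Company Name - All members"
# in the portal is the tenant's own domain; extra domains go in the same list.
$internalDomains = @('contoso.com', 'contoso-europe.com')   # placeholders

# Co-Owner in the portal maps to the OWNER usage right. Nobody outside these
# domains gets any right at all, so the content cannot be opened externally.
$rights = foreach ($domain in $internalDomains) {
    New-AadrmRightsDefinition -DomainName $domain -Rights 'OWNER'
}

# LicenseValidityDuration: days the content stays readable offline before the
# client must contact the service again and re-check the rights.
Add-AadrmTemplate `
    -Names @{ 1033 = 'Internal' } `
    -Descriptions @{ 1033 = 'Internal use only. Cannot be opened outside the company.' } `
    -RightsDefinitions $rights `
    -LicenseValidityDuration 7 `
    -Status Published

# Confirm the template is published; its TemplateId is what protected files report.
Get-AadrmTemplate | Select-Object TemplateId, Names, Status
Disconnect-AadrmService

# ---- Part 2: test client (AIP client installed, AzureInformationProtection module) ----
# After the label is published with this template and set as default, check that
# a document created on the test machine really carries the label and protection.
Import-Module AzureInformationProtection
$testFile = 'C:\Users\testuser\Documents\test.docx'   # placeholder path
$status = Get-AIPFileStatus -Path $testFile
$status | Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected, RMSTemplateId

if (-not $status.IsRMSProtected) {
    Write-Warning "$testFile is labeled but not protected: check that the label has Set Permissions (or the template) configured and that the global policy was published."
}
```

The check at the end matters because a label and its protection are two separate things: a label with no protection setting still classifies the file (IsLabeled is true) but leaves it readable by anyone, which is exactly the gap this scenario is meant to close. RMSTemplateId on a protected file should match the TemplateId listed by Get-AadrmTemplate.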


In this way, we can control and minimize unintentional data sharing to the outside world. Using the same approach, you can also create labels for internal groups to protect data within the organization, for example to keep sensitive financial or HR data from being shared across the organization.

Azure Information Protection is too vast an area to discuss in one post, and there are many areas where we can use it to provide solutions. In future posts I hope to cover document tracking, protecting your own data with a custom policy, recipient-only policies, and how to enable super user access.


Hope this post is useful

Cheers

Asitha De Silva


Consultant Cloud Solutions
