So, you want to better protect your sensitive information—anytime, anywhere? Use Azure Information Protection.

So, you want to secure your data. There are 4 pillars in today’s environment that we should be looking at to have a holistic security approach.

  • The login identity.

  • The applications in use.

  • The devices users use to access applications and data.

  • The actual data.

If users are not applying proper login security and application lockdowns, or are not using device encryption, then the last line of defense is classifying and labeling your data according to your compliance requirements and/or policy. If your users are not following your policies, you may be exposing yourself to data leakage and security breaches.

When using Office 365 subscriptions such as E3 or E5, it is good to know which licenses are needed to access data that has been classified and labeled.

Figure 1

Set up 3 users: Abbi in Finance with an O365 E5 subscription, Ada in Finance with an O365 E3 subscription, and Megan in Sales with an O365 E3 subscription.

1. Abbi asked IT to set up the Finance group in AIP so that the Finance department always has its data classified.

2. Abbi will send a Word doc with data to Ada for review. Ada will then mistakenly forward the message to Megan and we will see the result.

3. IT has set up classification and labels for Finance Reviewer and Co-Owner. Click Here to see how the Finance Department labels were created.

Figure 2

Figure 3

4. After Abbi has Office ProPlus installed and has logged into her O365 account, she opens Microsoft Word and uses the Finance Department Reviewer AIP template to classify and label the document she will send to Ada for review.

The Azure Information Protection client has been installed on her Windows 10 device. She used the pencil icon on the AIP client bar to select the template, which applies a header and footer, and she has full permission over this document.

Figure 4

5. Since Abbi is a member of the Finance group in Azure, when she opens Outlook 2016 (Figure 5) she can use the Finance labels and classification in all the AIP-enabled Office ProPlus apps. Since the Word doc has already been classified for demo purposes, she does not need to further classify this email. Normally, she would stop the email from being forwarded with the Protect tab. She will send the document as an attached copy (‘attach as copy’) rather than as a Share Link from OneDrive for Business.

Figure 5

Figure 6

6. Next, we see the email from Abbi arriving in Ada’s mailbox (Figure 7), with its sensitivity auto-classified by the policy (the red circle icon on the email indicates it is AIP protected and encrypted). She clicks the down arrow on the attachment to open it (Figure 8). She can only open it in Word rather than online, authenticating through the installed client agent, and can then save the data to a secure location like OneDrive for Business.

Figure 7

Figure 8

7. If you get the error in Figure 9 when trying to open the protected doc from OneDrive by viewing it online, it is because the document is rights protected. Ada will choose Edit in Word, which opens the doc in Protected View. Clicking View Permissions shows her permissions, which are now limited. These permissions come from the Reviewer template Abbi applied in step 4 (Figure 4).

Figure 9

Figure 10

8. Below (Figure 11), Ada, who has an E3 subscription, clicks Enable Editing. Like Abbi, she gets the Finance policy merged with the default policy that applies to all users in the tenant. To learn more about which Azure Information Protection features are included with Office 365 plans, see Azure Information Protection.

9. Ada will forward the email (Figure 12) (which should not be allowed) to a user in Sales named Megan. Notice the policy tip telling her she has no permissions.

If you’re having problems seeing the templates, try these tips.

Figure 11

Figure 12

10. Megan is presented with an attachment but is not allowed to read the original (Figure 13). If Megan were to open the document locally or from a share, she would still not have access. Abbi is also able to track and revoke permissions on this document (Figure 14). You also have Azure logging and Cloud App Security to use, and can further label and classify if needed.

Figure 13

Figure 14

11. Here we see Abbi as an E5 subscriber, where she can classify and label data at rest (Figure 15). With the AIP client installed, she can right-click a file, select ‘Classify and Protect’, select the label she needs and hit Apply (Figure 16) to have the template classify and label the file accordingly. You should always have the latest version of the client.

Figure 15

Figure 16
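The same classify-and-protect action for data at rest, done in bulk from PowerShell, as an added example that is not part of the original post: it audits a Finance share for files that are missing a label or Azure RMS protection, then applies the Finance label to them. It assumes the AzureInformationProtection PowerShell module that ships with the AIP client (Get-AIPFileStatus and Set-AIPFileLabel), and the share path and label GUID below are placeholders; the real GUID is copied from the label's properties in the Azure portal.

```powershell
# Added example (not from the original post). Assumes the AzureInformationProtection
# module installed with the AIP client; $Path and $FinanceLabelId are placeholders.
param(
    [string]$Path = '\\fileserver\Finance',                            # placeholder share
    [guid]  $FinanceLabelId = '00000000-0000-0000-0000-000000000000'   # placeholder GUID
)

# Collect the Office and PDF files on the share.
$files = Get-ChildItem -Path $Path -Recurse -File -Include *.docx, *.xlsx, *.pptx, *.pdf

# Get-AIPFileStatus reports, per file, whether a label is applied (IsLabeled)
# and whether Azure RMS protection is applied (IsRMSProtected).
$status = Get-AIPFileStatus -Path $files.FullName

# A file with a label but no protection (or no label at all) is a gap in the
# "protect the data itself" pillar described above.
$gaps = $status | Where-Object { -not $_.IsLabeled -or -not $_.IsRMSProtected }

'{0} of {1} files are missing a label or RMS protection:' -f @($gaps).Count, @($status).Count
$gaps | Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected | Format-Table -AutoSize

# Apply the Finance label, whose template carries the protection, to each gap.
# -WhatIf makes this a dry run; remove it to actually label the files.
foreach ($file in $gaps) {
    Set-AIPFileLabel -Path $file.FileName -LabelId $FinanceLabelId -WhatIf
}
```

Run it first with -WhatIf in place to review which files would change; the account running it must be able to open any already-protected files, or Set-AIPFileLabel will fail on those.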

We saw that with an E5 subscription, Abbi gets the Premium P2 features of Azure Active Directory and Azure Information Protection. As an E3 subscriber, Ada gets the base features of Premium P1, but both are able to apply labels and classification. With an E5 subscription like Abbi’s, you can also set up automatic classification within templates, rather than the manual classification available with an E3 (P1) subscription. Of course, everything you want to know about Azure Information Protection can be found right here.

Here is a link to set up your own test environment.
Here is a link for using AIP with Exchange Online and SharePoint Online.
Another feature is to scan and protect with the Azure Information Protection scanner.
And some videos from Ignite 2018 Here.

That’s it for now. Hope to see you in class!
