Azure Information Protection (AIP) is a cloud-based service that allows an organization to defend against data leakage (both internal and external) by labeling, classifying, protecting, and monitoring both documents and emails. Labeling can be automated based on policy rules, user-driven, or a combination of both where users are given recommendations. The protection component of AIP leverages Azure RMS and is optional – whether it is applied depends on your policy rules and conditions.
AIP is a component of Microsoft’s Enterprise Mobility + Security suite and can also be purchased as a standalone product. More information on pricing can be found here.
Activating Azure Information Protection
If you don’t already have the AIP service activated, follow these steps to set it up:
- Sign in to the Azure Portal as a Global Admin, Information Protection Administrator, or Security Administrator.
- From the left navigation pane (or hub), select Create a resource, then type Azure Information Protection in the search box and select it from the search results.
- On the Azure Information Protection blade, click Create, and then click Create one more time.
- From the Azure Information Protection management blade, select Protection activation, and then Activate. You may have to wait a minute or two for the activation to complete.
- Taking a look at what’s available right out of the gate, you’ll notice that there is already a default set of labels and a global policy that applies to All Users. For this post we won’t be going through them, but in a real-world scenario it is highly recommended to edit them for your organization’s needs.
Create a new AIP label
Now that we have the service activated, let’s create a new label and policy. As noted above, there is already a global policy that applies to All Users, but for this demo we are going to create a “scoped” policy that applies to members of the HR department.
- From the Azure Information Protection management blade, click on Labels and then + Add a new label.
- For the Label display name, let’s use HR Only.
- For the Description, let’s keep it simple with For HR use only – in a real-world scenario you will want to be as descriptive as possible when adding the description.
- Now for Color – by default a custom label will use black, but you can change it from here.
- Set permissions for documents and emails containing this label is where we have the option to set protection and permissions for documents with this label. For demonstration purposes, let’s select Protect, and then select Protection.
- From the Protection blade, make sure you have Azure (cloud key) selected. Azure (cloud key) uses the Azure Rights Management cloud service to protect the document. The other option is Hold your own key (HYOK) protection. HYOK (AD RMS) does not have all the benefits of Azure RMS and brings some limitations. Even though there may be a use case for HYOK, be prepared for these drawbacks. More information on HYOK can be found here. It is highly recommended to use HYOK only for the special cases that genuinely require it.
- For Select the protection action type, we have two options. Set permissions will automatically apply permissions for this particular label. Set user-defined permissions will allow the user creating the document to set permissions manually. For this demo we will select Set permissions and then click + Add permissions.
- In the Add permissions blade, under Specify users and groups, click + Browse directory. From the list you can either add individual members of the HR group or select an email-enabled group. If needed, you could also set different permissions for different members of the group. Once you are finished, click Select. Notice that we stayed in the Select from the list tab under Specify users and groups – if you wanted to set permissions for external users, you would select the Enter details tab instead.
- Now under the Choose permissions from preset or set custom section we can either use a predefined set of permissions or create our own permissions for this label. Select which permissions you would like to use and click Ok.
- Back at the Protection blade, under Content expiration, we can choose whether access to these documents expires at a certain time. For this demo we will select Never.
- For Allow offline access we will keep the default of 7 days.
Note: Be very careful when selecting Content expiration and Allow offline access, as these two settings may have undesirable results depending on your organizational needs. Read more on these implications here.
- Once we are finished with the Protection settings, click Ok.
- Now back at the Label blade, the next set of options are visual markings that will be applied to the document. You have a few options and plenty of customization settings associated with each. I’ll let you decide which one (if any) you want to apply.
- Next we have the Configure conditions for automatically applying this label setting. This is where we can have AIP automatically apply a label to a document, or recommend the label to the user, based on certain conditions. For this demo, let’s apply one. Select + Add a new condition, and enter social security in the search box. Select USA Social Security Number. You’ll notice there are quite a few predefined conditions and also an option to create a custom condition. You also have an option to set the minimum number of occurrences for a condition, and whether multiple occurrences of the same value count toward that number. Whew. Once you are finished, click Save.
- Now that we have a new condition applied, we can define whether we want AIP to recommend this label to the user or apply it automatically. For this demo I will select Automatic and set a descriptive policy tip that explains to the user why this label was applied.
- Finally, we can add some notes for administrators of AIP, and we are ready to deploy our first policy. When you are ready, click Save.
Once you click Save, you should see your new label in the Labels dashboard.
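The protection settings chosen in the wizard above (HR group permissions, no content expiration, 7-day offline access, scoped to HR), expressed with the AIPService PowerShell module so the same configuration can be re-created and reviewed from a script. This is an added example and not part of the original post; the tenant domain contoso.com and the groups hr@contoso.com and hr-managers@contoso.com are placeholders. The USA Social Security Number condition and the visual markings from the steps above are not covered here and stay in the portal.

```powershell
# Added example (not from the original post). Assumes the AIPService module is
# installed and that the signed-in account holds one of the admin roles listed
# in the activation steps. contoso.com and the group addresses are placeholders.
Import-Module AIPService
Connect-AipService                      # prompts for the admin account

# Confirm protection is activated before creating a template (the
# "Protection activation" step above). Enable it only if it is not.
$config = Get-AipServiceConfiguration
if ($config.FunctionalState -ne 'Enabled') {
    Enable-AipService
}

# Rights for HR staff: a co-author style set, equivalent to picking a preset
# in the "Choose permissions from preset or set custom" section.
$hrStaff = New-AipServiceRightsDefinition -EmailAddress 'hr@contoso.com' `
    -Rights 'VIEW','EDIT','DOCEDIT','PRINT','EXTRACT','REPLY','REPLYALL','FORWARD'

# A second definition shows that different members of the same department can
# get different rights; HR managers become owners of the content.
$hrManagers = New-AipServiceRightsDefinition -EmailAddress 'hr-managers@contoso.com' `
    -Rights 'OWNER'

# Name and description per locale ID (1033 = English, United States),
# matching the Label display name and Description chosen in the wizard.
$names = @{}
$names[1033] = 'HR Only'
$descriptions = @{}
$descriptions[1033] = 'For HR use only'

# Content expiration "Never" and offline access of 7 days, as selected above.
# -ScopedIdentities limits who sees this template, the scripted counterpart
# of the "scoped" policy for the HR department. -Status Published makes it
# available straight away.
Add-AipServiceTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $hrStaff, $hrManagers `
    -ContentExpirationOption Never `
    -LicenseAcquisitionDuration 7 `
    -ScopedIdentities 'hr@contoso.com' `
    -Status Published

# Review what was created; check the expiration and offline-access values
# here, since the note above warns that both can have undesirable results.
Get-AipServiceTemplate |
    Format-Table TemplateId, Status, LicenseAcquisitionDuration, Names -AutoSize
```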
Apply a policy to the new label
- Now that we have our new label created, let’s add it to the Global policy. From the Azure Information Protection management blade, select Policies, and then select the Global policy.
- Under the label display names, click Add or remove labels.
- From the Policy: Add or remove labels blade, select our HR Only label and click Ok.
- Click Save in the Policy: Global blade and you are finished.