Classify and protect your data with Azure Information Protection


Azure Information Protection is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.

A long time ago when Azure Rights Management service was introduced, I was already really excited about the concept. Since data is basically always available for employees, IT is breaking their heads about the security risks that were introduced and there was no really good solution to protect the data.

At that time, Azure RMS was not really user friendly in my opinion, but after Azure Information Protection was introduced a lot has changed and it got way better over time. And since a lot of our customers are struggling with this topic, I have decided to write things down.

Best practice when you start with Azure Information Protection is to start with recommending classification, instead of enforcing it. Research from Microsoft shows that 70% of the people are actually classifying data after implementing Azure Information Protection based on recommendations. I would always start with a pilot group with people who are eager to use new technology and can help you to make your roll out plan even smoother. As a guideline, you can use the following 5 steps Program:

  1. Classify: Take simple steps, it generates high-impact quickly
  2. Label: Test, phase the roll out, and learn! IT can’t know it all
  3. Protect: Control sensitive internal e-mail flow across all devices
  4. Monitor: Share protected files with business partners
  5. Respond: Teach and enable users to revoke access

Classify data – Begin the journey

It would be ideal if your organization already has a Data Management Policy in place so you can align the labels with it. And it would be even better if employees are already familiar with this policy. If not, you can use the default labels in Azure Information Protection: Personal, Public, Internal, Confidential and Secret. Some people may argue that this should be something the business should create, but IT can definitely take the lead in this to create awareness and already facilitate the basics from an IT perspective.

Label the data

You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable at all times, regardless of where the data is stored or with whom it’s shared. The persistent labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text so that other services (such as data loss prevention solutions) can identify the classification and take appropriate action.

For example, the following document has been classified as “Internal”. The properties contain custom entries so that other applications can inspect this value and could create an audit entry or prevent it from being sent outside the organization.

How data is protected

Azure Information Protection uses Azure RMS by default to protect your data. Azure RMS is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. It can also be used with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises, or in the cloud.

This protection technology uses encryption, identity, and authorization policies. Similarly to the persistent labels, protection that is applied by using Rights Management stays with the documents and emails, independently of the location – inside or outside your organization, networks, file servers, and applications. This information protection solution keeps you in control of your data, even when it is shared with other people.

Next to Azure RMS it is also possible to bring your own key (BYOK) or hold your own key (HYOK).

Share with business partners

In my job as IT consultant, I create a lot of documents that are (part of) a set of deliverables to the customer. Some of these documents are not meant to be available for the public and we have even seen examples where our designs were ‘reused’ in a competitor’s design. Previously it was not possible to simply grant access to a document for a whole domain. You needed to provide basically all the e-mail addresses from the client, but if somebody new joined one of the two organizations, access was not granted automatically.

To support scenario’s like this company collaboration was introduced. This new feature enables content to be protected to all users within a specified organization, for example any user who works at an external company.

What does this look like for users? Very simple and easy, just protect your document and share. For example: If the document is classified as confidential and both organizations should be able to open it, the employee clicks Confidential in the Azure Information Protection bar and selects the trusted organization.

As soon as the label has been provided, the Azure RMS template that provides anyone at either company permissions to the document was applied automatically.

Drive adoption

Like any other cloud service that is being introduced, it is strongly advised to teach employees on how to use the new service. Achieving success means making sure it helps everyone in your organization achieve more with their work and in this particular case: secure!

Before rolling out Azure Information Protection, take a step back and think about why your organization purchased it in the first place. Was it led by specific technical requirements, or did you discover specific needs within the business?

Teach employees about the different labels, what the impact is of labeling and how they for example can track who has accessed their document via the Azure RMS portal.

How to set it up

As soon as you have decided which data classifications you will use, you can start by getting the backend ready. When you login to https://portal.azure.com and browse to Azure Information Protection you will see the default Global policy.

When you click on the policy you will get to the dashboard where you can customize a lot of stuff to your needs, but most important will be what to do for every label: protect or not? On my tenant I have changed Secret to Restricted and I have added company A and B as business partner. I will explain later how I did that.

 

First we will configure the internal label so the data is only available to employees of our own organization. We will need to create an Azure RMS template via PowerShell because the portal does not support adding a whole domain.

You will need the Azure RMS PowerShell cmdlets which you can download from: https://www.microsoft.com/en-us/download/details.aspx?id=30339. After installation you can connect to Azure RMS with Connect-AadrmService.

To create your new template for the whole organization, you can use the code below. Language codes are used to display the policy notification in different languages (i.e. 1033 for English and 1043 for Dutch). The rights parameter is set to owner so everybody can work on the document if it was their own. This includes removing protection.

$names = @{}
$names[1033] = "Internal"
$names[1043] = "Intern"
$descriptions = @{}
$descriptions[1033] = "This information includes a wide spectrum of internal business data that can be used by all employees and can be shared with authorized customers and business partners. Examples for internal information are company policies and most internal communications."
$descriptions[1043] = "Deze data bevat een breed spectrum van interne zakelijke informatie dat kan worden gebruikt door alle medewerkers en kan worden gedeeld met geautoriseerde klanten en zakelijke partners. Voorbeelden van interne informatie zijn het bedrijfsbeleid en interne communicatie."
$r1 = New-AadrmRightsDefinition -DomainName yourdomain.com -Rights "OWNER" Add-AadrmTemplate -Names $names -Descriptions $Descriptions -LicenseValidityDuration 5 -RightsDefinitions $r1 -Status Published

The new policy will be displayed in the old Azure portal (https://manage.windowsazure.com) after running the script. To automatically apply this policy we will need to select it in the Azure Information Protection dashboard in the new portal. Click Internal, select Protect and click Protection. Select the template we created previously with the PowerShell script.

Click Done and save the label. After saving the label you will be prompted to publish your changes so employees can use it.

Creating a company collaboration policy

To create a company collaboration policy you basically repeat the steps that we did for the internal policy. Biggest difference is, of course, an extra domain name and limited rights. The following are available:

Right Description
VIEW Interpreted by most applications as allowed to present the data on the screen.
EDIT Interpreted by most applications as allowed to modify content in the document and save it.
DOCEDIT Interpreted by most applications as allowed to modify the content of the document.
EXTRACT Interpreted by most applications as allowed to copy the content to the clipboard or otherwise extract the content in unencrypted form.
OBJMODEL Interpreted by most applications as allowed to access the document programmatically; for example, by using macros.
EXPORT Interpreted by most applications as allowed to save the file in unencrypted form. For example, this right allows you to save in a different file format that does not support protection.
PRINT Interpreted by most applications as allowed to print the document.
OWNER User has all rights on the document, including the ability to remove protection.
FORWARD Interpreted by most applications as allowed to forward an email message, and to add recipients to the To and Cc lines.
REPLY Interpreted by most applications as allowed to select reply to an email message, without allowing changes in the To or Cc lines.
REPLYALL Interpreted by most applications as allowed to reply to all recipients of an email message, but does not allow the user to add recipients to the To or Cc lines.

To create the policy in Azure RMS and to allow the other organization to work on our documents we run the following code:

$names = @{}
$names[1033] = "<COMPANY>"
$names[1043] = "<BEDRIJF>"
$descriptions = @{}
$descriptions[1033] = "This data includes sensitive business information from EBOOZ and/or <COMPANY>. Exposing this data to unauthorized users may cause damage to the businesses."
$descriptions[1043] = "Deze data bevat gevoelige informatie van EBOOZ en/of <BEDRIJF>. De data toegankelijk maken voor ongeautoriseerde gebruikers kan schade toebrengen aan beide bedrijven."
$r1 = New-AadrmRightsDefinition -DomainName yourdomain.com -Rights "OWNER"
$r2 = New-AadrmRightsDefinition -DomainName company.com -Rights "VIEW", "EDIT","EXTRACT","PRINT","FORWARD","REPLY","REPLYALL"
Add-AadrmTemplate -Names $names -Descriptions $Descriptions -LicenseValidityDuration 5 -RightsDefinitions $r1, $r2 -Status Published

Next, we will add a label to Azure Information Protection so the template can be used. In this example we are applying the template when data where both organizations work on and is classified as confidential. Click the three dots on the right of the Confidential label and click Add a sub-label.

Enter a name for the label, select Protect and select the Azure RMS template. You can also create visual marking for documents that have this label. For example as footer text:

You can also apply conditions for automatic labelling or recommendations to end-users. For example:

Save the label. After saving the label you will be prompted to publish your changes so employees can use it. The end-user experience is exactly the same for other organizations as for your own employees.

Using groups to protect data

Next to domain wide protection, it is also possible to restrict data to certain groups in Azure Active Directory. This group can be created in Azure AD or synchronized from your on-premises Active Directory. The group needs to contain an e-mail address to be available for selection. You can use the old portal to add the group to the RMS template:

Or you can use PowerShell:

$names = @{}
$names[1033] = "Internal – Finance only"
$descriptions = @{}
$descriptions[1033] = " This data contains confidential information that is only available for the finance department."
$r1 = New-AadrmRightsDefinition -EmailAddress G-GDEL-AzureRMS-Finance@yourdomain.com -Rights "OWNER"
Add-AadrmTemplate -Names $names -Descriptions $Descriptions -LicenseValidityDuration 5 -RightsDefinitions $r1 -Status Published

Deploying the client

Protected documents can be viewed in Office by default. To enable users to label data, change the label or use other advanced features the Azure Information Protection Client needs to be installed. This client includes the ability to set custom permissions, share data in a protected way, track and revoke files and view protected files (beyond Office files) and can be downloaded here: https://aka.ms/aipclient. It includes the following features:

  • The ability to set/remove custom permissions for files (single files, multiple files and files in folders) through the Explorer shell extensions (right click on a file / folder) and select “classify and protect”
  • Enable users to set/remove custom permissions for Office files via the Office Interface (Word, Excel, PowerPoint)
  • Users can select contacts from their Global Address Book (requires Outlook)
  • Once protected, users can share a file via any method such as mail, SharePoint and cloud sharing apps.
  • Set Track and Revoke options for protected documents

The client also includes PowerShell cmdlets that enable you to:

  • Query for a files Label and Protection attributes
  • Set a Label and/or Protection for documents stored locally or on file servers and network shares that are accessible through SMB/CIFS (e.g. \\server\finance\)

External recipients who receive a protected document can download a lightweight client app (the Azure Information Protection Viewer) to open and view these docs in a simple way. This app does not require admin rights to be installed and can be downloaded from http://aka.ms/aipviewer.

Installation of the client can be done manually or you can create a silent installation for deployment with SCCM for example. Simply use “AzInfoProtection.exe /install /quiet” to have it installed silently.

When the installation is finished the bar with labels will be displayed in all Office applications and it also integrates with the context menu.

The Classify and protect option in the context menu enables users to set custom permissions or change the label. In our example you see the custom label for the external company we have created previously.

Conclusion

I hope this blog helped you to have a better understanding of Azure Information Protection and that you are ready to start you pilot! Keep it simple at first, define a pilot group and phase your roll-out. A best practice is to create policy that can be used company wide and create policies per department based on specific needs from the business.

There are some differences in the functionality you get with Azure Information Protection Premium P1 and P2. If you don’t require advanced features like HYOK and automatic classification you are good to go with Premium P1, which is also included in Microsoft’s Enterprise Mobility + Security E3 suite.

Feature P1 (EMS E3) P2 (EMS E5)
Manual labeling (user driven)
View labels and watermarks in Office
Apply content marking and RMS protection in Office
Automatic and recommended labeling (conditions)
Classification, labeling and protection with MCAS
HYOK (Hold your own key – multi RMS server support)

Leave a Reply