Monday, 13 August 2018

Azure Information Protection Part V – advanced features & scenarios

Label an Office document by using an existing custom property

This option lets AIP reuse existing metadata values, for example values coming from SharePoint or from another classification solution such as Secure Islands (which was acquired by Microsoft in 2015).
As a result of this, when a document without an Azure Information Protection label is opened and saved by a user, the document is then labeled to match the corresponding property value.
This configuration requires two settings in the advanced client settings section. The first is named SyncPropertyName, which is the custom property name that has been set from the other classification solution, or a property that is set by SharePoint. The second is SyncPropertyState and must be set to OneWay:
  • Key 1: SyncPropertyName
  • Key 1 Value: <property name>
  • Key 2: SyncPropertyState
  • Key 2 Value: OneWay

Each pair of keys and values covers exactly one custom property.
Example:
We have a SharePoint column named Classification. Possible values are: Public, Internal and Confidential. The SyncPropertyName value is then: Classification.
To make this feature work we need labels with the same names (Public, Internal and Confidential) in AIP. Now, when an Office document from this SharePoint library is opened and saved and this document is classified as Public, Internal or Confidential in SharePoint, Azure Information Protection applies the corresponding AIP label. If no label with a corresponding name exists in AIP, the document remains unlabeled.
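Before relying on this mapping it is worth checking which value a document actually carries in its custom property, because Office stores custom properties in docProps/custom.xml inside the file and a value with no label of the same name silently leaves the file unlabeled. The following PowerShell function is an added example and not part of the original post; it assumes a folder C:\Export of Office Open XML files, a property named Classification and the three label names from the example above.

```powershell
# Added example: read a custom document property straight from the OOXML package,
# so you can see which value SyncPropertyName=Classification would pick up.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeCustomProperty {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $PropertyName = 'Classification'   # assumed SyncPropertyName value
    )
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # docProps/custom.xml only exists when at least one custom property was set
        $entry = $zip.GetEntry('docProps/custom.xml')
        if ($null -eq $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$xml = $reader.ReadToEnd() } finally { $reader.Dispose() }
        foreach ($prop in @($xml.Properties.property)) {
            if ($prop.name -eq $PropertyName) {
                # the value sits in a typed child element such as <vt:lpwstr>
                return $prop.FirstChild.InnerText
            }
        }
        return $null
    }
    finally { $zip.Dispose() }
}

# Assumed label names from the example above and an assumed export folder
$aipLabels = 'Public', 'Internal', 'Confidential'
Get-ChildItem -Path 'C:\Export' -Include *.docx, *.xlsx, *.pptx -Recurse |
    ForEach-Object {
        $value = Get-OfficeCustomProperty -Path $_.FullName
        [pscustomobject]@{
            File             = $_.Name
            Classification   = $value
            # files whose value has no label of the same name stay unlabeled after save
            HasMatchingLabel = ($null -ne $value -and $value -in $aipLabels)
        }
    } | Format-Table -AutoSize
```

Rows with HasMatchingLabel set to False are the documents that would stay unlabeled once the OneWay sync runs, so this is the list to clean up (or the list of label names still to create in AIP) before enabling the setting.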


Convert Templates to Labels

When you create a label in AIP, a new custom template is also created under the hood. This template can then be used by services and applications that work with Rights Management templates. The new template is not shown in the Azure Information Protection portal but can be managed by using PowerShell.
If you delete the label, the template still exists and is then shown in the Azure Information Protection portal. There you can convert the template back into a label:
If you change the protection settings in this newly created label, you are changing them in the template, and any user or service that uses this template gets the new protection settings with the next template refresh.


Cloud App Security to auto apply Labels for scenario / location

Microsoft Cloud App Security lets you apply AIP labels as a governance action in a Cloud App Security policy. You can also investigate files by filtering for the applied classification label within Cloud App Security.
Scenarios:
  • Apply classification labels as a governance action to files that match specific policies
  • View all classified files in a central location
  • Perform investigation according to classification level
  • Create policies to make sure classified files are being handled properly

More details:

Encrypting Emails using Exchange Mail Flow Rule

Exchange mail flow rules can be used to apply AIP protection automatically:
The rule references the RMS template that is associated with the AIP label.
A step-by-step guide on how to configure a mail flow rule using an RMS template can be found here: https://blogs.technet.microsoft.com/kemckinn/2018/07/09/encrypting-emails-from-anywhere/
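The same rule can be created from Exchange Online PowerShell, which makes it easier to review and version. The block below is an added example and not code from the original post or the linked guide; it assumes an Exchange Online PowerShell session, a template named Confidential and a rule name and keyword that are placeholders.

```powershell
# Added example (not from the original post): a mail flow rule that applies the
# RMS template behind an AIP label. Assumes an Exchange Online PowerShell session
# and a template named 'Confidential' (assumed name).
$templateName = 'Confidential'

# Templates that Exchange can use; the name must match the template exactly
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) { throw "No RMS template named '$templateName' is visible to Exchange" }

# Protect internal mail whose subject or body carries the classification marker.
# -FromScope InOrganization keeps the rule from acting on inbound external mail.
# Start with -Mode Audit to see what the rule would hit before switching to Enforce.
New-TransportRule -Name 'AIP - protect confidential mail' `
    -FromScope InOrganization `
    -SubjectOrBodyContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate $template.Name `
    -Mode Enforce `
    -Comments 'Applies the RMS template associated with the Confidential AIP label'

# Review every rule that applies protection, including ones created earlier
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Name, State, Priority, ApplyRightsProtectionTemplate
```

Because the rule keys on a keyword, a sender who omits the marker is not protected; combining it with a sensitive information type condition or with the label applied by the Outlook client gives better coverage than the keyword alone.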


Decommissioning and deactivating protection

If AIP is no longer needed you can deactivate it. Make sure that you have a copy of your Azure Information Protection tenant key before you deactivate the Azure Rights Management service, so that you are not locked out of content that was previously protected.
You have the following options to deactivate AIP:
  • PowerShell cmdlet Disable-Aadrm to deactivate Rights Management
  • Deactivate Rights Management from Office 365:
    • Go to the Rights Management page for Office 365 administrators
    • On the Rights Management page click deactivate
  • Deactivate Rights Management from the Azure portal
    • On Azure Information Protection blade => Protection activation blade, select Deactivate

Further details about deactivating AIP: https://docs.microsoft.com/en-us/azure/information-protection/deploy-use/decommission-deactivate
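Before running Disable-Aadrm it helps to record what the tenant looks like, since the templates carry the protection settings that protected content still references. The block below is an added example, not code from the original post; it assumes the AADRM module is installed, that you connect with a tenant administrator account, and a backup folder C:\AIP-Backup. It does not replace the copy of the tenant key the post asks for.

```powershell
# Added example (not from the original post): record the current protection
# configuration and templates, then deactivate. Assumes the AADRM module and an
# assumed backup folder C:\AIP-Backup.
Import-Module AADRM
Connect-AadrmService          # prompts for tenant administrator credentials

$backup = 'C:\AIP-Backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# Keep a copy of the configuration (key IDs, licensing URLs, status) for the record
Get-AadrmConfiguration | Out-File (Join-Path $backup 'AadrmConfiguration.txt')

# Export every template so the protection settings are preserved after deactivation
foreach ($t in Get-AadrmTemplate) {
    Export-AadrmTemplate -TemplateId $t.TemplateId -Path (Join-Path $backup "$($t.TemplateId).xml") -Force
}

# Only deactivate after confirming the service is currently enabled
if ((Get-Aadrm) -eq 'Enabled') {
    Disable-Aadrm -Force
}
Get-Aadrm   # reports the activation state after the change
```

Keep the backup folder under the same access controls as the tenant key material: the exported templates describe who may open which content and are part of the recovery story if protection has to be reactivated later.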




Wednesday, 8 August 2018

Summary about Modern Team Sites, Communication Sites & Hub Sites


Modern Team Sites, Communication Sites & Hub Sites

Modern Team Sites, Communication Sites & Hub Sites are available in SharePoint Online and SharePoint 2019. A modern Site is created from the SharePoint Home App:

Common Stuff

In modern Sites we have a bunch of new Webparts:

One of the first questions is whether to use a modern Team Site or a Communication Site. In the end it is all about the focus of the site and its use case. Susan Hanley provides a brilliant overview and matrix to find out what is best for your scenario:
In addition, Mark Kashman also provides a good overview picture of modern Team Sites and Communication Sites:

Modern Team Site

About Modern Team Site:
  • Focus: Connect, Collaborate, Create
  • Connected to O365 Groups: Creates group email address
  • Privacy settings: Private by default and can be changed to public


In modern Sites we have a so-called “New” dropdown to easily create new objects:
It is also very easy to modify the Quick Launch Navigation based on the modern canvas:

A new feature of modern Team Sites is the Site Info Hover Panel. You can open this panel by hovering over the site name:

The panel gives you an overview of the site and direct links to the associated resources like the Planner, the group calendar etc.


Communication Site

About Communication Sites:
  • Focus: Showcase, Share Services, Story (broadcast information)
  • Three different types of Communication Site are available out-of-the-box:
    • Topic: Designed to present large amounts of information such as news, events and other content
    • Showcase: Designed to showcase a product, team, or event using images
    • Blank: Start from scratch


Modern Sites Pros and Cons

Pro:
  • Easy to use
  • Modern canvas
  • Modern branding & responsive design
  • Modern Web Parts
  • Easy to use/configure web parts
  • Connected to a Group
  • Extend using the SharePoint Framework

Contra:
  • Only created as a site collection and no modern sub-sites available
  • No variations until now
  • No extensibility for modern search until now
  • Not all Lists, Libraries and website types have a modern design already (Blogs, Tasks, Calendars, Discussions)
Complete list and further details: http://www.sharepointtalk.net/2018/08/things-to-think-about-when-moving-from.html


Things to think about when moving from classic to modern SharePoint Site
Moving from classic SharePoint Online Sites or from SharePoint on-prem Sites to modern Sites sounds easy but can get tricky. There are several pros and cons to weigh when you come from classic Sites and now plan to use modern Sites. The following table shows the pros and cons and the topics you have to think about when planning a migration:


Hub Sites

Common info about Hub Sites:
  • Linked sites
  • Consistent branding across all sites
  • Top navigation
  • Search within the hub site will also search all linked sites.
  • Aggregate news from linked sites. This can take 5–15 minutes.
  • Flexibly attach and detach a site from a hub
  • A site can only be associated with one hub site.
  • Hubs can’t be nested
  • Limited to 50 hub sites
  • Association with a hub does not change the permissions on a site


Webparts for Hub Sites:
  • News roll-up: News published on a hub site and on any associated sites is automatically aggregated and shown on the home page of the hub site.
  • Associated sites: Display the most active sites associated with the hub site.
  • Highlighted content: Use the Highlighted content web part to dynamically display content from sites associated with the hub.


Admin Stuff

Manage site creation in SharePoint Online Admin:


Subsite Creation in SharePoint Online Admin:

Office 365 Groups Connection Setting in SharePoint Online Admin:

To allow only specific users to create groups, set the GroupCreationAllowedGroupId value with PowerShell or change the setting in Azure AD
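GroupCreationAllowedGroupId is a value inside the tenant-wide Group.Unified directory setting rather than a cmdlet of its own, so the setting object has to be created from its template the first time. The block below is an added example and not from the original post; it assumes the AzureADPreview module and an existing security group named Group Creators (assumed name).

```powershell
# Added example (not from the original post): restrict Office 365 Group creation to
# members of one security group. Assumes the AzureADPreview module and an existing
# security group named 'Group Creators' (assumed name).
Import-Module AzureADPreview
Connect-AzureAD

$allowedGroup = Get-AzureADGroup -SearchString 'Group Creators' | Select-Object -First 1
if (-not $allowedGroup) { throw 'Create the security group first' }

# The setting lives in the tenant-wide Group.Unified directory setting
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    # First use: instantiate the setting object from its template, then fetch it back
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

$setting['EnableGroupCreation']         = 'false'                  # everyone else is blocked
$setting['GroupCreationAllowedGroupId'] = $allowedGroup.ObjectId   # except members of this group
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Verify the stored values
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values
```

Because every group-connected modern Team Site creates an Office 365 Group (with its own mailbox, files and external sharing surface), this single setting is what actually governs who can spin up new collaboration spaces in the tenant; the SharePoint admin setting shown above only controls the SharePoint side.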

Connect to a new office 365 group:
Ability to connect existing SharePoint team sites to Office 365 Groups is coming later this year


Branding SharePoint Modern Sites

Out-of-the-box themes, configuration options and custom site themes:
  • The following predefined themes are available by default: Blue, Orange, Red, Purple, Green, Gray, Dark Yellow, Dark Blue
  • Each theme can be customized by selecting “Customize theme”
  • Custom themes can be created and uploaded. To create a custom theme an online theme generator tool is available: https://developer.microsoft.com/en-us/fabric#/styles/themegenerator
  • Classic themes can still be used by choosing the link under the modern themes listed.
    • Because the modern SharePoint UI differs from the classic UI, however, some limitations apply when you use classic themes with modern pages.

Themes are defined in a JSON schema that stores color settings and related metadata for each theme. These capabilities are available to administrators via PowerShell cmdlets, and to developers via the SharePoint client-side object model (CSOM) or the SharePoint REST API.
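Registering a custom theme for the whole tenant is done with the SharePoint Online Management Shell. The block below is an added example and not from the original post; it assumes an admin URL of https://contoso-admin.sharepoint.com, a theme name Contoso Blue and placeholder colour values where the output of the theme generator would normally be pasted.

```powershell
# Added example (not from the original post): register a custom theme from a palette
# produced by the theme generator. Tenant URL, theme name and colours are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # assumed tenant

# Paste the "PowerShell" output of the theme generator here (placeholder colours)
$palette = @{
    themePrimary    = '#005a9e'
    themeDarker     = '#002e50'
    themeDark       = '#003e6c'
    themeDarkAlt    = '#004b83'
    themeSecondary  = '#1a6cad'
    themeTertiary   = '#5a9bd4'
    themeLight      = '#a3cbeb'
    themeLighter    = '#cfe4f5'
    themeLighterAlt = '#f3f9fd'
    neutralPrimary  = '#333333'
    neutralDark     = '#212121'
    neutralLighter  = '#f4f4f4'
    white           = '#ffffff'
    black           = '#000000'
}

# -IsInverted $true marks a dark theme; -Overwrite replaces a theme of the same name
Add-SPOTheme -Identity 'Contoso Blue' -Palette $palette -IsInverted $false -Overwrite

# Tenant-wide list of registered custom themes
Get-SPOTheme | Select-Object Name, IsInverted
```

Site owners pick the theme from the Change the look panel afterwards; the palette stays under admin control, which is what keeps branding consistent across hub-associated sites.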


PNP Starter Kit & Fantastic 40 Web Parts

What is the SharePoint Starter Kit:
  • SharePoint Starter Kit demonstrates how you can extend modern sites.
  • Currently included in the package:
    • Tenant level provisioning logic using PnP Provisioning Engine
    • 3 site collections. One assigned to be a hub site and two associated to the hub site automatically from the provisioning script
    • Contoso Site Designs for group associated team site and communication site
    • 17 client-side web parts demonstrating different capabilities
    • 7 SharePoint Framework extensions
    • Sample LOB service to be hosted in Azure
    • Sample content on the portal to demonstrate news and article capabilities
Source and further details: https://github.com/SharePoint/sp-starter-kit

What is the Fantastic 40 Web Parts:
It is a sample kit of 40 web parts, for example visual web parts such as carousels, image galleries, custom editors, polls, charts, maps, animations, etc. These web parts are free and open source. The web parts are available in English, French, Spanish and German. IMPORTANT NOTE: These web parts are not officially supported by Microsoft.

Monday, 6 August 2018

Things to think about when moving from classic to modern SharePoint Site


Moving from classic SharePoint Online Sites or from SharePoint on-prem Sites to modern Sites sounds easy but can get tricky. There are several pros and cons to weigh when you come from classic Sites and now plan to use modern Sites. Also, some features that we know from classic sites are no longer available in modern Sites. In addition, some features we have in SharePoint on-prem are deprecated in SharePoint Online. This is also a topic to think about when planning a migration.
The following two tables show the pros and cons and the topics you have to think about when planning a migration:

Pros and Cons about modern Sites focusing a migration scenario

Mapping of deprecated / new features and functions


Tuesday, 31 July 2018

A quick guide to secure Office 365


“A quick guide to secure Office 365” is a whitepaper based on simple tiers like Default, Medium, High and Very High. The matrix shows the usability impact and the licenses needed to set up the different scenarios.
You get a clear overview of the options and the impact of each scenario. In addition, the whitepaper gives you an overview of Microsoft technologies and features to secure your Office 365 tenant. Covered technologies are Office 365 Secure Score, Cloud App Security, Intune & Office 365 MDM, Azure AD Premium features, Office 365 Advanced Threat Protection & Office 365 Threat Intelligence and the Security & Compliance Reports.

Download a free copy of A quick guide to secure Office 365

A quick guide to secure Office 365 is a whitepaper built on simple tiers: Standard, Medium, High and Very High. The matrix shows the impact on usability and the licenses needed to implement the different scenarios.
You get a clear overview of the options and the impact of each scenario. In addition, the whitepaper gives you an overview of the Microsoft technologies and features available to secure your Office 365 tenant. In detail it describes Office 365 Secure Score, Cloud App Security, Intune & Office 365 MDM, Azure AD Premium features, Office 365 Advanced Threat Protection & Office 365 Threat Intelligence and the Security & Compliance Reports.

Download a free copy of A quick guide to secure Office 365.

Thursday, 19 July 2018

Azure Information Protection Part IV - Work with AIP

Azure Information Protection is a cloud-based solution that can be used to classify, label and protect data and e-mails. The nice thing about it is that depending on the implementation, this works without the user's intervention. Rules are automatically applied based on metadata, storage location, template on which a document was created or on the content of the document.
Of course, users can also assign classification manually. A combination of both, whereby proposals are displayed to the user based on administrative specifications, can also be implemented.
AIP integrates into the Office Client applications Word, Excel and PowerPoint from version 2010 in the Enterprise or Office ProPlus version. With this integration, files can be classified and protected directly from Office applications. Word, Excel and PowerPoint also display the classification of a file directly:
The AIP Client is used to protect and classify non-Office files. This free software is used to classify and protect e.g. PDF documents and other files. The AIP Viewer is also used to open protected non-Office files. This tool is available free of charge for the iOS, Android, macOS and Windows platforms. Details on supported platforms and Office versions can be found here: https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements-applications  

Overview of the features of AIP

The AIP feature essentially works with two objects:
Labels:
  • A label is used for classification; e.g. CONFIDENTIAL
  • A label can contain encryption, but can also be used for classification purposes only
  • The following rights can be assigned during encryption: View, Open, Read (VIEW) | View Rights (VIEWRIGHTSDATA) | Edit Content, Edit (DOCEDIT) | Save (EDIT) | Print (PRINT) | Copy (EXTRACT) | Reply (REPLY) | Reply All (REPLY ALL) | Forward (FORWARD) | Change Rights (EDITRIGHTSDATA) | Save As, Export (EXPORT) | Allow Macros (OBJMODEL) | Full Control (OWNER)

Policies:
  • Policies determine which users/groups have which labels available
  • Policies also regulate administrative options such as whether a standard label is assigned

Due to the integration into the Outlook client, labels can also be assigned directly when writing an email. The classification then affects documents that are sent as attachments to the mail and the e-mail itself.

In addition to labels and policies there is another useful function. The "Protect with user-defined permissions" function is used to encrypt files individually and make them available with explicit rights for certain users (including external users). This feature can be used in both the AIP Client and Office integration. The following individual options can be configured per file:
  • Viewer: view only
  • Reviewer: view, edit
  • Co-author: view, edit, copy, print
  • Co-owner: All rights
  • Only for me
  • User / Group: Users or groups by e-mail address, who should have access with the selected right
  • Expiration of the access: Date how long the access for the selected users / groups with the configured right should exist

Details on the individual functions of AIP can be found here: https://azure.microsoft.com/en-us/services/information-protection/

Typical scenarios

Scenario 1: A user creates a document. The user knows which category the document must be assigned to and is responsible for assigning the corresponding label.

Scenario 2: In addition to scenario 1, automatic classification can be used. To do this, we need to define or create own information types. Microsoft provides standard information types such as credit card number, driver's license number, etc. A complete list of standard information types can be found here: https://support.office.com/en-us/article/what-the-sensitive-information-types-look-for-fd505979-76be-4d9f-b459-abef3fc9e86b?ui=en-US&rs=en-US&ad=US

Scenario 3: Classification Based on location. The AIP scanner, which is part of the AIP client, is used to do this. The scanner can encrypt NTFS shares and SharePoint libraries. Example: all files that are stored in a specific folder or in a specific SharePoint library always get the label "Confidential - Contract". The AIP scanner runs as a service on a Windows server. Using PowerShell and a parameterized call, the scanner then checks and encrypts contents in the defined storage locations with the specified label.

Licensing

Microsoft Azure Information Protection is available as a standalone solution or as part of the Enterprise Mobility + Security Suite, Microsoft 365 Enterprise and Office 365 E5.
AIP is available in three different versions: AIP for Office 365, AIP P1 and AIP P2. Details on the different versions can be found here: https://azure.microsoft.com/en-us/pricing/details/information-protection/
Only the user who protects content needs a license. External users or users who only consume do not need to be licensed.

AIP, RMS and IRM

Definition and dependencies:
  • RMS: The Azure Rights Management service is the basic instance for encryption and rules. Word, Excel, PowerPoint, Outlook and the Office servers SharePoint and Exchange provide native support for Azure Rights Management and provide document and email protection.
  • AIP: Azure Information Protection is based on RMS and requires the RMS service in the background. With AIP, files can be individually encrypted and classified. File tracking and detailed reporting show who opened an AIP-protected file, when and from where.
  • IRM: Information Rights Management is required to connect RMS to Exchange or SharePoint. If we need to connect the on-prem versions of Exchange or SharePoint or an NTFS file server, an RMS Connector is required. IRM integrates seamlessly into Exchange and SharePoint.

IRM with Exchange and SharePoint:
  • To protect an e-mail with the "Do not forward" restriction, the Information Rights Management option for Exchange is required. With IRM in Exchange, features like DLP can also be used.
  • IRM integration can be used to encrypt files stored in SharePoint. This integration does not offer the flexibility and functionality of AIP. Documents in SharePoint are not encrypted until they are downloaded for example. IRM does not provide an option to classify files and permissions must be assigned by an administrator at the site or library level.

Depending on the detailed scenario, either AIP or IRM can be used. Both functions require the RMS service in the background.
Details about RMS, IRM and the limitations with SharePoint are described in this article: https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/office-apps-services-support




Tuesday, 3 July 2018

Me and the Microsoft Awards

The Microsoft MVP Award is given on a yearly basis to people who are engaged in technology and community. MVPs are independent from Microsoft but they play an important role in explaining and improving the use of Microsoft products and technologies. In 1993 Microsoft introduced the MVP Award. It all started with about 30 people. Today there are more than 3000 MVPs worldwide. You can get more details about the MVP Award here: https://mvp.microsoft.com/

Since 2013 I am an MVP. I started as an MVP for SharePoint and since the last reorganization I am an MVP for Office Server and Services. Being an MVP means meeting great people all over the world in the community who share the same passion for technology and helping others. You cannot buy the MVP award or download braindumps to get it. You get it by working hard and earning the respect of the community and Microsoft.

Since 2018 I am a Microsoft Regional Director, too. The program was also established in 1993 and has about 150 people worldwide. Neither an MVP nor a Regional Director is a Microsoft employee. The difference between the MVP and Regional Director program is that the MVP program is more focused on communities - Regional Directors are more focused on evangelizing the business. Of course, there are more differences in detail. But from my perspective this is one of the most significant. For more details about the Regional Director Program see this page: https://rd.microsoft.com

Both awards also have something in common. Both focus on giving value to others and on keeping up the discussion about current and future innovations together with Microsoft.

Therefore, I love being an MVP & RD.

Best
Nicki

Wednesday, 27 June 2018

What is the Microsoft 365 license package?

From Office 365 to Microsoft 365

As if the topic of licensing in the Microsoft environment is not complex enough, we will now have a license package called Microsoft 365. Microsoft 365 was announced last year at the partner conference in July 2017. The first two versions (Business and Enterprise) were available from the beginning of August 2017.
"A complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely." With this claim Microsoft advertises the license package. But what exactly is behind it and why is it interesting for customers?
Microsoft 365 is the logical continuation of the license package SPE (Secure Productive Enterprise). SPE includes Office 365, Windows 10, Enterprise Mobility + Security and on-prem licenses for SharePoint, Exchange and Skype for Business Server. This provides customers in a transition phase or hybrid model with an optimized license package for security and compliance, Office 365 licensing, Windows licensing and on-prem Office Server licenses. Microsoft 365 now offers this combination for customers who already work completely in the cloud with their processes and solutions.

Okay, and why should I care as a customer?

Not only because of GDPR, data protection and data security are very topical these days. Many Office 365 projects have seen the light of day focusing on functionality, IT and architectural aspects. In the course of the project, the works council, the data protection officer or IT security usually came to the conclusion that a building block was still missing. Since everyone can now access company data from anywhere and with any end device, compliance and security aspects must also be addressed. The functions and features to implement such requirements are of course available with Microsoft services such as Intune, Cloud App Security or the Azure AD Premium features. However, it quickly becomes clear that these features are not included in a standard Office 365 E1 or F1 license.
The "Wannacry" attack is still in all our memories. This attack on Windows operating systems has not least sharpened the awareness of how important it is to install current Windows patches and to have an up-to-date virus scanner. To address scenarios like this Windows Defender Advanced Threat Protection as part of Windows 10 Enterprise or for example Microsoft Advanced Threat Analytics are also included in Microsoft 365, depending on the license package.
From a business perspective, Microsoft 365 covers the following scenarios (depending on licensing details):
  • Identity and access control
  • Manage mobile devices and apps
  • Protect and encrypt data
  • Protection against cyber attacks
  • Office 365 licensing (SharePoint, Exchange, Skype for Business, Microsoft Teams, Yammer, etc.)
  • Windows 10 Licensing

From a technical point of view, the following products and functions (depending on licensing details) are part of M365:
  • Azure Active Directory (AD) Premium
  • Cloud App Security
  • Microsoft Intune
  • Azure Information Protection
  • Microsoft Advanced Threat Analytics
  • Windows Defender Advanced Threat Protection
  • Windows 10
  • Office 365 Licensing

What do I need to know to use Microsoft 365?

The license package Microsoft 365 is available in different versions. The functions listed above depend in detail on the respective license level. The following table gives an overview:

  • Microsoft 365 Enterprise is suitable for companies with approximately 300 employees or more. This version is available in E3 or E5 and includes Office 365, Windows 10 Enterprise and the EMS features.
  • Microsoft 365 Business is suitable for small and medium-sized businesses. Windows 10 Pro, Office 365 and the EMS functions are included.
  • Microsoft 365 F1 focuses on firstline workers. This version includes Windows 10 Enterprise, Office 365 F1 and EMS.
  • Microsoft 365 Education is intended for schools and universities and is available in A1, AE and A5 versions.
More details can be found on the official Microsoft 365 page, and all products that are part of Microsoft 365 can still be licensed separately.

What will change with the use of Microsoft 365?

Traditionally, even in medium-sized companies a split into Exchange team, AD team, SharePoint team, client & server team, etc. is normal. With Office 365 all departments have to work much more closely together. If the extended functions of Microsoft 365 are now added, close coordination with the IT security department, the data protection officer and the works council must be added as well.
In addition, as part of the IT strategy, this new Microsoft 365 team within the company IT department must now have knowledge of all the products involved. The Microsoft 365 team needs to know about Intune, Cloud App Security, Windows Defender etc. and their dependencies, interfaces and interaction options. Education and training are a must.

And what do I need to know as a developer?

At first glance, Microsoft 365 seems to be only for the license manager and the IT administrator. That would be too narrow a view. Microsoft gave an outlook on the Graph API roadmap at the Build conference in May 2018. It can be deduced from this that the services involved in Microsoft 365 will also be integrated in this API in the future. Already today, the common API for online services such as Exchange, SharePoint, Office 365 Groups and Teams plays an important role for developers. The Microsoft Graph API will become the central endpoint for all cloud services.

Friday, 15 June 2018

Azure Information Protection Part III – AIP Scanner

The AIP Scanner is part of the AIP Client download. After you have downloaded and installed the AIP Client you can start the installation and configuration. But before we start the installation let’s have a look at some requirements:
  • A Windows Server 2012 R2 or 2016 Server to run the service (For test and demo you can install it on a Win10 machine)
  • A SQL Server 2012+ local or remote instance (Any version from Express or better is supported)
  • Sysadmin role needed to install scanner service
  • Service requires Log on locally right and Log on as a service right
  • AIP Scanner is an AIP Premium P2/EMS E5 feature; for more details review this article: https://azure.microsoft.com/en-us/pricing/details/information-protection/

A really good step-by-step description of how to install and configure the AIP Scanner was written by Kevin McKinnerney and can be found here: https://blogs.technet.microsoft.com/kemckinn/2018/03/23/easy-configuration-of-the-azure-information-protection-scanner/

As you see in Kevin's step-by-step guide, the scanner runs as a service and uses app authentication to connect to the AIP service, so no interactive user sign-in is needed to run the scanner.
The scanner has two main configurations which we need to configure using PowerShell:
  • Add-AIPScannerRepository or Set-AIPScannerRepository -> it is about the locations and the conditions for this location
  • Set-AIPScannerConfiguration -> it is about what the scanner should do during the scan

Add-AIPScannerRepository

This cmdlet adds a so called data repository to be scanned and creates a profile of settings. For example, you can specify a default label for unlabeled files, and whether to override an existing label or not. We can specify local folders, UNC paths, and SharePoint Server URLs for SharePoint sites and libraries. The scanner can handle more than one data repository. So you can configure a mix of local folders, UNC paths and SharePoint Server URLs with different setting covered by one AIP Scanner installation.
To change these settings we can use the Set-AIPScannerRepository cmdlet. To remove a data repository use the Remove-AIPScannerRepository cmdlet.
Example:
Set-AIPScannerRepository -Path C:\Temp2 -SetDefaultLabel UsePolicyDefault -MatchPolicy On

To review the settings, we can use Get-AIPScannerRepository. As you can see in my example I have configured two repositories with different settings:


Set-AIPScannerConfiguration

Set-AIPScannerConfiguration cmdlet is used to configure settings for the AIP Scanner. These settings include:
  • Discovery mode only, or apply labels
  • File will be relabeled YES or NO
  • File attributes are changed YES or NO
  • What is logged in the reports
  • Scanner runs once or continuously
  • Justification message used when required
  • Rights Management owner for protected files

Example:
Set-AIPScannerConfiguration -Enforce On -Schedule OneTime -Type Full -DiscoverInformationTypes All

Set-AIPScannerScannedFileTypes


This cmdlet is used to let the scanner know which files types should be scanned.

The cmdlet sets a list of file types to scan or exclude from scanning. To scan all file types, use *. To scan only specific file types use *.<file name extension>. To exclude specific file types from being scanned use -*.<file name extension>. And to reset the list back to default use @().



If no data repository is specified the setup applies to all data repositories that do not have their own list specified.
To get more examples and details review the official documentation: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipscannerscannedfiletypes?view=azureipps
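The following block is an added example and not from the original post; it shows the three forms the paragraph above describes (include, exclude, reset) with an assumed repository path \\fileserver\Contracts.

```powershell
# Added example (not from the original post): control which file types the scanner
# opens. Repository path is assumed.

# Default for every repository without its own list: Office documents and PDFs only
Set-AIPScannerScannedFileTypes -ScannedFileTypes '*.docx','*.xlsx','*.pptx','*.pdf'

# One share keeps scanning everything but skips temporary and lock files
Set-AIPScannerScannedFileTypes -Repository '\\fileserver\Contracts' -ScannedFileTypes '-*.tmp','-*.lock'

# Put the Contracts share back to the built-in defaults
Set-AIPScannerScannedFileTypes -Repository '\\fileserver\Contracts' -ScannedFileTypes @()

# Check the effective configuration per repository
Get-AIPScannerRepository

# The service picks up the configuration when it starts, so restart it after changes
Restart-Service AIPScanner
```

Narrowing the list reduces scan time on large shares, but an include list also means anything outside it (archives, renamed extensions) is never inspected for sensitive information types, so the exclude form is the safer default for discovery runs.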

Scenarios

The scanner can typically be used for the following scenarios. Reports are stored in this location: %localappdata%\Microsoft\MSIP\Scanner\Reports

Scan for sensitive information types
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2

#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce Off -Schedule OneTime  -Type Full -DiscoverInformationTypes All

#Start Scan
Start-Service AIPScanner

Label / Protect files
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -DefaultLabelId ae7eaeb0-cfdf-4217-a895-32a6b41311d9 -MatchPolicy Off

#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce On -Schedule OneTime -ReportLevel Debug -Type Full

#Start Scan
Start-Service AIPScanner

Scan for sensitive information types and labels and protect files that match
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -MatchPolicy On

#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce On -Schedule OneTime  -Type Full -DiscoverInformationTypes All

#Start Scan
Start-Service AIPScanner


Monday, 21 May 2018

Azure Information Protection Part II – PowerShell


This article is an overview of the functions and scenarios for using PowerShell in the context of Azure Information Protection. Everything in this article is based on the official Microsoft documentation.
Microsoft published a brilliant Admin Guide about using PowerShell with Azure Information Protection containing all details and scenarios: Admin Guide: Using PowerShell with the Azure Information Protection client.

Overview

In Azure Information Protection we can use PowerShell to:
  • Administering Azure Information Protection
  • Configuration for the super user feature
  • Using Azure Information Protection
  • Work with the AIP Scanner

Azure Information Protection uses two PowerShell modules.
  • AADRM: These cmdlets are used to administer the protection service (Azure Rights Management) for Azure Information Protection.
  • AzureInformationProtection: These cmdlets are used to protect files, label files, and get information about files.

First step is to install the AADRM PowerShell module. To do this open PowerShell and use: Install-Module -Name AADRM. For more details and requirements about how to install AADRM PowerShell modules read this article: Installing the AADRM PowerShell module
To get an overview of all cmdlets use: Get-Command -Module AADRM or look at this list: Cmdlets grouped by administration task
The AzureInformationProtection cmdlets are part of the Azure Information Protection client. These cmdlets can be used with Azure Information Protection, the protection service (Azure Rights Management), and Active Directory Rights Management Services (AD RMS).
To get an overview of all cmdlets use: Get-Command -Module AzureInformationProtection

Main scenarios and some examples

We can use PowerShell for AIP for classification and protection. Let’s have a deeper look on some typical scenarios:

Scenario 1: remove protection from files for others using your own account

In this scenario we need PowerShell to configure the “super user feature”. In addition, we need to configure your account to be a super user for Azure Rights Management. To enable the super user feature, use the PowerShell cmdlet Enable-AadrmSuperUserFeature. To assign a user or a group we can use the Add-AadrmSuperUser cmdlet.

To get a complete overview about the super user feature in AIP refer to this official article: Configuring super users for Azure Rights Management and discovery services or data recovery
The super user feature is also needed to index mailboxes for search operations, and DLP solutions, CEG or anti-malware products can use the super user to inspect files that are protected by AIP.
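Since a super user can open every document the tenant has ever protected, the feature deserves the same handling as any other break-glass privilege: grant it through a group, audit who holds it, and turn it off again when the job is done. The block below is an added example and not from the original post; it assumes an AADRM session and an assumed mail-enabled group aip-superusers@contoso.com.

```powershell
# Added example (not from the original post): enable super users via a group,
# audit who holds the right, and switch the feature off again. Assumes an AADRM
# session and an assumed mail-enabled group aip-superusers@contoso.com.
Import-Module AADRM
Connect-AadrmService

# Prefer one group over individual accounts: membership is then managed and reviewed in Azure AD
Set-AadrmSuperUserGroup -GroupEmailAddress 'aip-superusers@contoso.com'
Enable-AadrmSuperUserFeature

# Audit: feature state, the designated group and any individually added super users
Get-AadrmSuperUserFeature
Get-AadrmSuperUserGroup
Get-AadrmSuperUser

# ... run the recovery or indexing job here ...

# Keep the feature on only while it is needed, then capture the admin log for the record
Disable-AadrmSuperUserFeature
Get-AadrmAdminLog -Path 'C:\AIP-Backup\AdminLog.log'   # assumed output path
```

Individual entries returned by Get-AadrmSuperUser are the ones most often forgotten after a one-off recovery; removing them with Remove-AadrmSuperUser and relying on the group keeps the audit trail in one place.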


Scenario 2: protect or unprotect files without user interaction

First step in this scenario is to connect to Azure Rights Management Service by using this cmdlet: Connect-AadrmService. To login enter your Azure Information Protection tenant administrator credentials.
To get an overview of the Azure RMS instance and to verify that the login was successful use: Get-AadrmConfiguration. The result will look something like this:
In the next step we will use PowerShell to get a list of all available Labels using this cmdlet: Get-RMSTemplate. In my example it looks like this:
Now we can do several things:
  • Protect a file: Protect-RMSFile -File C:\Test.docx -InPlace -TemplateId e6ee3481-26b9-45g5-b33a-f774escd43b0
  • Protect all files in a folder: Protect-RMSFile -Folder \\ServerABC\Docs -InPlace -TemplateId e6ee3481-26b9-45g5-b33a-f774escd43b0
  • Get the status of a file: Get-RMSFileStatus -File \\Server1\Documents\TestABC.docx
  • Remove protection: Unprotect-RMSFile C:\testDoc1.docx -InPlace
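For an unattended job the pieces above fit together as a small loop: pick the template by name instead of pasting its ID, skip files that are already protected, and keep a log of what was changed. The block below is an added example, not from the original post; the share path, the template name Confidential and the log path are assumed.

```powershell
# Added example (not from the original post): protect every unprotected Office/PDF
# file under a share with a template chosen by name, and log the result.
# Share path, template name and log path are assumed.
Import-Module AzureInformationProtection

$templateName = 'Confidential'
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) { throw "Template '$templateName' not found; run Get-RMSTemplate to list the names" }

$files = Get-ChildItem -Path '\\ServerABC\Docs' -Include *.docx, *.xlsx, *.pptx, *.pdf -Recurse
$results = foreach ($file in $files) {
    $status = Get-RMSFileStatus -File $file.FullName
    if ($status.Status -eq 'Protected') {
        # Leave already protected files alone: re-protecting would change owner and rights
        [pscustomobject]@{ File = $file.FullName; Action = 'Skipped'; Template = $null }
        continue
    }
    Protect-RMSFile -File $file.FullName -InPlace -TemplateId $template.TemplateId | Out-Null
    [pscustomobject]@{ File = $file.FullName; Action = 'Protected'; Template = $template.Name }
}

$results | Export-Csv -Path 'C:\AIP-Backup\protect-log.csv' -NoTypeInformation
$results | Group-Object Action | Select-Object Name, Count
```

The account running this becomes the Rights Management owner of every file it protects, so run it under a dedicated service identity rather than a personal admin account, and keep the CSV: it is the record you need if a file has to be unprotected later with the super user feature from scenario 1.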

