Azure Information Protection is a cloud-based solution that can be used to classify, label and protect data and e-mails. The nice thing about it is that depending on the implementation, this works without the user's intervention. Rules are automatically applied based on metadata, storage location, template on which a document was created or on the content of the document.
Of course, users can also assign classification manually. A combination of both, whereby proposals are displayed to the user based on administrative specifications, can also be implemented.AIP integrates into the Office Client applications Word, Excel and PowerPoint from version 2010 in the Enterprise or Office ProPlus version. With this integration, files can be classified and protected directly from Office applications. Word, Excel and PowerPoint also display the classification of a file directly:
The AIP Client is used to protect and classify non-Office files. This free software is used to classify and protect e.g. PDF documents and other files. The AIP Viewer is also used to open protected non-Office files. This tool is available free of charge for the iOS, Android, macOS and Windows platforms. Details on supported platforms and Office versions can be found here: https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements-applications
Overview of the features of AIP
The AIP feature essentially works with 2 objects:
- A label is used for classification; e.g. CONFIDENTIAL
- A label can contain encryption, but can also be used for classification purposes only
- The following rights can be assigned during encryption: View, Open, Read (VIEW) | View Rights (VIEWRIGHTSDATA) | Edit Content, Edit (DOCEDIT) | Save (EDIT) | Print (PRINT) | Copy (EXTRACT) | Reply (REPLY) | Reply All (REPLY ALL) | Forward (FORWARD) | Change Rights (EDITRIGHTSDATA) | Save As, Export (EXPORT) | Allow Macros (OBJMODEL) | Full Control (OWNER)
- Policies determine which users/groups have which labels available
- Policies also regulate administrative options such as whether a standard label is assigned
Due to the integration into the Outlook client, labels can also be assigned directly when writing an email. The classification then affects documents that are sent as attachments to the mail and the e-mail itself.
In addition to labels and policies there is another useful function. The "Protect with user-defined permissions" function is used to encrypt files individually and make them available with explicit rights for certain users (including external users). This feature can be used in both the AIP Client and Office integration. The following individual options can be configured per file:
- Displaying user: Display only
- Check: Display, Edit
- Co-author: view, edit, copy, print
- Co-owner: All rights
- Only for me
- User / Group: Users or groups by e-mail address, who should have access with the selected right
- Expiration of the access: Date how long the access for the selected users / groups with the configured right should exist
Details on the individual functions of AIP can be found here: https://azure.microsoft.com/en-us/services/information-protection/
Scenario 1: A user creates a document. The user knows which category the document must be assigned to and is responsible for assigning the corresponding label.
Scenario 2: In addition to scenario 1, automatic classification can be used. To do this, we need to define or create own information types. Microsoft provides standard information types such as credit card number, driver's license number, etc. A complete list of standard information types can be found here: https://support.office.com/en-us/article/what-the-sensitive-information-types-look-for-fd505979-76be-4d9f-b459-abef3fc9e86b?ui=en-US&rs=en-US&ad=US
Scenario 3: Classification Based on location. The AIP scanner, which is part of the AIP client, is used to do this. The scanner can encrypt NTFS shares and SharePoint libraries. Example: all files that are stored in a specific folder or in a specific SharePoint library always get the label "Confidential - Contract". The AIP scanner runs as a service on a Windows server. Using PowerShell and a parameterized call, the scanner then checks and encrypts contents in the defined storage locations with the specified label.
Microsoft Azure Information Protection is available as a standalone solution or as part of the Enterprise Mobility + Security Suite, Microsoft 365 Enterprise and Office 365 E5.
AIP is available in three different versions: AIP for Office 365, AIP P1 and AIP P2 Details on the different versions can be found here: https://azure.microsoft.com/en-us/pricing/details/information-protection/
Only the user who protects content needs a license. External users or users who only consume do not need to be licensed.
AIP, RMS and IRM
Definition and dependencies:
- RMS: The Azure Right Management Service is the basic instance for encryption and rules. Word, Excel, PowerPoint, Outlook and the Office Server SharePoint and Exchange provide native support for Azure Rights Management and provides document and email protection.
- AIP: Azure Information Protection is based on RMS and requires the RMS service in the background. With AIP, files can be individually encrypted and classified. File tracking and detailed reporting show who opened an AIP-protected file, when and from where.
- IRM: Information Rights Management is required to connect RMS to Exchange or SharePoint. If we need to connect the on-prem versions of Exchange or SharePoint or an NTFS file server, an RMS Connector is required. IRM integrates seamlessly into Exchange and SharePoint.
IRM with Exchange and SharePoint:
- To protect an e-mail with the "Do not forward" restriction, the Information Rights Management options for Exchange is required. With IRM in Exchange features like DLP can also be used.
- IRM integration can be used to encrypt files stored in SharePoint. This integration does not offer the flexibility and functionality of AIP. Documents in SharePoint are not encrypted until they are downloaded for example. IRM does not provide an option to classify files and permissions must be assigned by an administrator at the site or library level.
Depending on the detailed scenario, either AIP or IRM can be used. Both functions require the RMS service in the background.Details about RMS, IRM and the limitations with SharePoint are described in this article: https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/office-apps-services-support
- AzureInformation Protection Part I – Overview
- Azure InformationProtection Part II – PowerShell
- AzureInformation Protection Part III – AIP Scanner
- AzureInformation Protection Part V – Advanced features