Azure Information Protection – part one

Posted by

We live in a world where information is readily available and can be shared with a simply press of a button. Protecting intellectual property (especially unstructured information like documents and emails) in this modern world is getting harder and harder for organizations. There are stories abound of employees simply copying files to an USB-stick or storing them on a personal web storage platform (Dropbox, OneDrive, you name them) or attaching documents to an email and mailing it to a personal account.

Or what about the details of the Dutch “State of the union” speech, which always are delivered on the 3rd Tuesday in September. These details are provided to members of parliament at the last minute, with strict orders not to disclose them. But not to worry, because it’s become a Dutch tradition that at least one week beforehand most of these details are published by Dutch journalists.

So it should not come as any surprise that data leakage prevention and dealing with sensitive information is very important to many enterprises. Microsoft is investing heavily in technologies to support prevention and protection. In earlier posts  I covered the aspects of Data Loss Prevention in Office 365. Now it’s time to take a closer look at a new (and as yet preview) offering of Microsoft: Azure Information Protection (or AIP for short).

This blog is part of a two-part series. This part describes the functionality of AIP. The second part will detail how AIP is managed and how it works with Rights Management Service (RMS).

From the user’s perspective

Our user has Office 2016 with the AIP add-in installed. She opens Word to start on a new document. Using her user-account, she’s signed into Office 365 (Azure AD). If single sign-in has not been enabled, our user is prompted to sign-in to RMS.

After sign-in, the AIP add-in will retrieve the relevant labels.


Labelling information

Because she’s working on a company internal document, she selects the label Internal. Based on this label, AIP will apply a policy to the document. For example, a document header is placed on the document and a rights management policy is applied.


Seeing the document header, our user decided to downgrade the document to the Public label. This is possible, but she will need to enter a reason to do so.


On the Info page of the document, she will see information on the policy.


In the end, our user decides to just remove the label all-together. Who bothers with information labelling anyway? See can do this by simply clicking the recycle-bin icon. The sensitivity level will be changed to “Not set”.


Unfortunately for her, the document cannot be saved without a label set as this is mandatory. So before saving, Office will prompt the user to choose a label.


In another scenario, our users has accidentally enters some Social Security numbers within an Excel spread sheet. When working on the document, AIP detects this sensitive information. It prompts the user to change the label. If necessary, the IT management department can adjust the label and have the document labelled correctly and automatically.


Sharing information with AIP

Our user is done with the document and wants to share it with several co-workers. She’s not working from SharePoint Online, so she adds the document as an attachment to an Outlook email.

The AIP add-in also works in Outlook. Our user selects the relevant label and all attachments with support rights management will be protected.

Now comes the tricky bit. The AIP add-in only uses the AIP labels. It will not restrict access to the attachments if the label does not require it to do so. To be able to share documents and restrict actions or access to this document, our user will need the Microsoft RMS client.

Or, put simply.

The secure way of working:

  • Our user sends a document using Outlook and uses the label “Secret”;
  • This label contains a RMS policy;
  • The document is send to a co-worker, who also has the AIP add-in;
  • The document can be opened;
  • Our co-worker forwards the e-mail to a Gmail account;
  • An external party opens the e-mail;
  • The document cannot be opened or previewed.


The less-secure way of working:

  • Our user sends a document using Outlook and uses the label “Internal”;
  • This label does not contain a RMS policy;
  • The document is send to a co-worker, who also has the AIP add-in;
  • The document can be opened;
  • Our co-worker forwards the e-mail to a Gmail account;
  • An external party opens the e-mail;
  • The document can be opened or previewed (and note the footer – based on the label).


Sharing information with RMS

In order to ensure that documents are protected (encrypted) using AIP, AIP needs Azure Rights Management (RMS). AIP and RMS are complimentary to each other, but are still separate functions. Where AIP is used to label documents, RMS is designed to protect them by using encryption. This is not just to make them harder to open; it is also to provide content expiration (for example).

RMS has its own add-in (Share Protected), which works in Office, Windows Explorer and is also available as mobile app. I won’t cover this in here. The AIP add-in uses some of the functions of this RMS add-in. “

When the document has been send using Outlook, it has been added to the track & trace portal. Our user uses this portal to track the document. She notices that the document has been opened multiple times, on different continents, by the same user-id. So she decides to revoke the access.

One of the contacts of our user does not have an account associated with Microsoft RMS. The document can therefore not be opened. In that case, the contact receives a notification from Microsoft and the possibility to create a free RMS account.

In the end

The AIP add-in provides a very easy and understandable way for users to classify information. When a RMS policy is attached, this awareness is also transformed into information protection actions. The AIP platform is still in preview and I believe Microsoft has some backlog items to solve.

For example: how will the AIP and RMS Share Protected clients work together? Or will IT management be notified when users continuously downgrade the labels or even remove them?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s