Azure Information Protection – part two

Posted by

We live in a world where information is readily available and can be shared with a simply press of a button. Protecting intellectual property (especially unstructured information like documents and emails) in this modern world is getting harder and harder for organizations. There are stories abound of employees simply copying files to an USB-stick or storing them on a personal web storage platform (Dropbox, OneDrive, you name them) or attaching documents to an email and mailing it to a personal account.

Or what about the details of the Dutch “State of the union” speech, which always are delivered on the 3rd Tuesday in September. These details are provided to members of parliament at the last minute, with strict orders not to disclose them. But not to worry, because it’s become a Dutch tradition that at least one week beforehand most of these details are published by Dutch journalists.

So it should not come as any surprise that data leakage prevention and dealing with sensitive information is very important to many enterprises. Microsoft is investing heavily in technologies to support prevention and protection. In earlier posts  I covered the aspects of Data Loss Prevention in Office 365. Now it’s time to take a closer look at a new (and as yet preview) offering of Microsoft: Azure Information Protection.

This blog is part of a two-part series. This part details how AIP is managed and how it works with Rights Management Service (RMS). The first part describes the functionality of AIP.

Azure Information Protection

Azure Information Protection (or AIP for short) is a new offering in the Azure stack, although technologies like SharePoint Information Rights Management and Rights Management Services have been around for some time.

But it is not technology which makes AIP new or improved. It’s the way Microsoft tries to make information protection easy for both the user and the IT department.

Most of the time users just want to be able to work on documents and share them easily. Some might be aware of the information which is stored in these documents. But many will probably not recognize the need to be protective, or forget about the company policy regarding sensitive data.

So one of the first steps is to make the user aware about the data sensitivity within those documents. After this, we can protect and monitor the information and respond when necessary. These are the functions AIP provides.

AIP overview.png


 How does this work?

Azure Information Protection is a separate module within Azure. At the moment of writing this blog, it was still in preview. In order to use it , you will need the following (subject to change):

  • An Office 365 E3, E4 or E5 subscription;
  • Azure AD directory;
  • Windows 7 (SP1), 8, 8.1, 10 (x86, x64);
  • Android 4.0.3 and up;
  • iOS 7.0 and up;
  • Windows phone 8.1, 10;
  • Windows 10 Mobile and Windows 8.1 RT;
  • Word, Excel, PowerPoint, and Outlook (Office Professional Plus 2010, 2013 SP1, 2016).

The Office 365 AIP subscription will be divided in two, with a Premium package offering automatic content classification.

When users sign-in to the tenant (Office 365) and have the add-in installed, they can use the labeling functions. The IT department can assign actions to these labels.

Together with Azure Active Directory – Rights Management (RMS) you can also apply additional rights management policies to the document. You can configure this within the label. More about that later.



 Creating a AIP policy

You can access AIP from the Microsoft Azure portal. As it’s still in preview, it will have the “preview” (or in my case “Voorbeeld”) notification. You select Azure Information Protection and the default labels will be shown.


Don’t be alarmed if it takes a few seconds for the labels to show up. They will eventually, but it might take some time. You are shown the labels which are displayed in Office. Out of the box, Azure will provide you with several commonly used labels.

The title is displayed in combination with the selected label. You can edit the available labels and/or add you own labels. At the bottom level you can configure a mandatory level (all documents need to have a label). You can also set a default label. When users change a label (from more sensitive to less sensitive), you can configure AIP to ask for a reason.

When you are done, you publish the policy. After this, it will become available to new documents or update existing documents.

Adding an AIP label

An AIP policy is made up of multiple labels. Let’s take a look at the settings of these labels.

When opening a label, you will be treated to a multitude of options. These options range from:

  • Generic: Status, name, description and color of the label.
  • Visual markings: Header, footer, watermark
  • Complex options: Associated RMS template, automatic detection of content

In addition, you can add a mention to your users and some notes for the IT management people in charge of the label.

When the user selects the label, the document will automatically be modified to reflect the settings of the label. The user just has to make sure he or she selects the right label. To make this even better, you can have the label automatically detected.

Automatic content detection

Automatic content detection is part of the premium offering of AIP. AIP will detect the classification of the content based on predefined policies. Credit card information, for example. You can select your policy from a list or create your own. This is somewhat similar to the Data Loss Prevention policies in Office 365. However, the AIP policies are not as detailed (yet?).


When active, AIP will automatically detect sensitive content. Based on the AIP label, the user will either be asked politely to change the label (see below). Or the label is changed automatically.


Azure Rights Management

Let’s take a few moments to look at Azure Rights Management (RMS).


Azure Rights Management (RMS) is a separate offering within the Azure stack. It is part of Azure Active Directory and it’s also the module which is needed when you want to use SharePoint Information Rights Management. RMS has a dedicated client add-in (working both in Office and the Windows Explorer).  AIP uses RMS to enforce policies to documents.

AIP and RMS work better together. It’s no use to have AIP labels and no RMS policy attached to them. And therefore, you can add RMS policies to the AIP labels. In all, these are the options AIP and RMS will provide.


Just to be sure; AIP offers you multiple labels and RMS offers you multiple RMS policies. Both offer multiple options. It is clear, hopefully, that AIP is mostly concerned with awareness. You see options like a permanent header and watermark. RMS is mostly concerned with actions. You see options like content expiration, the ability to download documents and permission levels.

What about SharePoint?

In Office 365 you can configure SharePoint to use Azure RMS. This way, you control the way documents are used from SharePoint. This functionality has been around some time and is called Information Rights Management (or IRM).

After you configure SharePoint Online to use RMS, you get an extra option within you document libraries. This option lets you set the options for IRM. You can disallow you users to print documents stored within SharePoint or restrict storing document which do not support IRM.


Although SharePoint requires Azure RMS to support IRM, the similarities end there. SharePoint IRM is aimed only at documents which are accessed or downloaded from SharePoint. You will not see any AIP or RMS options either within the library or the management console. I expect that Microsoft will bring these platforms in line.


AIP-RMS-IRM schematic.png

All options put together.


Now what?

Information security is not always at the top of mind with the user community. With Azure Information Protection you can have awareness and compliancy in one. To you user, it’s as easy as clicking a button. The IT department can be outfitted with a large array of information protection features.

But we’re not there yet. I do expect Microsoft to put effort into:

  • Providing one (integrated) solution based on data loss prevention, RMS, AIP;
  • Hybrid solutions based on an existing enterprise PKI (BYOK – bring you own key);
  • Having IRM/RMS on site-collection or tenant level instead of document library level;
  • Integration with the Security & compliance center (for instance for monitor users lessening the labels)
  • Etc.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s