Azure Information Protection and SharePoint Online working together

 

Update August 26th 2017

I was made aware that there are more ways to integrate SharePoint and AzureIP or have them working together. I  did know of these, but decided to work from SharePoint Online and AzureIP and no other platforms.

But it kept nagging, so I do want to add some more information.

Using Microsoft’s incredible (believe me!) Cloud App Security suite, you can use data loss prevention, content search and AzureIP together. Amongst other things (I will cover MCAS in another article, in another time 🙂 ).

For example: use AzureIP labels to set data loss prevention rules. These rules (by the way) go beyond the rules available in Office 365’s security & compliance center.

AIP_MCAS_1
Microsoft Cloud App Security – Data loss prevention

Another example: use AzureIP labels to search relevant content.

AIP_MCAS_2
AzureIP used for content search

Cool stuff! But here’s my original article…..

Original blog article

I’ve been working with Office 365, SharePoint and AzureIP for some time now. And I’m really impressed with the functionality, the manageability and power displayed by Azure Information Protection.

But even somewhere in the beginning (september 2016, how time flies) in this blog I already mentioned the combination of SharePoint and AzureIP. My basic premise was:

As SharePoint has the possibility of encrypting documents (Information Rights Management) and uses Active Directory Rights Management Service and is used to store, share and managed documents, how is AzureIP going to effect this?

Even now I’m still very interested in this question. And the answers are coming. You can now use the AzureIP labels from within SharePoint and have your on-premise SharePoint content scanned, labelled and protected. I expect Ignite 2017 will provide us with more information as-well.

But still….. I was still wondering how SharePoint Online and AzureIP can work together. Or not….. So I will also show you in this blog. Perhaps I wasn’t complete or incorrect, then don’t hesitate to contact me 🙂 And to be safe: the information in this blog is not exactly new. But I wanted to combine several sources into one.

Let’s get started

I’ve tested this functionality with several components. Just to be sure, here’s a list:

  • Office 2016;
  • AzureIP preview client 1.10.52.0;
  • OneDrive client 17.3.6972.0807;
  • Several users with an AzureIP license;
  • Several AzureIP policies, of which I used the one named “HR policy – do not print”. This policy protects documents and shows a visible notice.
  • SharePoint Online (I won’t show the on-premise connector).
AIP_client_info
AzureIP client used

This is my AzureIP label. This one has visible markings and an RMS policy (do not print).

AIP_Policy_HR_donotprint
AzureIP policy used in example

Before we begin, some highlights

If you don’t want to read this entire blog, no problem. Here are some of the highlights.

  • You can synch the AzureIP labels to a SharePoint library. You can even set a default AzureIP label;
  • The AzureIP label will change when you open the Office document;
  • Any (RMS) policy assigned to the AzureIP label will come into effect after you save the document again;
  • When uploading an AzureIP protected document within an IRM protected document library, the IRM settings will not be applied;
  • When you upload an AzureIP (RMS) protected document to a SharePoint library, you will not be able to preview the document, open it in Office Online or use search;
  • If the IRM settings are configured to “Do not allow users to upload documents that do not support IRM”, you cannot upload AzureIP protected documents;
  • Synchronizing AzureIP labels only working with Office documents (for now).

SharePoint Information Rights Management

Before we look at the integration between SharePoint and AzureIP, I want to quickly look at SharePoint’s offering. SharePoint uses Information Rights Management, which is an option within the document library. In order to use this option, IRM needs to be enabled for SharePoint Online.

IRM_settings_tenant
IRM settings SharePoint Online

 

When done, you can start using IRM. The IRM options can be found within the document library settings. The options allow you to configure document access and expiration. You do need administrator rights to do this though.

SharePoint_IRM_Settings
IRM options on document library level

You will need to understand that:

  1. IRM protects content which is downloaded from SharePoint (content is not encrypted in the SharePoint database);
  2. IRM can only be configured per list or document library – not for site (collection);
  3. Access to the content is handled by SharePoint, you can download, share and/or email the content at will. But….
  4. Only authorized persons can open the document and the configured rights will be applied to the document.

Here are two examples. Both documents were stored in the same IRM protected SharePoint library. When opened, Office will show the IRM settings (in yellow).

You will notice that I cannot apply any AzureIP label. In the later part of this blog I will go into that in more detail. The second example shows the same document when opened using the Word App on my iPhone. I did need to login to SharePoint to be able to open it.

Document_IRM_Protected
IRM protected document opened in Office 2016

 

iphone_office
IRM protected document opened in Word iPhone app

Ok. SharePoint IRM is pretty straight forward. It will protect content which is stored in the IRM enabled list or library. Please do note that when you remove the IRM settings of the list/library, the content no longer be encrypted when downloaded.

Storing AzureIP document in SharePoint library

In another scenario we have a SharePoint document library, without IRM. And we will use this library to store AzureIP labeled and protected documents.

No harm there I guess. But because SharePoint cannot decrypt these documents, you will no longer be able to use document previews, Office Web applications and the content will not be retrievable by search. That’s something to take into account.

Change_AIP_Label_from_SharePoint_4_no_preview
Preview error with an AzureIP protected document

But remember, this happens only when a document is labeled by AzureIP and an RMS policy is applied; the document is encrypted. But what if you were to use the AzureIP labels only and want them to show up in SharePoint? Well….. you can!

Synchronizing AzureIP labels using SharePoint

It is possible to use the AzureIP labels within your policy in a SharePoint document library. You can even set a default label and these labels can be synchronized with AzureIP. Let’s see how this is done.

First of all, you will need to add two keys to the advanced properties of the AzureIP policy. You open the AzureIP portal and go to Scoped policies. As I use the default policy, I go to the Global policy and select the Advanced settings.

AIP_Scoped_Policies
AzureIP portal | Global policy

Two properties need to be added to these settings.

  • SyncPropertyName (value: Sensitivity)
  • SyncPropertyState (value: TwoWay)
AIP_Policy_Advanced_Settings
Advanced settings AzureIP policy

After these properties have been added, you will need to add a column to the SharePoint document library in question. This is relatively easy, but you be need to be precise. You add a Choice column with the same name as the SyncPropertyName. In the values you add all AzureIP labels you have configured.

SharePoint_AIP_Label_Column
SharePoint – AzureIP column

These values need to be in the same order. And you need to have the entire hierarchy. These are the values in my column:

Personal
Public
Internal
Confidential
Do not forward
Secret
Secret All Company
Secret International Banking Number (IBAN)
Confidentiality Agreement
HR Informatie
HR Informatie HR – Vertrouwelijk
HR Informatie HR – Niet afdrukken

When done, you can test this by adding a document which is labeled by AzureIP. If everything is set up correctly, you will see the AzureIP label in the library.

AIP_protected_document_in_SharePoint
SharePoint document library – note the Sensitivity column

Because this is a choice column you can even set a default value for the AzureIP label. And this works very well. Just to be sure: you do know that a default label is static right? It doesn’t update content when changed…..

SharePoint_default_AIP_Label
Default value for AzureIP label – SharePoint

Because I have configured the SyncPropertyState as “TwoWay” I can now change the label from inside of SharePoint. This is great and works like a charm, but do mind documents which are labeled and protected by AzureIP……. See the example.

AIP_protected_document_in_SharePoint_change_label
Change AzureIP label from SharePoint
AIP_protected_document_in_SharePoint
Changed AzureIP label

Example: Edit the label from SharePoint

Here I have a document named “And another document.docx”. This document is AzureIP labeled  with the label Internal. There is no RMS policy attached to this label, so the document is not protected and has no visible markings.

Change_AIP_Label_from_SharePoint
Word document, not RMS protected.

From the SharePoint library I will change this AzureIP label to “HR Informatie – Niet afdrukken”. This label has the HR – Do not print policy applied. This policy (as described above) adds a visual marking and does not allow for printing of the document.

Change_AIP_Label_from_SharePoint_1
Word document, AzureIP label changed

When I open the document I notice that the label has been changed. Which is great. The two way sync works. But no RMS policy was assigned. The AzureIP client is probably not aware of the change. So let’s save the document back to the library.

Change_AIP_Label_from_SharePoint_2_label_no_policy
Word document in Word 2016, label changed

And there it is: the protection has been applied (see the header)

Change_AIP_Label_from_SharePoint_3_label_with_policy_after_save
Word document in Word 2016, label and RMS policy applied

So this is something we will need to explain to our users, should this scenario be used.

IRM and AzureIP working together?

In this blog I have shown you how to enable SharePoint IRM and how SharePoint and AzureIP labels can work together. But what if you have SharePoint IRM and start saving AzureIP protected documents in those locations?

Here are some of the things I noticed.

If you configure a SharePoint library with IRM and select the option “Do not allow users to upload documents that do not support IRM”, two things will happen.

  • You will not be able to upload any document which has already be protected by AzureIP (figure a, below)
  • You will not be able to protect any document with AzureIP using either the AzureIP client or Office (figures b and c, below).
Error_uploading_AIP_protected_file
Figure a
IRM_protected_document_cannot_use_AIP_client
Figure b
Document_IRM_Protected
Figure c

What about non-Office documents?

Using the new OneDrive client (version 17.3.6972.0807, with the awesome files-on-demand 🙂 I uploaded a txt, jpg and pdf document. Using the same client, I labeled and protected them using AzureIP.

OneDrive
New OneDrive client with protected documents

As I somewhat suspected, the label information did not synchronize to SharePoint this time. Which kind of makes sence, as the AzureIP label information is stored within the Office document itself and SharePoint can use this.

Also, changing the AzureIP label in SharePoint will not effect the AzureIP labels and protection of these non-Office documents. When opening using OneDrive or after downloading the documents, the original AzureIP label was still there.

Other_documents
No AzureIP labels for non-Office documents

You’ll also notice that these documents do not have a recognisable icon in SharePoint anymore. That’s easy. The mime-types for ppdf, ptxt and pjpg are not available in SharePoint Online.

Just to be sure: SharePoint IRM and AzureIP both encrypt pdf-files. But while the first option does not change the extension, the second one does.

Concluding

Ok, where do we stand on this? I hope this extensive blog gives you a little overview of SharePoint IRM, AzureIP and both working together.

Going through the Yammer groups about information protection and AzureIP I do notice a lot of questions but also a lot of usage of the technology. I expect that the next couple of months we will see more integration between Office 365 and AzureIP. Probably during Ignite 2017 we’ll get a lot more information. So, hopefully, most questions will be answered.

I do appreciate the way Microsoft is moving forward with this kind of technology. I would love to see this kind of technology moving into other areas as well. For instance: non-Office documents and complete SharePoint sites and/or Office Groups.

Imaging the scenario where you create an Office Group, select the sensitivity level “confidential” and all information based in that Group is automatically labeled and protected using AzureIP, has the relevant data loss prevention and data governance labels applied and is automatically archived when closed.

I can see that working 🙂

Hope to hear your thoughts.

6 Comments

    1. Hi Max,

      Right now? Nothing much. Microsoft introduced the classification of Office Groups some time ago and in the beginning you could only use PowerShell to do so. Now you can select the classification during creation of the Group, but it still does nothing. But in the end, I think this will happen;

      You select the classification and Office 365 will select the right data loss prevention and data governance labels. It will also set the right AzureIP classification, (external) sharing option and so on. Well, that’s how I would expect it to work.

      1. Hi Max,

        Yep. I noticed that as-well. As Teams relies heavy on Office Groups, it’s kind of logical. But I still have no idea where Microsoft is going with this. You have many classification options within Office 365 and Azure. Like: data governance labels and Azure Information Protection. And these will merge into one solution.

        I expect that Microsoft will incorporate these labels with Groups (and Teams). So when you create a “Confidential” Group, it will label all content as “Confidential”. Is this going to work? We’ll have to see. Because what if you have highly confidential information stored in a “regular” confidential Group?

        When more information on this subject becomes available, I’m sure to write about it.
        Thanks for commenting!

  1. Great post! I will try it in my dev tenant. But currently I have on question, to apply the labels automatically to SharePoint or even to have the right label policies applied when A document is opened, is it mandatory to have the AIP module installed in my computer? Thanks!

    1. Hi there!

      You will always need the AzureIP client, as this is the client that does the labelling and protection. Integration with Office clients and the online versions is on the Microsoft roadmap.

      Do note that there is no real integration between SharePoint and AzureIP. SharePoint can “read” the AzureIP labels (if there are any) and display them in the library. When you modify the label from SharePoint and download the document, it will still take the AzureIP client to apply the new label.

      Note also that not all document-types are supported. Most are (and the most common of course), but some can only be protected and not labeled. A complete list can be found here:

      https://docs.microsoft.com/en-us/information-protection/rms-client/client-admin-guide-file-types

      Thanks for your comments!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s