9. What is Azure Information Protection?
Azure Information Protection (AIP) is Microsoft’s cloud-based solution for protecting documents and emails not only while they’re at rest or in transit, but also after they’ve left your environment and gone somewhere else. The protection travels with the content, and the main way we apply it is through labels.
With unified labels for Microsoft 365 we can apply encryption across the environment. A label can be applied automatically by a rule we create, based on the content of an item or the location it is stored in, or a user can apply a label manually. Because AIP-protected content is encrypted, the client has to be able to read it. Office 2016 and newer apps can open protected content out of the box, but you still want to install the Azure Information Protection client. The full client not only consumes protected content, it also adds options such as protecting files with a right-click from Windows Explorer, which makes it very easy to apply protection.
For our on-premises environment we can use AIP to encrypt on-premises items, whether they live in file shares or in an on-premises SharePoint library. You download and install the Azure Information Protection scanner and point it at those locations; any content that meets your criteria gets the label applied, and if the label includes protection, the content is encrypted. In addition there is the RMS connector. If you use File Server Resource Manager (FSRM) with its file classification infrastructure, for example, the RMS connector lets that on-premises server call the cloud-based rights management service to encrypt files according to their classification. In other words, the connector lets on-premises servers use Azure Rights Management instead of on-premises Active Directory Rights Management Services.
10. Planning Azure Information Protection
When planning AIP you need to think about several things that have to be in place. First, there are four subscription levels. With the free version you can consume AIP-protected content: as long as you have been granted rights to a document, you receive a use licence and can open it. With Azure Information Protection for Office 365 you get basic encryption capabilities; there are no classification capabilities, but you can encrypt messages and documents without classifying them.
With an AIP Premium P1 plan you get document classification, and along with it manual application of labels that apply encryption. With an AIP Premium P2 plan you get automated classification and label application: you create rules, and when a rule is matched the label is applied and the encryption follows automatically, so you don’t have to protect every document by hand. It’s a much nicer environment to work in. One more prerequisite: if your Microsoft 365 tenant was created before February 2018, the service is not active by default and you have to activate it in the portal; tenants created from February 2018 onward already have it on. What you are activating is the Azure Rights Management service that AIP relies on. It’s a simple process: in the service settings open Azure Information Protection and click Activate. So it isn’t difficult, but know that you have to turn it on if it isn’t on already. Then we create the labels that apply our protection policies to documents.
Next we create policies, which distribute those labels to our users. Both labels and policies are created in the Azure portal, not in our on-premises environment. Finally we get the Azure Information Protection client onto our users’ computers, deployed with whatever software management system you use: Intune, Configuration Manager, or something as simple as a GPO. Once the client is deployed we still need to prepare and support the end users. They need to understand how the protection works, because when you roll out encryption, users tend to encrypt a lot of documents, and the workflow breaks when other employees can’t open them. So it’s highly recommended that you spend some time training your users on AIP before rolling it out.
11. Configuring Super User for AIP
One concern with AIP is that you will have many users protecting documents. What happens if the user who protected a document leaves the organisation before the document was unprotected, or a document was protected with rights that nobody else can use? Fortunately AIP has the super user feature. It makes sure that we, and the services that need it, can always get to protected content when necessary: anything protected by Azure Rights Management, which is what AIP uses, can be opened by a super user.
A super user has access to all protected content. So before assigning that capability to anyone, be aware that everything your organisation has encrypted can be decrypted by that account. The feature is off by default and there are no super users: even the global administrator is not a super user automatically. You have to enable the feature, and you can only do that with PowerShell, using Enable-AadrmSuperUserFeature. Notice the Aadrm part of that cmdlet: it is the Azure Active Directory Rights Management (AADRM) module, so you first have to install and import the AADRM PowerShell module (newer releases of the module are named AIPService and use the AipService prefix, with the same verbs). Once the feature is on, you add individual users with Add-AadrmSuperUser, or designate a single group with Set-AadrmSuperUserGroup so that membership of that group grants super user rights. Treat it as a break-glass capability: keep the membership small, review it with Get-AadrmSuperUser, and turn the feature off again when the recovery task is done.
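The sequence described above, as an added example that is not part of the course. It assumes the AADRM module is installed and that the account running it is a global administrator or AIP service administrator; the mailbox and group addresses are placeholders.

```powershell
# Added example (not from the course): enabling the AIP super user feature and
# registering a break-glass account and group with the AADRM module.
# Assumptions: AADRM module installed (Install-Module AADRM); the caller is a
# global admin or AIP service admin; addresses below are placeholders.

Import-Module AADRM
Connect-AadrmService          # prompts for admin credentials

# Check the current state before changing anything
$state = Get-AadrmSuperUserFeature
Write-Host "Super user feature is currently: $state"

if ($state -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# Individual super users: each one can decrypt everything the tenant protected
Add-AadrmSuperUser -EmailAddress 'breakglass-admin@aromar.com'

# Only one group can be designated; its members become super users
Set-AadrmSuperUserGroup -GroupEmailAddress 'aip-superusers@aromar.com'

# Review: who can now decrypt all protected content?
Write-Host 'Super users:'
Get-AadrmSuperUser
Write-Host 'Super user group:'
Get-AadrmSuperUserGroup

# When the recovery task is finished, shrink the blast radius again:
# Remove-AadrmSuperUser -EmailAddress 'breakglass-admin@aromar.com'
# Disable-AadrmSuperUserFeature

Disconnect-AadrmService
```

Run it once to enable and populate, then keep only the review part (Get-AadrmSuperUser, Get-AadrmSuperUserGroup) in your periodic access reviews; the disable line at the end is what you run once the content has been recovered.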
Now that you have super users, the next step is for them to modify protected content. The cmdlets for that are not in the AADRM admin module but in the PowerShell module that the Azure Information Protection client installs. With Protect-RMSFile a super user can apply protection en masse: if I have an entire library to protect, instead of opening each document individually I can protect all of them in one command. With Unprotect-RMSFile they can remove the protection and decrypt files so they become readable by anybody with access to that location. Either way, all of this bulk work is done via PowerShell.
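The bulk protection and recovery described above (and the on-premises file share case from section 9), as an added example that is not part of the course. It assumes the AIP client is installed on the machine, the session runs as a super user (or uses Set-RMSServerAuthentication with a service principal for unattended runs), and that the share path and the template name are placeholders.

```powershell
# Added example (not from the course): bulk protecting and unprotecting files with
# the PowerShell module installed by the Azure Information Protection client.
# Assumptions: AIP client installed; caller signed in as a super user; the path
# and the template name "Doc Protect" are placeholders.

Import-Module AzureInformationProtection

$library = 'D:\Shares\Brokers\Contracts'   # assumed on-premises file share

# Templates are derived from the tenant's labels; refresh the local cache and pick one
$template = Get-RMSTemplate -Force | Where-Object { $_.Name -eq 'Doc Protect' }
if (-not $template) { throw 'Template "Doc Protect" not found in this tenant' }

# Protect every supported file in the folder tree in place. Files are replaced by
# their protected versions; unsupported file types are reported, not changed.
$results = Protect-RMSFile -Folder $library -Recurse -InPlace -TemplateId $template.TemplateId

# Report what actually changed so failures are not silently skipped
$results | Format-Table InputFile, Status, OutputFile -AutoSize

# Verify a single file: Status should read Protected
Get-RMSFileStatus -File "$library\Q3-terms.docx"

# Super user recovery: decrypt the same tree, e.g. after a document owner has left.
# This strips all rights enforcement, so prefer running it on a copy.
# Unprotect-RMSFile -Folder $library -Recurse -InPlace
```

Keep the Unprotect-RMSFile line commented until you actually need it; once a file is unprotected, anyone with NTFS access to the share can read it, which is exactly the exposure the label was there to prevent.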
12. Implementing the AIP Labels and Policies
When you use AIP you have a decision to make about where the tenant encryption key comes from and who manages it. The first option is a Microsoft-managed key. It is not only the simplest, it is also what most organisations use.
With a Microsoft-managed key, Azure generates and manages the key for you. When the key expires, Microsoft handles the rollover and makes sure the new key is available for protecting and consuming documents in your environment. The important point is that the tenant key is never exposed to users and never leaves Microsoft’s service: when a user needs to open or protect a document, the client obtains a use licence from the service, not the key itself.
If your organisation already uses Active Directory Rights Management Services on premises, you may prefer a “bring your own key” (BYOK) setup. You already have many documents protected with your on-premises key, and rather than having a separate key in the cloud or re-protecting all of those documents with a new key, you keep using the one you have. In a BYOK setup you import your key into Azure Key Vault and grant the Azure Rights Management service access to it. But understand that you now manage that key: its expiry, its rollover, and the Key Vault permissions.
If you neglect that, you can block users from accessing content protected with it. The third option is “hold your own key” (HYOK). If you use AD RMS on premises but operate under a very strict security model, you may want to keep what is protected on premises separate from what is protected in the cloud. In that scenario you keep your own key on premises with AD RMS for the most sensitive content and use a Microsoft-managed key for everything protected in the cloud. Where the key is held then determines where, and by whom, a document can be decrypted; in particular, HYOK-protected content cannot be opened by cloud services. So in a stricter security model, holding your own key may be the right choice for your organisation.
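The BYOK wiring described above, as an added example that is not part of the course. It assumes the Az.KeyVault and AADRM modules are installed, that the key has already been created in, or imported into, the vault (for example from an on-premises HSM), and that the vault name, key name and tenant names are placeholders; the application ID used is the well-known ID of the Azure Rights Management service.

```powershell
# Added example (not from the course): pointing Azure Rights Management at a
# tenant key held in Azure Key Vault (bring your own key) and making it active.
# Assumptions: Az.KeyVault and AADRM modules installed; key already present in
# the vault; vault/key names are placeholders.

Import-Module Az.KeyVault
Import-Module AADRM
Connect-AzAccount
Connect-AadrmService

$vault = 'aromar-rms-kv'
$key   = 'aromar-tenant-key'

# The Azure Rights Management service runs under this well-known application ID.
# It needs to use the key; it is deliberately NOT granted export/backup rights.
$rmsAppId = '00000012-0000-0000-c000-000000000000'
Set-AzKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $rmsAppId `
    -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get

# Register the vault key with the tenant; the Id is the versioned key URL
$kvKey = Get-AzKeyVaultKey -VaultName $vault -Name $key
Use-AadrmKeyVaultKey -KeyVaultKeyUrl $kvKey.Id

# The tenant now lists the Microsoft-managed key and the imported one. Make the
# vault key active; the previous key is archived, not deleted, so content
# protected with it can still be opened. This is what a rollover looks like.
$newKey = Get-AadrmKeys | Where-Object { $_.KeyVaultKeyUrl -like "*$key*" }
Set-AadrmKeyProperties -KeyIdentifier $newKey.KeyIdentifier -Active $true

# Check: exactly one key should be Active, the rest Archived
Get-AadrmKeys | Format-Table KeyIdentifier, Status, KeyVaultKeyUrl -AutoSize

Disconnect-AadrmService
```

The property names used in the Where-Object filter and the final table (KeyIdentifier, Status, KeyVaultKeyUrl) are those I have seen Get-AadrmKeys return; if your module version differs, pipe Get-AadrmKeys to Format-List first. The caveat from the text applies here in code form: once the active key lives in your vault, a deleted key, an expired key version or a removed access policy is an outage for every document protected with it.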
13. Working with AIP Labels and Policies
In Azure Information Protection you apply labels to items in order to classify and, optionally, encrypt them. You create these labels in the Azure portal. (The classic AIP client and its Azure portal labels have since been retired in favour of unified labels managed in the Microsoft Purview compliance portal; the concepts below are the same.) Let’s take a look at how we work with them.
I’m going to go to portal.azure.com. I’m already signed in as Ethan, so it lets me straight in. Now I need to find Azure Information Protection: I search across all services for “Azure”, and Azure Information Protection shows up in the results. Note the greyed-out star next to it; if I click it, the service is pinned to my hub menu on the left, so next time I don’t have to go looking for it. It makes life a little easier. Let’s click through and open Azure Information Protection.
AIP ships with some default labels and templates built into the subscription, assuming the subscription included AIP from the start, as an E3 or E5 plan does. You can see the Confidential and Confidential View Only labels, but we can also add our own, so let’s add a new label called Doc Protect. We’re going to use it to encrypt documents. You can choose a colour for the label from the list or define a custom one; let’s make this one blue. Then we set what the label does. In this case I want to protect, that is encrypt, the document, so I click Protect. Notice that a new option opens for the key: this is where we decide between the Azure cloud key (a Microsoft-managed key or your own key in Key Vault) and HYOK.
In this case we’ll use the Azure cloud key and set permissions. I can set the permissions now, or I can leave them user-defined so users choose them when they apply the label. For now we’ll set them: click Add Permissions and decide what recipients can do with the document. There are predefined permission sets; if I give you one of those, Co-Author for example, you can view, open, read and edit the content, among other things. But I could also choose Custom and pick exactly what I want you to be able to do: you can view it, and I’ll let you print it, but that’s all; no copying. We can also decide whether macros are allowed. So the individual rights are fully under my control.
Or I could just say, you know what, I’m going to make you a Viewer, and give you view-only access. Next: who does this apply to? I can add all members of the Aromar tenant, any authenticated user, or browse the directory and select specific people or groups. For now let’s use everyone in the Aromar tenant and click OK. So now, whenever this label is applied, anybody in the tenant gets the Viewer permissions on the document. Notice I can also set content expiration, limiting how many days the document remains readable, similar to what we can do on a SharePoint library, for example.
We’re not going to let it expire. We can also allow or deny offline access; for now we’ll allow offline access for seven days, then click OK on the protection settings. If we keep scrolling down, we can add visual markings to the document. If this label is applied I can have a header appear, saying, for example, View Only. We can choose the font size; let’s make it 15. We can choose the colour, and since I made the label blue, let’s use blue here as well. I’ll centre the header. I’m not going to add a footer, and I don’t need a watermark,
but I could do all of those things if I wanted to. If your subscription includes the AIP P2 plan you can also add conditions that apply the label automatically: I’d create a new condition based on a sensitive information type, so if a document contains a bank routing number, for example, this label is applied to it. Once that is set up I click Save to save the label. The next step is to create a policy, because the policy is what makes labels available to users by distributing them. If I click Policies I can see the Global policy; a label added to the global policy is available to everyone.
You can’t change the scope of the global policy; it is always available to everybody. But I can create my own scoped policy: click Add a new policy, call it Demo policy, for brokers say, and select which users and groups the policy applies to. From users and groups I select the Brokers group, so if you’re part of Brokers you get this policy and its labels. Then I add the label with Add or Remove Labels, and notice that the only label available to choose from is Doc Protect.
Even though there are other labels in the environment, one thing you need to be aware of is that a label can only exist in one policy. So if I have multiple scoped policies for different parts of the organisation and there is a label I want two groups to have, I either create one policy and apply it to both groups, or I duplicate the label under a slightly different name and add each copy to its own policy. Just keep in mind that a given label appears in one policy only. I can also select the default label for the policy; since Doc Protect is the only label here, that’s the one. I can turn on audit information and other options, then click Save. So now I’ve created a label, added it to a policy, and made that policy available to, in this case, the brokers in my organisation.
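The same label and scoped policy built with the unified labeling cmdlets, as an added example that is not part of the course. Unified labels are managed from Security & Compliance PowerShell (the ExchangeOnlineManagement module) rather than the classic Azure portal shown above; the example assumes a compliance administrator account, and aromar.com, the group address and the label names are placeholders.

```powershell
# Added example (not from the course): the "Doc Protect" label and the brokers
# scoped policy from the walkthrough, created as unified labels via Security &
# Compliance PowerShell. Assumptions: ExchangeOnlineManagement module installed;
# caller is a compliance/security admin; aromar.com and brokers@aromar.com are
# placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Label: encryption on, everyone in the tenant may view and print, no expiry,
# 7 days of offline access, blue centred 15pt "View only" header.
# The identity in EncryptionRightsDefinitions is assumed here to be the tenant
# domain (everyone in the tenant); use a user or group address to narrow it.
New-Label -Name 'DocProtect' -DisplayName 'Doc Protect' `
    -Tooltip 'Encrypts the document; recipients can view and print only' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'aromar.com:VIEW,VIEWRIGHTSDATA,PRINT' `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText 'View only' `
    -ApplyContentMarkingHeaderFontSize 15 `
    -ApplyContentMarkingHeaderFontColor '#0000FF' `
    -ApplyContentMarkingHeaderAlignment Center

# Scoped policy: publish the label to the Brokers group only
New-LabelPolicy -Name 'Demo policy for brokers' `
    -Labels 'DocProtect' `
    -ExchangeLocation 'brokers@aromar.com' `
    -Comment 'Scoped publishing policy for the brokers group'

# Check: which policies publish which labels, and to whom
Get-LabelPolicy | Select-Object Name, Labels, ExchangeLocation

Disconnect-ExchangeOnline -Confirm:$false
```

The check at the end is the one worth keeping: Get-LabelPolicy is the quickest way to answer “who can see this label”, and with unified labels a label can be published by more than one policy, so the one-policy-per-label rule described for the classic portal does not carry over.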
14. What is Windows Information Protection?
Microsoft also offers something called Windows Information Protection (WIP). With WIP we try to prevent corporate data from accidentally leaking out of the organisation, which matters now that we work in a “bring your own device” world where employees often connect to corporate data, and keep it, on personal devices.
The idea is that WIP lets us distinguish corporate data from personal data, and on that basis block, or warn, when somebody is about to place corporate data somewhere that may be considered untrusted: for example, taking one of our press releases and copying and pasting it into their Facebook page. The press release in a Word document from our OneDrive is certainly something they should be able to read, but maybe we don’t want them sharing it to an unsecured location. WIP is there to give us that control.
The nice thing is that WIP is built into Windows 10, as long as you’re running Windows 10 version 1607 or later. To implement it, though, you need some kind of mobile device management (MDM) or mobile application management (MAM) capability. Fortunately Mobile Device Management for Office 365 and Intune both let you set up WIP. With WIP we can encrypt corporate data, whether it is stored on a corporate-owned device or on a personal one, so the corporate data always sits in an encrypted container. We can also remotely wipe just the corporate data; I don’t have to do a full wipe of somebody’s phone. Say someone comes to you and says they’ve misplaced their phone; they don’t believe it was stolen or lost, they just can’t find it right now.
But we’re concerned because it has some of our corporate data on it. Rather than a full wipe of the device, which is what a lot of MDM solutions would do, WIP identifies the corporate data and wipes just that. All the pictures from their child’s birthday party that they haven’t uploaded to the cloud yet are still there, so if the phone turns up down the back of the couch they won’t be too upset, and we’ve still protected our environment. We also get to choose which apps we trust with our corporate data.
Trusted apps are allowed to open and work with corporate data; an app that isn’t trusted is stopped from accessing it. So if somebody accidentally moves something from OneDrive for Business to, say, their personal Dropbox, it is blocked, because our MDM or MAM policy with WIP prevents corporate data from being sent that way. That makes things a lot easier for us.
And the nice part is that we do all of this without changing the way the employee works. WIP identifies corporate versus personal data by looking at where the data came from: did it come from a network share, from OneDrive for Business, or from the user’s My Documents folder? So we can delineate personal from workplace data without interrupting the user. We don’t require them to migrate to a virtualised or VPN environment for protection, or to sign in to separate systems every time they access the data, because the protection is applied right on the device according to the WIP policies you implement using Intune or Mobile Device Management for Office 365.
15. Planning for Windows Information Protection
If you want to work with Windows Information Protection, there are a few prerequisites you have to meet. First, your users need Windows 10 version 1607 or later; older versions can’t be used, and most people should be on a newer build at this point anyway. Second, you need an MDM or MAM solution in place, and it has to support enterprise data protection, which is the original name of WIP. (Microsoft has since announced the deprecation of WIP, so check current guidance before planning a new deployment.)
So whether you use MDM with WIP or MAM with WIP, the management solution has to support enterprise data protection. System Center Configuration Manager and Microsoft Intune both do, so you’re fine in that regard. The Windows client then has to be enrolled in MDM, or registered for MAM, before you can apply a WIP policy to it. Next you have to work out which apps are trusted and which are untrusted. With WIP we want corporate data exposed only through trusted apps, so we need to delineate the two. We also have to think about our websites: are there sites where you want corporate data to be allowed?
For example, if you’re using Microsoft 365, I want all of the Microsoft 365 URLs treated as trusted, so that corporate data can be loaded into SharePoint Online, into Teams, into Skype for Business, or into my OneDrive for Business. I have to designate those as trusted network locations so that work content can be placed there. And finally, what are we going to do about enlightened versus unenlightened apps?
An enlightened app is one that can tell work content from personal content, based on where the content came from. Was it downloaded from a corporate network share or from a OneDrive for Business library, or did it come from my Documents folder or my consumer Dropbox? An enlightened app can make that distinction; an unenlightened app can’t, and treats everything it handles as corporate data once it is on the allowed list. So we may have to restrict which unenlightened apps are allowed to touch corporate data at all.
16. Implementing Windows Information Protection
So let’s take a look at the steps needed to set up Windows Information Protection for your systems. You do this in the Azure portal, not in the Microsoft 365 admin center. I’m going to switch over to the Azure portal and go into Intune: All services, then search for Intune.
Open it up. If you don’t have Intune, you may have Mobile Device Management for Office 365 as an option, and you can set some of this up there as well. One thing to be aware of is that, to use WIP, the Windows 10 device has to be either MDM-managed or covered by a MAM registration. Once the device is joined to the environment, we can come in and set up an app protection policy. So let’s go into Client apps, then App protection policies, and create a policy. We give it a name; this one is our WIP policy. Then we select the platform it applies to, Windows 10 in this case, and the enrollment type, With enrollment, meaning the device is enrolled in our MDM.
Now we select the apps we want to protect. In this case we’ll work with Office 365 data, so we add the Office 365 apps. Then, under required settings, we set the Windows Information Protection mode to Block. With that, anything associated with the Aeromar.com corporate identity is treated as work data, and the user is stopped from taking it out of, say, Word and pasting it into some other app.
So click OK and create the WIP policy. Notice that it says it isn’t deployed yet. To deploy it I need to assign it to a group that I want included. Maybe we have a dynamic group called Managed Devices: if a device is enrolled in MDM it becomes part of that group, and the policy applies to it that way.
Now that it’s implemented, the next step is to see what the behaviour is when a user works with a work document, say a project plan and related files stored in a protected location. First, if I go to File, choose Save As and click More options, you can see this is a protected document; that little briefcase icon tells me it’s a work file. Now suppose the user sees “oh look, they’ve announced the release date of that new product”, copies it and wants to paste it somewhere on the web, maybe their Facebook page or Instagram. To keep it simple, let’s open YouTube, put the cursor in a text box and paste. Except nothing is pasted, because Windows Information Protection blocks the work content there. Again, this keeps an honest person honest: nothing stops me retyping the information, or photographing the screen, but I can’t simply copy and paste it to another location. So WIP gives us a bit more control over our content, regardless of who is actually using it.
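A client-side check for the prerequisites from section 15 and for the “briefcase” state shown above, as an added example that is not part of the course. It relies on two facts: Windows 10 version 1607 is build 14393, and WIP stores work files with EFS encryption bound to the enterprise identity, so the Encrypted file attribute is the marker behind the briefcase icon. The folder path is a placeholder, and the dsregcmd and cipher output lines it looks for are what I have seen on enrolled devices rather than a documented contract.

```powershell
# Added example (not from the course): check WIP prerequisites on this device and
# report which files in a folder are actually WIP-protected.
# Assumptions: Windows 10 with PowerShell 5.1; the folder path is a placeholder;
# the "MdmUrl" line from dsregcmd is assumed to indicate MDM enrollment.

$minBuild = 14393   # Windows 10 version 1607, the first release with WIP
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt $minBuild) {
    Write-Warning "Build $build is older than 1607; WIP is not available here"
} else {
    Write-Host "Build $build meets the WIP minimum (1607 / build $minBuild)"
}

# Is the device MDM-enrolled? dsregcmd prints the management URLs when it is.
$mdm = (dsregcmd.exe /status) -match 'MdmUrl'
if ($mdm) {
    Write-Host "MDM enrollment found: $(($mdm -join ' ').Trim())"
} else {
    Write-Warning 'No MDM URL reported; a WIP policy will not apply to this device'
}

# Which files carry the Encrypted attribute (WIP-protected work files)?
$folder = "$env:USERPROFILE\OneDrive - Aromar\Projects"
Get-ChildItem -Path $folder -File -Recurse |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Protected = ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        }
    } | Format-Table -AutoSize

# cipher /c lists who holds a key for an encrypted file; for a WIP file the
# enterprise data recovery certificate from the policy is expected to appear.
cipher.exe /c "$folder\Project-plan.docx"
```

The table is the useful part when users report “I can’t paste this”: a file that is not marked Protected is personal data as far as WIP is concerned, so it will copy anywhere, and a file that is marked Protected will be blocked in unenlightened or non-allowed apps exactly as the YouTube demonstration showed.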