Azure Information Protection Automatic Classification

Leave a comment

Another interesting behavior I came across when adding conditions and the way labels are applied.

My Confidential AIP labels are configured as shown below.


I configured the parent label (Confidential) to automatically classify documents.


I entered the text below to trigger one of the conditions. I noticed that the document was labeled as ‘Confidential \ Restricted’ which is the last child label listed in my AIP portal. Well, this was, obviously, not what I expected.


To further test if it will always default to the last child label, I reordered the child labels. I moved the ‘Restricted’ child label up and now ‘Anyone (not protected)’ is listed as the last child label.


Just as I expected, the new document was labeled as ‘Confidential \ Anyone (not protected)’ automatically.


In this experience, I learned that I need to configure the conditions at the specific child label level to get the anticipated results.

Thanks for reading!



Azure Information Protection Client Preview – Visual Marking Variables

Leave a comment

I had the opportunity to install the latest release of the new Azure Information Protection client PREVIEW, which can be downloaded here.

One of new features included with this client release is the ability to apply different visual markings for Word, Excel, PowerPoint, and Outlook. I’m not sure how business users will take advantage of this, but I had to try it out.

In my Azure Portal, I configured my Confidential \ All Employees label to apply specific watermark to Word and PowerPoint, and a different watermark to Excel. Keep in mind that watermarks are not supported in Outlook.


When a document is classified as Confidential \ All Employees, the watermark is displayed as:

Word: This content is Confidential


PowerPoint: This content is Confidential


Excel: Confidential


Thanks for reading!

Azure Information Protection Administrator Role

Leave a comment

Great news for organizations that have concerns about granting Global Admin or Security Admin rights to users who need to manage Azure Information Protection policy.

The Azure Active Directory team have added a new role named Information Protection Administrator.  Members of this role can manage Azure Information Protection labels and policies using Azure portal, and use RMS PowerShell

Note that the role is currently in public preview.


Great news!!

G Suite Sync with Microsoft Outlook and RMS

Leave a comment

Today I had the opportunity to try out sending RMS protected messages to external recipients who use native Exchange-Outlook and G Suite Sync with Outlook.

I send a message to the external recipients from Outlook.

The external recipient with Outlook (I’ll call her Carmen) already has AIP client installed and RMS enabled in her tenant. The message opens with no issues.

The external recipient with G Suite Sync and Outlook (I’ll call him Ben) receives the message with the following text in the reading pane.

This message with restricted permission cannot be viewed in the reading pane until you verify your credentials. Open the item to read its contents and verify your credentials.

After double clicking on the message, the message below is displayed. Note that the sender is MOD Administrator from the sender tenant.


After the Ben verifies his credentials, the email message is displayed.

So far so good.

Carmen replies all from Outlook; all is normal.

Ben replies all from his Outlook client; the original sender (MOD Administrator) and Carmen see this:


However, when Ben replies all from Gmail via the Web browser, he sees the following message:

“You’ll automatically get an email copy of this message.” along with the label and the owner of the messages.

The original sender (MOD Administrator) and Carmen can view the message with no issues.

Ben, however, sees that the message comes from, not from his email address.


After the Ben verifies his credentials, the email message is displayed.

In summary – if you are using G Suite Sync with Outlook and responding to an encrypted message, be aware that your recipients may not be able to view your responses.

Thanks for reading!

Azure Information Protection (AIP) – Forward Permissions

Leave a comment

This post is another one of those “I found interesting” topics.

In Azure Information Protection, I configured users to use Viewer, one of the preset permissions templates. I accepted the default settings that the users have rights to View content, Reply, and Reply all.


I sent an e-mail with an attachment classified as Restricted. This document is encrypted with Azure RMS.

The recipient of the e-mail could NOT print, edit, copy and paste into a different document. However, the recipient COULD forward the e-mail to a different recipient.

After much testing and researching, I found that the Forward option enables users to forward an e-mail message and to add recipients to the To and Cc lines. This right does not apply to documents; only e-mail messages. This information is referenced here.

I hope this helps in case you need to explain this to users during your AIP rollout.

Thanks for reading!

Encrypt E-mail with Attachments

Leave a comment

As I continue to test different settings in Azure Information Protection, I want to share one that I find interesting.

I configured AIP for e-mail message with attachments to automatically apply a label that matches the highest classification of those attachments.

I created an e-mail where a default label ‘Official Use’ is automatically applied to my e-mail message. I then attached a document classified as ‘Restricted’, the classification of my e-mail message automatic changed to ‘Restricted \ All Employees’. This is the expected behavior.

I then sent the e-mail with the attachment to a trusted partner (in this case myself with a different domain) which I have configured ‘Viewer’ rights to view and reply the e-mail and the attachment.

Below is the e-mail message I sent to the trusted partner.


However, when the trusted partner (again, myself with a different domain) received the e-mail and tried to click on the ‘Read the message’ link (image below shows e-mail message received by the trusted partner), the trusted partner received “You do not have permission to view this message.”


After much testing, in order to allow my trusted partner to read the message, I had to change permissions from ‘Viewer’ to ‘Reviewer’ in Azure Information Protection.

As I continue to work with Azure Information Protection, I find myself learning new things every day.

Thanks for reading!

Protect and Manage Sharing of Sensitive Documents

Leave a comment

In my previous post, Classifying and Protecting Data in Office 365, I created an AIP (Azure Information Protection) label / policy that applied a footer text with “Sensitivity: Confidential”.

In this post, I’ll describe how you can take advantage of the properties stored in the document, by applying a rule to protect information sharing.

For example, to protect documents from being sent to external organizations via e-mail, you can configure a rule in Exchange to detect the document properties with a sensitivity label. Here’s an example of the configuration I created.

Exchange Mail Flow Rule

When a user within your organization attempts to send an e-mail with an attachment labeled with ‘Confidential’, the mail flow rule blocks it and the message sender receives the following delivery failure message as seen below (with the recipients e-mail addresses grayed out).


However, if you need to send to your trusted partners or customers, you can add their specific domains to the exception list in the mail flow rule. In the example below, I added one trusted domain to the rule.


With this exception, I was able to send the document labelled with ‘Confidential’ to the external recipients with the domain specified.

With the latest and greatest changes to AIP, and Office 365 Message Encryption capabilities, announced during the recent Microsoft Ignite Conference, the user experience of protecting and sharing your documents may be different than what is written in this post. I’ll continue provide updates and new information becomes available.

If you’re interested in learning more about data classification and protecting your organization’s information assets, feel free to connect with us at

Older Entries Newer Entries