Microsoft Information Protection (MIP)

Leave a comment

While I’m at Microsoft Ignite in Orlando this week, many new announcements were made including AI integration, mixed reality, and of course, cloud technology across Office 365. My area of focus today is Security and Compliance.

With the current version of Azure Information Protection, you can create an AIP label and apply Rights Management to classify and protect data. In order to apply retention to data, you would need to access Security and Compliance Center, create label and a retention policy.

Microsoft announced a new product called Microsoft Information Protection (MIP). This new product consolidates Azure Information Protection (AIP) and Security Retention Labels into one.

Here are a couple of screenshots I took during the sessions I attended.

MIPProtection

MIPVisualMarkings

As you can see from these screenshots that you can apply protection and visual markings to documents from Security and Compliance Center where these features are only available in Azure Information Protection Portal today. For those who have already created labels in Azure Information Protection, no worries, they will automatically synchronize to MIP, so you do not need to recreate them.

Other new features include event based retention where you can associate specific events, e.g. employee termination, contract expiration, etc. when configuring the retention settings.

This screenshot shows the roadmap of what will be available this year and next.

MIPRoadmap

I will continue to share as I learn more about Microsoft Information Protection product.

Advertisements

Classifying and Protecting Data in Office 365

Leave a comment

In my previous post, I introduced how to classify data with Azure Information Protection (AIP). In this post, I’ll introduce how to create a policy / label and additional data classification features you can use to enhance and protect your data.

Creating Azure Information Protection Policy (Label)

You can access Azure Information Portal from the Microsoft Azure Portal. With each AIP label, you can further protect your data by applying any or all of the additional features:

  • Create visual markings (header, footer watermark). Watermarks are applied to Word, Excel, and PowerPoint only.
  • Associate Azure Rights Management (RMS) policies
  • Define conditions that could detect data patterns for automatic classification. Custom conditions can be either words, phrases, patterns, and even regular expressions.

Create New Label: The process of creating a new label is pretty straight forward. You will need to provide a label name, and description. Optionally, you can change the color of the label, and add visual markings such as header, footer, and watermark to the documents.

AIP Visual Markings

In this example, I created a label called ‘Confidential Project’, a footer text of ‘Sensitivity: Confidential’, and added ‘Contoso Confidential’ for its watermark. After the label is saved and published, when the user selects the above label, the document displays as shown in the following image.

AIP Document Visual Marking

Note that visual markings are not applied to documents when the label is applied by using File Explorer and the right-click action, or when a document is classified by using PowerShell.

Associate Azure Rights Management (RMS) Policy: Azure RMS is the protection technology used by Azure Information Protection. Azure RMS allows you to set permissions and automatically applies protection for documents and emails.

You can protect your data within AIP by selecting one of the available options:

  • Do not forward – allows recipients to read the message, but cannot forward, print, or copy content.
  • Select a predefined template – must use PowerShell (New-AadrmRightsDefinition) to create templates for the entire organization
  • Set (custom) permissions

By selecting ‘Set permissions’, you can select users or groups from your tenant. You also have an option to select users or domains from outside your organization, and apply different permissions as necessary.

AIP RMS

Define Conditions: Within AIP, you can define one or more conditions within a label. You can select from one of the default conditions or create custom conditions. When a document or email matches the condition associated with the label, you can automatically apply the label to the document or email, or visually show the user a recommendation.

AIP Conditions

These are just a few examples of how you can extend AIP and RMS features to protect your documents and email.

Establishing and maintaining an effective security and information management program involve people, process and technologies working in concert. From the technologies standpoint, IT administrators can start by enforcing rules to ensure documents are classified and protected by using tools available in Office 365.

These are some of the features in Azure Information Protection and Exchange Online. In my next post, I will cover how you can protect your data when sharing with external organizations by integrating the footer information used in this post.

Classifying Data with Azure Information Protection (AIP) – Introduction

1 Comment

In my previous post, Benefits of Data Classification, I covered the foundation of data classification.  In this post, I’ll highlight how data classification (labels) can be applied to documents and how you can configure them in Office 365.

Why would you want to classify your data?

As my previous post pointed out “Consistent use of data classification will facilitate more efficient business activities, and lower the costs of ensuring adequate information security.  By classifying data, your organization can prepare to identify the risk and impact of an incident based upon what type of data is involved.”

Most recently, I have been working with Microsoft Azure Information Protection (AIP) to classify and protect data in Office 365. AIP provides classification, labeling, and protection for documents and emails stored in your organization.  Azure Rights Management service (Azure RMS) is the protection technology, and is a component of Azure Information Protection. More information about Azure Information Protection can be found here.

What are Labels?

In AIP, a classification label is used to identify data based on its level of sensitivity and the impact to your business.  Most common sensitivity levels are categorized as restricted, confidential, official use, and public.

AIP can apply labels (classify) to documents and e-mails. The current supported file types for classification according to Microsoft are listed below.  However, in my experience and images use in this post were all done with Office 2016.  Visit this page for the latest information on supported file types.

  • Adobe Portable Document Format: .pdf
  • Microsoft Visio: .vsdx, .vsdm, .vssx, .vssm, .vsd, .vdw, .vst
  • Microsoft Project: .mpp, .mpt
  • Microsoft Publisher: .pub
  • Microsoft Office 97, Office 2010, Office 2003: .xls, .xlt, .doc, .dot, .ppt, .pps, .pot
  • Microsoft XPS: .xps .oxps
  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi.png, .tif, .tiff
  • Autodesk Design Review 2013: .dwfx
  • Adobe Photoshop: .psd
  • Digital Negative: .dng

Let’s take a look at how AIP can be used by users and administrators.

Classifying Your Documents

Users can assign predefined or customized labels manually or AIP can automatically apply a default label, depending on the version of AIP deployed with Office 365 (automatic classification requires AIP Plan 2).

This image shows the default labels from AIP that users can apply to their document from within Microsoft Word.

AIP Client Labels

 

I added a few customized and sub-level labels to the existing default ones.  You can modify the pre-existing ones as well.

AIP Customized Client Labels

You can even configure the labels to display in different languages based on your Office client.  In the image below, I configured my labels to display in Spanish.

AIP Client Labels Spanish

Configuring a default label to be applied to documents and e-mails is as simple as clicking the On or Off switch.

AIP Auto Classify2

How are Labels Created?

From Azure Information Protection Admin Portal, you can administer how labels are published to your users.  These are the default and custom labels I created.

AIP Labels

You can also scope or target labels for users or groups.  Just an example, I created a specific label for one of the users in the tenant.

AIP Scoped Policy

As you can see from the above image, all the labels are marked as ‘Global’ with the exception of one sub-label ‘Partners’ where it’s marked as ‘Ben Walters Only’.  All users will see the ‘Global’ labels, but only Ben will see the additional label.  Obviously, you would want to scope your policies to target multiple users or groups.

These are some of the features in Azure Information Protection.  I will cover more features in my next post.

AIP Client Preview 1.10.52

Leave a comment

With the previous version of AIP client Preview (1.9.21.0) (the current GA version is (1.7.210.0) if you created many new labels, you would have to scroll to select the label.

AIP Preview 1.9.21.0

I just installed the latest version of Azure Information Protection (AIP) Client Preview 1.10.52.0, and was excited to see that you can label e-mail and documents by clicking “Protect” in the main ribbon.

AIP Preview 1.10.52.0

The new AIP PREVIEW version contains many new features, check out the details here.