Classifying Data with Azure Information Protection (AIP) – Introduction

Leave a comment

In my previous post, Benefits of Data Classification, I covered the foundation of data classification.  In this post, I’ll highlight how data classification (labels) can be applied to documents and how you can configure them in Office 365.

Why would you want to classify your data?

As my previous post pointed out “Consistent use of data classification will facilitate more efficient business activities, and lower the costs of ensuring adequate information security.  By classifying data, your organization can prepare to identify the risk and impact of an incident based upon what type of data is involved.”

Most recently, I have been working with Microsoft Azure Information Protection (AIP) to classify and protect data in Office 365. AIP provides classification, labeling, and protection for documents and emails stored in your organization.  Azure Rights Management service (Azure RMS) is the protection technology, and is a component of Azure Information Protection. More information about Azure Information Protection can be found here.

What are Labels?

In AIP, a classification label is used to identify data based on its level of sensitivity and the impact to your business.  Most common sensitivity levels are categorized as restricted, confidential, official use, and public.

AIP can apply labels (classify) to documents and e-mails. The current supported file types for classification according to Microsoft are listed below.  However, in my experience and images use in this post were all done with Office 2016.  Visit this page for the latest information on supported file types.

  • Adobe Portable Document Format: .pdf
  • Microsoft Visio: .vsdx, .vsdm, .vssx, .vssm, .vsd, .vdw, .vst
  • Microsoft Project: .mpp, .mpt
  • Microsoft Publisher: .pub
  • Microsoft Office 97, Office 2010, Office 2003: .xls, .xlt, .doc, .dot, .ppt, .pps, .pot
  • Microsoft XPS: .xps .oxps
  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi.png, .tif, .tiff
  • Autodesk Design Review 2013: .dwfx
  • Adobe Photoshop: .psd
  • Digital Negative: .dng

Let’s take a look at how AIP can be used by users and administrators.

Classifying Your Documents

Users can assign predefined or customized labels manually or AIP can automatically apply a default label, depending on the version of AIP deployed with Office 365 (automatic classification requires AIP Plan 2).

This image shows the default labels from AIP that users can apply to their document from within Microsoft Word.

AIP Client Labels


I added a few customized and sub-level labels to the existing default ones.  You can modify the pre-existing ones as well.

AIP Customized Client Labels

You can even configure the labels to display in different languages based on your Office client.  In the image below, I configured my labels to display in Spanish.

AIP Client Labels Spanish

Configuring a default label to be applied to documents and e-mails is as simple as clicking the On or Off switch.

AIP Auto Classify2

How are Labels Created?

From Azure Information Protection Admin Portal, you can administer how labels are published to your users.  These are the default and custom labels I created.

AIP Labels

You can also scope or target labels for users or groups.  Just an example, I created a specific label for one of the users in the tenant.

AIP Scoped Policy

As you can see from the above image, all the labels are marked as ‘Global’ with the exception of one sub-label ‘Partners’ where it’s marked as ‘Ben Walters Only’.  All users will see the ‘Global’ labels, but only Ben will see the additional label.  Obviously, you would want to scope your policies to target multiple users or groups.

These are some of the features in Azure Information Protection.  I will cover more features in my next post.

AIP Client Preview 1.10.52

Leave a comment

With the previous version of AIP client Preview ( (the current GA version is ( if you created many new labels, you would have to scroll to select the label.

AIP Preview

I just installed the latest version of Azure Information Protection (AIP) Client Preview, and was excited to see that you can label e-mail and documents by clicking “Protect” in the main ribbon.

AIP Preview

The new AIP PREVIEW version contains many new features, check out the details here.

Benefits of Data Classification

1 Comment

Organizations are overwhelmed with data, from e-mails to confidential documents.  With increased reliance on cloud services like Office 365, data is no longer locked behind the walls of your organization. Today’s organizations and the nature of connecting users, business partners, and suppliers generate a tremendous amount of data.  How can you ensure that important data is protected, without needing to protect everything?


What is data classification?

Data classification is the process an organization follows to develop an understanding of its information assets, categorize those assets to safeguard information and comply with its information security policies, laws, regulations, and compliance obligations.  This is done by applying labels to documents either manually or automatically based on predefined policies.

A typical data classification policy might define information at four levels:

  • Restricted: Data that is considered most critical to the organization. Disclosure of this data could violate or have severe regulatory impact.
  • Confidential: Highly sensitive corporate and customer data that if disclosed could put your organization at financial risk, loss of customer, or disruption of operations.
  • Official Use: Internal data that is not meant for public disclosure. If the data is compromised, would have minimal impact but does not impact profitability or continuing operations of the business.
  • Public: Data that requires no special protection and may be freely disclosed with the public.

Benefits of classifying your data

The sensitivity of data varies significantly from public information to highly confidential trade secrets.  To ensure proper protection, organizations need to identify and classify data, while defining standards and policies to properly handle each type of data.

Consistent use of data classification will facilitate more efficient business activities, and lower the costs of ensuring adequate information security.  By classifying data, your organization can prepare to identify the risk and impact of an incident based upon what type of data is involved.

Compliance – Classifying data, adding labels, and enforcing policies helps your organization meet legal compliance and regulatory requirements.

Usage Rights – By understanding the sensitivity of the data, you can begin to understand who should or shouldn’t have access to it both inside and outside of your organization.

Awareness – data classification helps to ensure employees are more aware of the type of information they are dealing with and its value, as well as their obligations in protecting it to prevent data loss or compromise intellectual property.

End User Empowerment – Data classification brings security to the front of your organization by empowering its users. Many data leaks could be avoided if a data classification solution is in place. Adding visual labels to headers and footers helps to raise end user awareness and assist them in becoming more security focused and avoid sharing sensitive content on USB drives, via e-mail, or could services like Box or Dropbox.

Getting Started

Getting started with data classification requires understanding your organization’s data compliance and security needs. When you are ready to start classifying your data, keep these in mind:

  • Keep the process of classifying data simple for both users and the data custodians
  • Don’t try to classify everything immediately
  • Work with data owners to focus first on the most business-critical, highly sensitive, critical assets and systems

Securing data is a growing challenge, but incremental steps are keys to an organized and classified data model.  Data classification provides a clear picture of the data within your organization’s control and an understanding of where data is stored, how it’s most easily accessed, and how data is best protected from potential security risks.

In this post, I covered the foundation of data classification.  In my next post, I’ll focus on classifying data in Office 365.