Azure Information Protection – getting started

With the European Union General Data Protection Regulation (GDPR) becoming law in May 2018, in the last year we have seen people becoming much more interested in their data. Without going in to massive detail about GDPR these laws are designed to give back power to individuals over how their data is processed and used, for example “the right to be forgotten” with people being able to request businesses delete information about them. Partners such as risual can still help customers with GDPR through various assessments and workshops and advise on how to get them from where they are now to where they need to be.

Microsoft provide a range of products which can help customers comply with data protection regulation, and Azure Information protection (AIP) is one of these products. AIP is a cloud-based solution that helps organisations classify, label and protect documents and emails. Users can do this manually, or administrators can define rules and conditions to automatically perform classification and labelling. Documents can optionally be protected with rights management.

To make full use of all AIP features, an AIP Premium P2 subscription is required (Also part of Enterprise Mobility + Security E5). To use features that do not include automatic classification and AIP scanner, AIP Premium P1 (Included as part of part of Enterprise Mobility + Security E3 can be used). It is relatively easy to get up and running and labelling documents.

Here is an example of the default labels that are present out of the box:

In reality customers will want to use their own labels. New custom labels can be created and added to the Global policy according to an individual companies’ requirements; be mindful that simplicity is often best and avoid going “label crazy” the fewer labels and sub labels that provide a fit for your requirements the better to avoid user confusion and a good description for the label tool tip is essential. Deciding what labels you have and what they actually mean is a decision to be taken by the relevant areas of the business, we find the labels will usually reflect a company’s information classification policy. The labels at the top of the order in the AIP label list in the global policy are considered least restrictive, with more restrictive lower down. When a label is added to a document it creates metadata properties within it (likewise if a label is added to an email this information goes in to the email headers) so the information travels with the document and due to being in clear text can be utilized by various third-party data loss prevention (DLP) solutions.

From the custom properties of a labelled document in Word we can see metadata:

When configuring the global AIP policy, administrators can set various settings for all users such as a label being required to be set before saving a document, the level of the default label being set, and a user needing to provide a justification should they wish to choose a lower label (these changes can be picked up as events in the client AIP event log).

The follwing screen shot shows the AIP Global policy settings:

Users can see and manually set labels by having the Azure Information Protection client installed on their machine, the AIP label bar will appear post install with least restrictive labels appear on the left, and the most restrictive on the right. Labels can contain custom headers and footers and watermarks to visually mark the document if required. We can also force users to have to apply a label, to have to justify if lowering a label and aligning labels set on an email to match that of a particular document attached.

If there is a group in the company that needs a particular label, but the company does not want everyone else to be aware of this, we can configure another (scoped) policy to apply particular labels only to users in a specified group. The latest version of the Azure Information Protection client can be downloaded from the Microsoft downloads site, beware of making sure your clients have the relevant exclusions set if there is a firewall between them and the internet or some of the client features may not work as expected. Once installed, users will see something like this in Word, Excel, Outlook and PowerPoint (there is currently no functionality to see this bar and apply these labels in Office Online but it is coming hopefully):

In the label properties in the AIP application we can set conditions for automatically labelling documents. AIP can detect well known types of data in documents such as credit card numbers or national insurance numbers. Custom regular expressions can also be used.

If the label contains this data upon saving it will either automatically be labelled with the correct label or the user will be given a recommendation in the Office client. In this case a recommendation is issued:

(AIP is that clever that I cannot put a dummy credit card number in – it has to be a real one to test the functionality!)

Moving on from this, let’s suppose that we have labels configured, but for one label the data which will have that label is so sensitive we want users to have view only access. We can opt to protect the document, specifying groups in the organization to have say sets of pre-defined rights or custom permissions. In this case for the “Top Secret” Label we have set “Viewer” for the company.

A document that has been protected will contain a tool tip advising the user of this when they open it. They can see what permissions they have by looking at “view permissions”

View Only is quite cool as it prevents screen shots being taken of the document and event prevents it from being screen shared – I did a demo of this and everyone thought the meeting TV screen we were casting to had malfunctioned as the document went black on the shared display!

And if I copy the file outside my organisation and try to open the rights go along with it, hence no access for me!

Users can also (if the option is enabled in the Global policy) set their own custom protection permissions on documents through “custom permissions” from the protect icon or from right clicking on a file and choosing “classify and protect” from Windows explorer. There are several non-office document types that can be protected by using classify and protect from windows explorer, the label bar and protect icon currently only appear in Word, Excel, PowerPoint and Outlook.

Documents that are protected can also be tracked using document tracking, we can see who has legitimately accessed the document, when and where from on a world map. We can also see any failed attempts to access the document. The user can log in to or when in a document that they created, access document tracking “track and revoke” from the AIP client icon on the Office ribbon:

The document tracking site:

By clicking on it I can have a look at what is going on here with my document….


If an imposter has attempted to look at my document, they will get access denied as I only gave permissions to my testlab users. They will need to be authenticated with the correct account.

And this person at risual was in the UK (owing to my environment setup my test account shows as in the USA)


If they have not been opened, protected documents can also be revoked from the tracking website; if they have been opened and are then revoked the user who opened can still see them for a period of time depending on the configured use license period for that tenant (default 30 days configurable via PowerShell). We also can set users / groups of users to be exempt from tracking via PowerShell if the requirement is there.

If a user wishes to read a protected document using a mobile device, the AIP Viewer app is available for iOS 8 and Android 4.4 minimum. This app does not let you create protected files but allows you to read them on the device. Using the AIP viewer, users can use their credentials to sign in to the app and then view the document on a mobile. If a document has gone to an external company and they don’t use Office 365 / Azure Active Directory they can register for a free rights management account for individuals to view the document – however this cannot be with a Hotmail / Yahoo / personal email address; it has to be business email. For Office documents, the relevant application to read the files also needs to be installed on the device, e.g. Office / Word for mobile. The following shows a protected document opened on an iPhone using AIP viewer and Word for Mobile.

So far, this blog has dealt with labelling and protecting one document at a time. Supposing you have got many files out there that potentially have certain types of information within them and therefore need labelling? If you have configured labels for automatic classification, the AIP scanner can be installed on a server and configured to look through file server and SharePoint locations. It can examine and work on the following locations:

  • Local folders on the AIP scanner computer.
  • UNC paths for file servers that use CIFS protocol.
  • Sites and libraries for SharePoint 2013 or 2016 libraries.

Scanning is relatively resource intensive and requires a SQL database, I would personally have a dedicated server to perform this function as I’ve seen some servers running it crawling along. Installing the scanner also requires installation of the preview version AIP client and some configuration in the AIP application in Azure for authentication. Once configured you can set the locations to be scanned via PowerShell and using a discovery mode scan can see what files that are out there could be labelled before letting the scanner do anything. It can be configured to label the documents when the scan report has been reviewed.

In terms of accidental data loss, due to the label metadata being present in documents and emails, we can configure Exchange mail flow rules to pick up on these. For example:

  • If an email or document attachment contains a certain label, encrypt with Office 365 message encryption before sending to external recipient.
  • If an email or document attachment contains a certain label, block before sending to external recipient

Hopefully through this blog you have seen some of the neat AIP features that can be configured as an admin, and that an end user can use.

About the author