Protecting documents with Azure Information Protection
Classified
Employees communicate with different people on many levels, ranging from the boss, through the intern, to external service providers. Ideally, not every email or document should be accessible to everyone. Azure Information Protection (AIP) is a cloud-based solution for classifying, identifying, and protecting documents and email. The administrator determines whether this is done manually by the user, automatically, or with a combination of both methods.
Microsoft uses Rights Management Services (RMS) technology to protect documents. RMS has been available on premises for some years as Active Directory Rights Management Services (AD RMS). Compared with this on-premises version, the advantage of AIP is that no complex server infrastructure is required; Microsoft operates the servers and the public key infrastructure (PKI). By default, Microsoft also generates and holds the tenant's root key; organizations that need to control that key themselves can bring their own key from an Azure Key Vault hardware security module instead.
With AIP, you can be up and running at least as quickly as with AD RMS, including support for mobile devices. In some areas, the feature set goes even further: Departmental templates, for example, restrict a document to a defined group of users, and document tracking lets the owner see who has opened a protected file and revoke access if necessary.
Meshing with Azure AD
To try AIP, you need an Office 365 subscription that includes AIP. The Azure documentation compares the available plans [1]; check there which subscription or plan includes AIP and what you need to do. From there you can purchase a trial subscription directly or extend your existing subscription if you are already a customer of Microsoft's cloud. In both cases, you can test AIP for 90 days.
Each user must be assigned a license from the selected subscription in Office 365. How these user identities get into Azure AD, which stores the user and group identities for Office 365, does not matter to AIP itself. The most direct way is to synchronize your on-premises AD with Azure AD using Azure AD Connect. This is especially useful if you use "scoped policies," which are applied on the basis of group membership: with a central on-premises AD that pushes all changes to the cloud, users and groups are managed in one place, the local AD. Otherwise, you would have to maintain users and groups in parallel in Azure AD, which increases overhead.
Information protection only works if it fits into end users' workflows. For this purpose, Microsoft provides an AIP client that integrates seamlessly into the Microsoft Office suite and slots into the Office products' menus. Additionally, the client extends the context menu in File Explorer to protect or classify individual files (Figure 1). AIP supports the current Windows and Office versions. If you need specific information (e.g., which ports and URLs need to be open on the firewall), you can find it on TechNet [2]. Users outside the company who do not have an Office 365 or Azure AD account can register their email addresses with RMS for Individuals, a free self-service subscription that authenticates accounts outside Microsoft's cloud so that they can open files protected by AIP. Registration only authenticates such a user; the user still needs to have been granted rights to the file.
Quick Start
AIP can be administered in several ways: through the classic Azure portal, with PowerShell, or from the Office 365 admin center. Unfortunately, the classic Azure portal still exists in parallel to the new Azure portal, and the settings overlap here and there, which is confusing and far from transparent for newcomers. It is therefore best to avoid the old portal, which is not a big problem with AIP, because templates, for example, can also be managed with PowerShell. Microsoft itself recommends the new portal at portal.azure.com, where as an admin you are always certain to find the newest functions.
If you decide to activate AIP in the Office 365 admin center, you will find it in the Services & add-ins settings. Before using AIP in the new Azure portal, you also need to activate it there. You will find AIP under New | Security + Identity, which takes you directly to the AIP central admin page. There you can edit the policies and define how email and documents are handled on mobile devices.
Finally, you need the previously mentioned AIP client. The setup after downloading [3] is largely unspectacular. Besides the setup executable, the download also includes an MSI package suitable for software distribution. Run the AIP client setup and ignore the option to create a local demo policy, which would be overwritten anyway by the centrally defined policy from the Azure portal. The portal contains two standard templates and some descriptions that can be used for illustration and adapted if necessary. However, before you change anything here, you should be clear about which levels of protection or classification make sense for your own IT landscape.
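The following PowerShell session is an added example and not part of the article: it shows the tenant-side checks an administrator would run instead of clicking through the classic portal, covering the activation state, the service endpoints that the firewall needs to allow, the protection templates, and the group-based pilot rollout mentioned above in connection with Azure AD Connect. It uses the AIPService module (called AADRM when this article was written; the cmdlet names below are the current ones). The module being installed, an account with global or AIP administrator rights, and the value of $pilotGroupId are assumptions; the group ID is a placeholder.

```powershell
# Added example, not from the article: tenant-side AIP administration with the
# AIPService module. Assumes Install-Module -Name AIPService has been run and that
# Connect-AipService is answered with a global or AIP administrator account.
# $pilotGroupId is a placeholder, not a real Azure AD object ID.

Import-Module AIPService
Connect-AipService                      # interactive sign-in to the tenant

# 1. Check activation. Labels can classify without it, but nothing is encrypted
#    until the protection service is enabled for the tenant.
$state = Get-AipService
if ($state -ne 'Enabled') {
    Write-Warning "AIP protection service is '$state'. Enabling it is a tenant-wide change."
    Enable-AipService
}

# 2. Tenant configuration: the licensing and certification URLs are the endpoints
#    clients must reach, i.e. what your firewall/proxy exception list needs.
#    SuperUsersEnabled deserves a look: super users can decrypt every protected file.
Get-AipServiceConfiguration |
    Select-Object FunctionalState,
                  LicensingIntranetDistributionPointUrl,
                  CertificationDistributionPointUrl,
                  SuperUsersEnabled

# 3. Enumerate protection templates (the two defaults plus your own) and the
#    rights each one grants, so the documented strategy can be checked against reality.
foreach ($t in Get-AipServiceTemplate) {
    Write-Host "Template $($t.TemplateId)  status=$($t.Status)"
    Get-AipServiceTemplateProperty -TemplateId $t.TemplateId -Names -RightsDefinitions
}

# 4. Pilot rollout by group membership: only members of one Azure AD security group
#    (for example synchronized from on-premises AD by Azure AD Connect) may protect
#    content; everyone else can still open what they are granted rights to.
$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder ObjectId
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $false `
                                      -SecurityGroupObjectId $pilotGroupId `
                                      -Scope All
Get-AipServiceOnboardingControlPolicy    # verify what was actually applied
```

The onboarding control policy is the cmdlet-level counterpart of a phased rollout: it limits who can apply protection, not who can consume it, so a pilot does not lock the rest of the company out of documents that pilot users send them.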
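The File Explorer context menu protects one file at a time; the client also installs the AzureInformationProtection PowerShell module, which does the same thing in bulk. The script below is an added example and not part of the article. It assumes the AIP client is installed, the user has signed in once so the central policy is cached locally, and that $share and $labelId are replaced with a real folder and a real label ID taken from the Azure portal; both values are placeholders.

```powershell
# Added example, not from the article: inventory and bulk-label files with the
# AzureInformationProtection module that ships with the AIP client. Assumes the
# client is installed and the user has signed in once. $share and $labelId are
# placeholders that must be replaced with a real folder and a real label ID.

Import-Module AzureInformationProtection

$share   = 'C:\Share\Finance'                          # placeholder folder to audit
$labelId = '00000000-0000-0000-0000-000000000000'      # placeholder label ID from the portal

# Protection templates visible to the signed-in user; -Force refreshes them from the service
Get-RMSTemplate -Force | Format-Table TemplateId, Name -AutoSize

# 1. Inventory: what is labeled, and what is actually RMS-protected? The two are not
#    the same; a label only encrypts if it is bound to a protection template.
$status = Get-AIPFileStatus -Path $share
$status | Group-Object IsLabeled, IsRMSProtected | Select-Object Count, Name

# 2. Apply the label to unlabeled Office and PDF files. -PreserveFileDetails keeps the
#    modification time so backup and sync jobs do not see every file as changed.
$results = $status |
    Where-Object { -not $_.IsLabeled -and $_.FileName -match '\.(docx|xlsx|pptx|pdf)$' } |
    ForEach-Object {
        Set-AIPFileLabel -Path $_.FileName -LabelId $labelId -PreserveFileDetails
    }

# 3. Report failures instead of assuming success: files that are open elsewhere or in
#    an unsupported format come back with a status other than Success.
$results | Where-Object Status -ne 'Success' |
    Format-Table FileName, Status, Comment -AutoSize

# 4. Verify: a label bound to a protection template must now show IsRMSProtected = True
Get-AIPFileStatus -Path $share | Where-Object IsLabeled |
    Format-Table FileName, MainLabelName, IsRMSProtected -AutoSize
```

Running step 1 on its own, before any labeling, is a cheap way to discover how much unclassified material a share already holds and whether earlier "protected" files are really encrypted or merely labeled.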
Classification Strategy
With AIP, nothing is set in stone, and subsequent adjustments are possible at any time. Nevertheless, it makes sense to prepare a roadmap for the implementation in advance that takes into account the business processes or departmental structures. Document protection at the departmental level makes sense in many cases, so it is best to familiarize yourself with the default policy, which provides illustrative material for your own ideas and can be adapted to your needs.
For a description of the initial settings, see the Microsoft documentation [4] and the deployment roadmap [5] for AIP, both of which help when choosing a strategy. In general, AIP is built around labels, each of which carries classification settings and, optionally, conditions and protection rules. You can see them on the AIP overview page in the Azure portal.