
Protecting proprietary information and managing company information present challenges to modern organisations. Sensitive data shouldn’t be shared outside of departments, and great care must be taken to allow only authorised personnel either to access or view protected content.
Microsoft Azure Information Protection is designed to augment and improve upon current protection capabilities for documents and emails within an organisation, both internally and in the Azure cloud. It works directly within Office 365 and related apps to help ensure that unauthorised access to data is prevented.
What is Azure Information Protection?
Azure Information Protection (AIP) is a cloud-based service that adds another layer of primarily file-level controls to prevent unauthorised access, sharing, or distribution. It is now a key part of the Microsoft Purview Information Protection system, which consolidates AIP and other advanced features for comprehensive data protection.
AIP brings new opportunities to create security taxonomies and added controls by tagging files using classification and labelling. Labels are assigned explicit permissions, depending on what’s required within the department and business.
The Microsoft 365 Enterprise suite of Office apps and the latest retail version of Microsoft Office include the ability to assign labels to files. Other implementations allow either manual assignment, file repository scanning, or automated label assignment to existing files.

Directory/Folder-Level and User-Level Controls
Previously, companies mainly relied on various implementations of folder-level and user-level access controls for file systems. These had various names, including Windows Rights Management Services, and Azure Active Directory Rights Management Services, amongst others.
Broadly speaking, these ensured that files in certain folders – for instance, relating to a specific department – could only be accessed by that team. User-level protocols also permitted senior managers to access files for the departments or smaller teams they’re responsible for.
Potential Limitations of Active Directory and Previous Solutions
While Azure Active Directory (now Microsoft Entra) and user-level controls perform well, they have limitations.
For instance, new documents attached to an incoming email, or the introduction of a new Azure platform storage repository of files for users, create new problems.
What labels and permissions should they have? When thousands of incoming files are received daily, how can they be manually assigned rights and folders?
Microsoft Azure Information Protection meets this need by adding an extra layer of security. This primarily works inside the Office 365 apps, Microsoft Teams, SharePoint, and Microsoft 365 groups.
Labelling, Customisation, and Confidentiality
A standard collection of default sensitivity labels exists for labelling and protection in Microsoft Purview. However, these can be extensively modified depending on organisational needs, which Microbyte can assess and implement for you.
Standard labels may include:
- Personal
- Private
- Internal
- Confidential
- Highly Confidential
Publishing Sensitivity Labels
Once labels are set, classified, and grouped, they can be published internally as an established label policy.
From that point, they’re enforced on all relevant users and user groups.
Confidential Labels
The pre-existing Confidential label has specific restrictions and controls in place to protect your sensitive data.
Files tagged with this label aren’t allowed to be sent outside of the organisation over email or by any other method. Confidential information such as credit card numbers, passwords, or the source code from software under development is restricted too.
Attempts to contravene these limitations, once the labels have been published to all relevant users and groups they pertain to, produce immediate warnings and are actively prevented. Audit logs are also generated for each occurrence.
Highly Confidential Labels
Files tagged using the pre-existing Highly Confidential label have additional elevated limitations.
These almost always include encryption of all files with this label applied, preventing third-party access, and preventing confidential financial data from being exposed. Taking screengrabs of open files is also blocked due to their confidential nature.
Some files may be emailed using a cloud-based email solution, such as Gmail. However, active Azure Rights Management policies, labelling controls, and file encryption processes ensure that the document or file isn’t accessible to outsiders.
Microsoft 365 Built-in Labelling vs. AIP Add-In
Modern users of the Microsoft 365 suite now have a Sensitivity option for labelling the currently open file.
This also applies to the newer standalone versions of Microsoft Office. It is possible to force users to label every document they produce, which avoids categorisation gaps.
Built-in Labelling Support – Today, modern versions of the Office suite of apps include classification and protection options by default. These receive the latest security updates.
AIP Add-In – For older Office suite versions, an Add-In file from Microsoft was previously installable. However, the AIP Unified Labelling Client has been retired by Microsoft. Labelling is therefore now performed exclusively via the built-in feature.
Automatic Labelling of Files
Automatic labelling of files is supported for Office apps under specific licensing tiers (such as Microsoft 365 E5 or AIP P2 legacy). This is currently available via service-side auto-labelling.
Auto-labelling is beneficial for files containing sensitive information. Users, and members of the appropriate groups, are prompted to add an appropriate label to their file, or the system does it for them. This helps govern sensitive information without relying solely on user compliance.
Manual Labelling Methods
Microsoft Azure Information Protection uses its unified labelling platform to provide the labelling, file classification, and permission features.
While the legacy client is retired, built-in features in File Explorer and PowerShell allow an appropriate user to apply labels to relevant files. You can still use modern tools to classify and protect files for easy access.
The Microsoft Purview Information Protection Scanner (formerly AIP Scanner) is another labelling method. Administrators can use it to scan on-premises file repositories for unlabelled and unclassified files and to tag files that need a label applied. Additionally, files found to contain sensitive information (credit card numbers, etc.) are highlighted so that appropriate permissions can be applied to them too.
There is also an Information Protection SDK that allows third-party apps, used internally, to apply relevant labels using established labelling policies before a file is exported.
Enhanced Email Security
Email security is paramount today. Many email attachments arrive from third parties that not only must be scanned for potential malware and viruses but also require tagging with the most relevant sensitivity label.
AIP ensures that files reaching email servers, including those of Outlook users, get labelled once received. This ensures that appropriate file security policies are applied in real time.
Strategic Deployment: Crawl, Walk, Run
Deploying a protection technology like AIP requires a strategic approach to avoid overwhelming users. We recommend a “Crawl, Walk, Run” framework:
- Crawl: Start by discovering your data. Use the scanner in discovery mode to audit your on-premises file servers and identify sensitive content without enforcing changes.
- Walk: Introduce manual labelling. Allow users to classify documents as “Public” or “Internal” to build habit, without applying encryption yet.
- Run: Enforce protection features. Enable Azure Rights Management Service (Azure RMS) encryption for “Confidential” labels and automate rules to protect sensitive data automatically.
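The Crawl step above, sketched as an added example (not Microbyte's or Microsoft's code, and not the Purview scanner itself): a read-only pass that flags files containing Luhn-valid card numbers and suggests a label without changing anything. The .txt filter, the "Confidential" suggestion, the function names and the sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SUGGESTED_LABEL = "Confidential"  # assumption: label name taken from the page's list

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid candidates, masked so the report holds no card data."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def discover(root: Path) -> list[dict]:
    """Discovery pass: files are only read, never labelled or modified."""
    findings = []
    for path in sorted(root.rglob("*.txt")):
        hits = find_card_numbers(path.read_text(errors="ignore"))
        if hits:
            findings.append({"file": path.name, "matches": hits,
                             "suggested_label": SUGGESTED_LABEL})
    return findings

if __name__ == "__main__":
    # Constructed sample files; 4111 1111 1111 1111 is a well-known test number.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.txt").write_text("Paid with 4111 1111 1111 1111 on file.")
        (root / "orders.txt").write_text("Order ref 1234567890123456 shipped.")
        (root / "notes.txt").write_text("Agenda for Monday's meeting.")
        for finding in discover(root):
            print(finding)
```

The Luhn check is what keeps the 16-digit order reference out of the report; a pattern match alone would flag it and inflate the discovery results.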
Frequently Asked Questions
What is Microsoft Information Protection vs. Azure Information Protection?
Microsoft Information Protection (MIP) is the overarching framework that unifies classification, labelling, and protection across the Microsoft estate. Azure Information Protection (AIP) is the specific cloud-based service that provides the encryption and rights management capabilities (via Azure RMS) that power MIP.
Is the AIP Client retired?
Yes. The Azure Information Protection Unified Labeling client was retired in April 2024. Organisations should now transition to the built-in labelling features native to Microsoft 365 Apps for Enterprise.
Does this include support for PDF files?
Yes. The Microsoft Information Protection SDK and modern viewers allow for the protection of documents beyond just Word and Excel, including PDF files.
Let Microbyte Improve Your File Security Today
Microbyte is highly experienced in setting up improved file security via the features within Microsoft Azure Information Protection. Let our team better protect your files, email usage, and the confidentiality of proprietary information.
For additional resources or technical support regarding your migration to Purview, get in touch today.





