Azure Information Protection setup in Azure
Azure Information Protection is part of the Azure EMS package which includes Azure AD and Intune as well as Azure Information Protection.
Let me simplify MS's fancy description. What AIP basically does is monitor and track your MS documents that were classified and labelled. You encrypt the file with AIP and send it to certain users. Only users who are identified via AIP can open/modify/etc. the file.
The classification and labelling can be done in Azure Portal.
Adding and modifying templates is done in the old form of the Azure admin portal, under the "Rights Management" option. There might be/will be ways to control the AIP templates, but I had to work on this page.
Once these are done, let's see the client side. Obviously, Azure AD is a pre-requisite, as the authentication and authorization are completed by Azure Active Directory.
Users outside your organization can also access the file, given that you granted appropriate permissions in the template page. The AIP white paper says "
Azure Information Protection client installation
I won't go through how to install the Azure Information Protection client as it is quite short and clear in the link here, https://docs.microsoft.com/en-us/information-protection/rms-client/info-protect-client. You may want to deploy it to computer objects by Intune, SCCM, or GPO depending on your environment, or even PowerShell.
The addin is set up in Outlook
In Outlook, you would see an icon called "protection" - sorry it is written in Korean in the screenshot. It should be something called "Protection".
Now that you have the icon, you can display the added bar, "Sensitivity". You can choose one of the labels that you specified in the Azure Portal.
The email header
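The label metadata on a sent message can be read programmatically, for example by a mail gateway deciding whether a message may leave the organization. The following is an added example, not code from this post: it assumes the label is stored in the `msip_labels` x-header in the `MSIP_Label_<GUID>_<property>=<value>` layout Microsoft documents for the AIP client. The sample message, GUIDs, label names and the `check_outbound` policy are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message. The header name and key layout are an assumption
# based on Microsoft's documented msip_labels x-header; GUIDs, label name and
# addresses are made up.
LABEL_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EML = (
    "From: alice@contoso.example\n"
    "To: bob@fabrikam.example\n"
    "Subject: Q3 numbers\n"
    f"msip_labels: MSIP_Label_{LABEL_ID}_Enabled=True;\n"
    f" MSIP_Label_{LABEL_ID}_SiteId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;\n"
    f" MSIP_Label_{LABEL_ID}_SetDate=2017-06-01T09:30:00.0000000Z;\n"
    f" MSIP_Label_{LABEL_ID}_Name=Confidential;\n"
    f" MSIP_Label_{LABEL_ID}_Extended_MSFT_Method=Manual\n"
    "\n"
    "See attachment.\n"
)

_KEY = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(.+)$")


def parse_msip_labels(raw_message: str) -> dict:
    """Return {label_guid: {property: value}} from every msip_labels header."""
    msg = message_from_string(raw_message)
    labels = {}
    for value in msg.get_all("msip_labels", []):
        # Unfold continuation lines, then split the ';'-separated key=value pairs.
        for pair in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
            key, sep, val = pair.strip().partition("=")
            m = _KEY.match(key)
            if sep and m:
                labels.setdefault(m.group(1).lower(), {})[m.group(2)] = val.strip()
    return labels


def check_outbound(raw_message: str, allowed_external: set) -> str:
    """Hypothetical gateway policy: 'unlabeled', 'blocked' or 'ok' for an external send."""
    active = [p for p in parse_msip_labels(raw_message).values()
              if p.get("Enabled", "").lower() == "true"]
    if not active:
        return "unlabeled"  # no enabled label: the message was never classified
    names = {p.get("Name", "") for p in active}
    return "ok" if names <= allowed_external else "blocked"
```

A message with no `msip_labels` header comes back as `unlabeled`, which is the case to alert on where labelling is meant to be mandatory.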
If you set up the sensitivity, the email will contain relevant metadata like the screenshot below.
The addin in Word
If you set up a watermark in Azure Portal, it should also reflect on the document as well as the bottom sign.
You just have to save the doc as you choose the sensitivity. You should also choose which template you want to use, i.e. with whom you would like to share this file. The receivers should have been listed under "permission" (or something similar) in the old Azure portal. In my case, I granted a viewer permission to one user - see below.
1. Choose a sensitivity
2. Select a template
3. Save
4. Send it to your colleagues or users outside of your organization
Note: If he/she is an external user, and wants to access the file, you can grant the permission in the portal below. You should add it as a Mail-enabled Windows group. The group should have contacts. - I haven't tested this part yet.
Can you open the file on a personal laptop? Yes, you should provide your company Azure credentials in Word/Excel/Outlook/others. You will get prompted.
Note: Once the "AzInfoProtection" client is deployed to computers, AIP labelling is "mandatory" on the file when you close Word. You can save it, but when the Office program is closed, you will get asked to select one of the AIP labels - see below; you can't close Word when you click on "cancel".

Trick: kill the process after the save.....
Link
AIP administration tool - https://www.microsoft.com/en-us/download/details.aspx?id=30339
It should give you PowerShell cmdlets.
AIP client - https://www.microsoft.com/en-us/download/details.aspx?id=53018
Client installation file.
Thank you,
Yonghoon Shin