Get an overview of the Azure Information Protection service.
- [Instructor] Azure Information Protection or AIP is included in the EMS offering and can be used to classify, label, and protect your company's documents and email. Remember way back in the day when everyone and everything was on site and it was easy to control our data? It didn't leave our environment. We knew exactly where it was. But as we all know, that has changed over the last several years. Now, our data can be shared and distributed in a number of ways and this can happen for a number of reasons and data leakage can and will happen.
AIP protects the data no matter where it is, on what service or device. There are several benefits to using AIP. First, it secures your files and emails, and this is done through encryption, identity, and authorization policies. And secondly, it is platform independent. It will work on your phones, tablets, and PCs, Mac and Android, as well as Windows. Azure Information Protection uses the technology Azure Rights Management. Therefore, you may hear the term Rights Management or RMS interchangeably with AIP.
As we have already learned, AIP is platform independent. You can use it on Apple, Windows, or Android devices, whether those are tablets, PCs, or phones. AIP or RMS can be used to protect our Office 365 data including documents in SharePoint and OneDrive as well as our email. You can use AAD or Azure Active Directory Connect to sync your Windows Server Active Directory to Azure Active Directory. Your users can then use a single identity to use AIP, reducing their workload and frustration since they only have to manage one identity.
And AIP is not just for cloud. You can also leverage the technology in your on-premises environment, including SharePoint and Exchange on-premises, and you can also tie it in to Windows Server File Services. Now, keep in mind, the on-premises configuration must meet specific requirements and will require additional configuration, which is out of scope for this course. By understanding the Azure Information Protection lifecycle, you can design your policies to meet your needs. The lifecycle starts off with detecting. AIP can detect sensitive data based on the policies that we create.
Next in the Information Protection lifecycle is classification. Here, we can apply labels based on the sensitivity of that data. Probably the most important part of Azure Information Protection is the protection part. This is where we can apply protection and this could include encryption or access restrictions to that data. And finally monitoring, we can see who has or even tried to open up a document. And if necessary, revoke that document, therefore ensuring that the data never falls into the wrong hands.
By default, AIP comes with a global policy. This is Microsoft provided and configured. But sometimes the global policy doesn't work well in all situations; then we can use the scoped policy, and we apply scoped policies to specialized teams. For example, a scoped policy could be applied to an acquisition team or a specialized product development team, and only members of that team would see the policy. The rest of the company would never see this policy. They may not even know that that team exists.
Let's quickly discuss the policy itself. It will contain labels, which are used to classify the data, and visual markings to clearly identify that the data is protected, and the policy can also be configured to automatically apply or recommend labeling to your users, and we'll see that in the demo. We've talked a little bit about labels, and we'll spend a lesson creating labels a little later in this chapter. But for now, understand that you'll want to make your labels user friendly. You may have several labels in your company, and in order for your users to use these correctly, they need to understand your labeling.
Make it as easy for your users as possible. Typically when you're designing labels, you'll come up with one label for each business division. Now, this is not a hard and fast rule and there may be cases or companies where this will not work. You may have it as simple as three labels, one that says everybody can see this, one for internal only, and one label for highly confidential. And in the global policy, Microsoft recommends that you do not change the labels that are already there, but add to it, and you'll see that in the demo shortly.
And when we apply protection to our documents, we can do that by using encryption, and this will protect the document in transit and at rest, and the document can only be decrypted by authorized users, even if that name is changed, so we can be sure that that document is only seen by who it's supposed to be seen by. AIP is a pretty powerful tool, but it must be used with care, as it can frustrate your users if you overuse it. In our next lesson, we're going to explore the global policy and some of the configurations required to protect your data.
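The monitoring and revocation step of the lifecycle described above can be driven from PowerShell with the AIPService module. The script below is an added example, not part of the course or a Microsoft sample: it assumes the AIPService module is installed and that the signed-in account is an AIP administrator, the owner address and tenant are constructed sample values, and the `FunctionalState` property and the `Get-AipServiceTrackingLog` output shape are assumptions about the cmdlet output rather than something the course states. The revoke step honours `-WhatIf` so an operator can review the access log before actually cutting off a document.

```powershell
# Added example (not from the course or from Microsoft). Assumes the
# AIPService module is installed (Install-Module AIPService) and the
# caller holds an AIP/RMS administrator role in the tenant.
Import-Module AIPService
Connect-AipService   # interactive sign-in to the tenant

# Sanity check: revocation only makes sense if the protection service is on.
# 'FunctionalState' is an assumed property name of the configuration object.
$config = Get-AipServiceConfiguration
if ($config.FunctionalState -ne 'Enabled') {
    throw 'Azure RMS is not enabled for this tenant; run Enable-AipService first.'
}

function Get-ProtectedDocumentActivity {
    <#
      Lists documents protected by an owner in the last $Days days and, for
      each one, the tracking events (who opened or tried to open it).
      Returns one object per document with its events attached, so the
      caller can inspect them before deciding to revoke anything.
    #>
    param(
        [Parameter(Mandatory)] [string] $Owner,
        [int] $Days = 30
    )
    $since = (Get-Date).AddDays(-$Days)
    $docs  = Get-AipServiceDocumentLog -Owner $Owner -FromTime $since -ToTime (Get-Date)

    foreach ($doc in $docs) {
        # Tracking log entries for this content id; the exact property names
        # on each entry are not assumed here, the whole entry is returned.
        $events = Get-AipServiceTrackingLog -ContentId $doc.ContentId
        [pscustomobject]@{
            ContentId   = $doc.ContentId
            ContentName = $doc.ContentName
            Owner       = $Owner
            EventCount  = @($events).Count
            Events      = $events
        }
    }
}

function Revoke-ProtectedDocument {
    <#
      Revokes a single protected document so that no further content keys
      are issued for it. Supports -WhatIf / -Confirm so the change can be
      previewed; revocation is not something to run unattended.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [guid]   $ContentId,
        [Parameter(Mandatory)] [string] $IssuerName
    )
    if ($PSCmdlet.ShouldProcess("$ContentId (issued by $IssuerName)", 'Revoke')) {
        Set-AipServiceDocumentRevoked -ContentId $ContentId -IssuerName $IssuerName
    }
}

# --- usage (constructed sample owner address) ---------------------------------
$owner    = 'alice@contoso.example'
$activity = Get-ProtectedDocumentActivity -Owner $owner -Days 30

# Show every protected document and how many access events it has collected.
$activity | Select-Object ContentName, ContentId, EventCount | Format-Table -AutoSize

# Drill into one document's events to see who opened or attempted to open it.
$activity | Select-Object -First 1 -ExpandProperty Events | Format-List

# Preview the revoke for the first document; drop -WhatIf to apply it.
$activity | Select-Object -First 1 | ForEach-Object {
    Revoke-ProtectedDocument -ContentId $_.ContentId -IssuerName $_.Owner -WhatIf
}
```

Reviewing the tracking events before revoking matters because revocation is per document and is visible to every legitimate recipient too; the `-WhatIf` preview keeps the decision with the administrator.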