Walk through a demo of setting up a classification policy in Azure and attaching protection to labels.
- Azure Information Protection is configured in the Azure portal, like all the other services that we've looked at so far. You'll just add the Azure Information Protection item to your toolbar on the left, or pin it to your dashboard. On the screen, I have the Azure Information Protection configuration page that we're going to go ahead and go through. Everything we do in Azure Information Protection is going to be done with a policy. We can either have a global policy that applies to all our users, or we can have one or more scoped policies that only apply to certain users. This is useful if you need people in different departments or different parts of the company to have different labels and different policies that apply to them.
What we'll do, is we'll configure the global policy. The policy is comprised of a couple of different things. Primarily, it's comprised of different labels. The labels that you see here correspond to the labels that were on the screen earlier when we applied protection and labeling to our documents. You notice that the labels here are defined in a specific order. They have their names, they have colors, and they have a hierarchy. This is mirrored exactly in the Office applications that use the AIP client.
If we take a look at the Private label, which we used to apply protection earlier, we'll see about the name and the description, which is shown in the client applications, as well as the color of the label as it shows up on the toolbar. The color that you could apply often corresponds to the sensitivity of the document, so you can provide a visual cue to the end-user, as to which label that they're supposed to choose. That covers the classification, but then there's the permissions that are applied to protecting the document. 'Cause this is private, we've chosen to automatically protect the document.
And to do that, we click Protect, and then configure protection. We can either do this based on users and groups, or we can do it on a more granular level. This one's configured to have everybody in our tenant have access. Although typically, you would add distribution lists, or other groups of people, perhaps all of your employees would have the ability to edit and print the document, but your contractors would only be able to view it. You can also configure content to expire so that after a certain number of days, it simply can't be opened anymore. And then finally, you can allow offline access.
The first time you access a document on a specific machine, you'll get a license to access that document, and you get to say how long that license is good for before the user needs to connect again. This can be useful if you open the document and then you get on an airplane, for example, and you don't have internet access, but still want to continue to work with the document. By default, that defaults to seven days, where you can access the document offline before you'll need to check in again. The visual markings like the header, the footer, and the watermark, are also configured here.
As you might recall, we applied that H-Plus Private watermark, which is configured here. And you can configure things like the font, size, and color, and so forth, as necessary. Finally, one thing that we didn't demonstrate that can be really useful here, is you can also automatically apply labels. For example, you could define a condition that says, any time the document includes the word, private, we'll automatically apply the Private label.
This can be really useful, especially if you use the built-in Information Types and you look for things like a driver's license number or a Social Security number, or another pattern, to automatically apply classifications and protection to meet your compliance needs. Once you've configured your labels, you'll save the policy, then the policy becomes effective as soon as you publish it. You should know that people's machines cache these policies so they won't update it in real-time, but it might take several days before their machine gets the update.
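The automatic-labeling conditions described above (a keyword such as "private", or a pattern such as a Social Security number) can be sketched as follows. This is an added example, not code from the course or from Azure Information Protection; the labels other than Private, the function names, the sample texts, and the rule that the most sensitive matching label wins are assumptions of the sketch.

```python
import re

# Policy order, least to most sensitive. Only "Private" comes from the demo;
# "General" and "Restricted" are hypothetical labels for this sketch.
LABEL_ORDER = ["General", "Private", "Restricted"]

# SSN-shaped token that is not part of a longer digit/hyphen run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# Whole-word keyword match, so "privatex" or "privately" does not trigger.
KEYWORD_RE = re.compile(r"\bprivate\b", re.IGNORECASE)


def has_plausible_ssn(text):
    """True if text holds an SSN-shaped value that passes basic range checks."""
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9"):
            continue  # area numbers that are never issued
        if group == "00" or serial == "0000":
            continue  # group and serial are never all zeros
        return True
    return False


# (label, condition) pairs standing in for the conditions set on each label.
CONDITIONS = [
    ("Private", lambda t: bool(KEYWORD_RE.search(t))),
    ("Restricted", has_plausible_ssn),
]


def recommend_label(text):
    """Return the most sensitive label whose condition matches, or None."""
    matched = [label for label, cond in CONDITIONS if cond(text)]
    if not matched:
        return None
    # Assumption of this sketch: the label latest in policy order wins.
    return max(matched, key=LABEL_ORDER.index)


# Constructed sample documents.
SAMPLES = {
    "memo.txt": "Lunch menu for Friday.",
    "notes.txt": "Keep this PRIVATE until launch.",
    "hr.txt": "Private file. Employee SSN 123-45-6789 on record.",
    "test.txt": "Placeholder id 000-12-3456 used in privatex build.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", recommend_label(body))
```

The range checks matter for compliance scanning: a bare `\d{3}-\d{2}-\d{4}` match flags test data and part numbers, which trains users to ignore or override labels.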
- Authentication options with Azure AD
- Configuring Azure AD Connect for sync and authentication
- Securing remote access with the Azure Application Proxy
- Managing apps and devices with Intune
- Building and deploying a basic Intune policy for iOS or Android
- Protecting data beyond the firewall with Azure Information Protection (AIP)
- Configuring AIP classification labels and protection
- Integrating Exchange and SharePoint with AIP
- Managing risk with Advanced Threat Analytics
- Connecting Office 365 to cloud app security