Learn about the differences in protected data.
- [Instructor] So, if you're wondering how this works, let's walk through the steps that happen when the user classifies the document and applies protection to it. The first thing that happens is the user applies the classification or the label. In this case, they marked a document as confidential. That label is embedded in the document in the properties as we saw. Then, to protect that document, the user's computer reaches out to the Azure Information Protection service to get a certificate. This certificate is what the user is going to use to communicate with the AIP service.
The user's computer generates a random key, and that key is used to encrypt the document. Next, based on the use rights, which is what's attached to the protection that the label will apply, the user's machine generates a policy. That policy has the use rights and the copy of the encryption key. The user also has a copy of the AIP public key. Every organization that's set up with Azure Information Protection has a separate key, and of course, the user has a copy of the public key. And so, what they can do is they can encrypt that policy with the public key, and then to verify that they generated it, they sign it with their certificate.
Finally, that policy is embedded in the top of the file, so that's the part of the file that's not encrypted in the same way as the rest, and at this point we now have a document or a file that's been protected by Azure Information Protection. For the user that's going to consume it, the process is a little bit different. They open the protected file, and the two things they have are the encrypted part of the file, which they have no way to access at this point, and a copy of the policy. The user's machine sends a copy of that policy, as well as their certificate, to the Azure Information Protection service.
And what the service is able to do is, because that policy was encrypted with the organization's public key, the service has the private key, which can decrypt the policy and extract the content key which was used to encrypt the document. Based on the user's rights, based on who the user identifies themselves as, they get what's called the use license, which includes their rights, and the content key gets encrypted with the user's public key and embedded in the use license. That license is sent back to the user's machine, and the Azure Information Protection client decrypts the content key using their certificate, and uses that to decrypt the document.
The AIP client also takes those use rights from the use license, and then enforces what the user can do with the document. This is whether or not they can do things like even open it, or edit the document, or copy and paste, or print, and so forth.
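The protect-and-consume exchange the instructor describes, modelled end to end as an added example. This is illustrative code written for this page, not the AIP client, the AIP service, or the AIP file format. It assumes that the "certificate" each party holds is an RSA-2048 key pair, that the content key is a 256-bit AES-GCM key, that the policy is a small JSON structure encrypted with RSA-OAEP (SHA-256) and signed with PKCS#1 v1.5, and that the service identifies the caller by a plain user name looked up in the policy's rights map; the user names, label and document body are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Illustrative model of the AIP protect/consume flow, written for this page and not taken
// from Microsoft: the structs, key size and algorithms are assumptions made for the example.
const keyBits = 2048 // assumed; RSA-OAEP/SHA-256 at this size seals at most 190 bytes

type (
	// Policy is built by the authoring client and is only ever stored encrypted.
	Policy struct {
		Label      string
		ContentKey []byte                     // the random AES key that encrypted the body
		Rights     map[string]map[string]bool // user -> set of use rights
	}
	// ProtectedFile is the cleartext header (label, encrypted and signed policy) plus the AES-GCM body.
	ProtectedFile struct {
		Label      string
		EncPolicy  []byte // Policy JSON encrypted to the organization's public key
		PolicySig  []byte // author's PKCS#1 v1.5/SHA-256 signature over EncPolicy
		Nonce      []byte
		Ciphertext []byte
	}
	// UseLicense carries one consumer's rights plus the content key re-encrypted to their key;
	// the client consults Rights before allowing open, edit, copy or print.
	UseLicense struct {
		Rights        map[string]bool
		EncContentKey []byte
	}
)

// GenerateKey stands in for the key pair behind a user's or tenant's "certificate".
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, keyBits) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the authoring client: random content key, encrypt the body, build the policy,
// encrypt it to the org public key, sign it with the author's key, assemble the file.
func Protect(label string, body []byte, rights map[string]map[string]bool, orgPub *rsa.PublicKey, authorPriv *rsa.PrivateKey) (*ProtectedFile, error) {
	contentKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(contentKey) // crypto/rand.Read never returns an error on current Go
	rand.Read(nonce)
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, body, []byte(label)) // label bound as associated data
	policyJSON, _ := json.Marshal(Policy{Label: label, ContentKey: contentKey, Rights: rights})
	if limit := orgPub.Size() - 2*sha256.Size - 2; len(policyJSON) > limit {
		return nil, fmt.Errorf("policy is %d bytes, OAEP limit is %d", len(policyJSON), limit)
	}
	encPolicy, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, orgPub, policyJSON, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(encPolicy)
	sig, err := rsa.SignPKCS1v15(rand.Reader, authorPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{Label: label, EncPolicy: encPolicy, PolicySig: sig, Nonce: nonce, Ciphertext: ct}, nil
}

// IssueUseLicense is the service: verify the author's signature, open the policy with the org
// private key, look up the caller's rights and re-wrap the content key to the caller's public
// key. The document body never reaches the service.
func IssueUseLicense(pf *ProtectedFile, user string, userPub *rsa.PublicKey, orgPriv *rsa.PrivateKey, authorPub *rsa.PublicKey) (*UseLicense, error) {
	digest := sha256.Sum256(pf.EncPolicy)
	if err := rsa.VerifyPKCS1v15(authorPub, crypto.SHA256, digest[:], pf.PolicySig); err != nil {
		return nil, fmt.Errorf("policy signature does not verify: %w", err)
	}
	policyJSON, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, orgPriv, pf.EncPolicy, nil)
	if err != nil {
		return nil, err
	}
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	if len(p.Rights[user]) == 0 {
		return nil, fmt.Errorf("%s has no rights on this content", user)
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, p.ContentKey, nil)
	if err != nil {
		return nil, err
	}
	return &UseLicense{Rights: p.Rights[user], EncContentKey: encKey}, nil
}

// Consume is the consumer's client: unwrap the content key with the user's private key
// and decrypt the body. The client then enforces lic.Rights.
func Consume(pf *ProtectedFile, lic *UseLicense, userPriv *rsa.PrivateKey) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, lic.EncContentKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pf.Nonce, pf.Ciphertext, []byte(pf.Label))
}

func main() {
	org, _ := GenerateKey()   // tenant key, held by the service
	alice, _ := GenerateKey() // author
	bob, _ := GenerateKey()   // consumer
	rights := map[string]map[string]bool{"alice": {"view": true, "edit": true, "print": true}, "bob": {"view": true}}
	// Errors are checked inside the functions above; this demo only panics on nil.
	pf, _ := Protect("Confidential", []byte("constructed sample body"), rights, &org.PublicKey, alice)
	lic, _ := IssueUseLicense(pf, "bob", &bob.PublicKey, org, &alice.PublicKey)
	body, _ := Consume(pf, lic, bob)
	fmt.Printf("bob reads %q; print allowed: %v\n", body, lic.Rights["print"])
}
```

Two points the code makes explicit that the narration leaves implicit: the service decrypts only the policy and re-wraps the content key, so the document body is never uploaded; and the rights in the use license are enforced by the consuming client, not by cryptography, which is why an AIP client that honours them is part of the trust model. The label is bound into the AES-GCM associated data so that editing the cleartext header alone breaks decryption.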