Azure Information Protection is a cloud service to protect content such as documents. Implementing this is no small task. In this video, Liam discusses how to plan for an AIP deployment.
- [Instructor] So what is AIP, or Azure Information Protection? Well, it's a cloud-based solution that helps you classify and protect documents and emails by applying labels. It allows you to define rules and conditions that will then assign those policies. It integrates into the Office client, and then once protected, the content can then be tracked and controlled through those policies.
So, how is data protected with AIP? Well, the protection technology uses Azure Rights Management. It uses encryption, identity and authorization policies. And then the protection is applied using the Rights Management capabilities, which means it stays with the documents and the emails, independently of where that may go.
So, from a license perspective, we need to be looking at utilizing the Microsoft 365 Enterprise plans, the Compliance plans, the Business plans, or the Enterprise Mobility. Now, there are four plans for AIP. There's the free version, which is a self-service subscription for users in the organization who want to have some kind of protection. And that's managed as a free service within the tenant. The second is AIP or Azure Information Protection for Office 365. This one is included in the Office 365 E3 plans and above. Then of course, we have the Azure Information Protection Premium, the plans one and plan two. Plan one provides additional rights to use the on-premises connectors to track and revoke shared documents and enable manual classification and labeling of documents. Plan two, however, builds automated and recommended classification as well as labeling and protection with policy rules, as well as using what's called Hold Your Own Key configuration that maps into Azure Rights Management, and Azure Directory Rights Management too.
So, let's talk about the AIP scenarios. What are we trying to solve and fix here? So, the first scenario, a user wants to open and view a document that's been labeled and/or protected by AIP. So, what's the license requirement here? Well, the worker or the person that's trying to open it does not need an AIP license to open and view a file that's been labeled or protected. The second scenario could be a user wants to open and view a document that's been labeled and protected, as well as view the label that's attached to the file. Now, this is where the license changes. In order to view the label, the user needs an Azure Information Protection client for Office app installed, which then requires the AIP license. Our final scenario here is a user wants to edit or modify content in a document that has a label. Now, this is where we do need to have those licenses. So, any change to the classification, the label or protection, does require either the P1 or the P2 license.
So, what are the deployment steps? Well, the first one is to review the subscription that's in the tenant. So, confirm the licensing and then prepare the tenant. So, that means going in and making sure the users and groups have the right protection, account settings, and licenses enabled. Then it's going to be reconfiguring the default Azure Information Protection labels with any changes that you need to make. When those labels have been completed, and are ready to go as a policy, then the users can start labeling documents, and protecting the data itself. And then it will be configuring the final policies for those services.
Now, of course, if we want to do some kind of data protection, then again, we have to confirm the licensing, which is to make sure we have the more advanced features of Azure Information Protection. Then, make sure that the user accounts and groups in Office 365 exist, and that they have the right permissions to the service. And then when we install the Azure Information Protection client, which is now part of the newer versions of Office, but there is a client that can be installed. And then, we configure the services for rights management.
So, the most important thing here is that there's a tenant set up for the users and groups, a license set up, and then a configuration for those services, as well as the potential of installing a client application onto the machines.
This course maps to the Manage Microsoft 365 Governance and Compliance domain of the Microsoft 365 Mobility and Security (MS-101) exam.