Join Pete Zerger for an in-depth discussion in this video Configure classification and labeling, part of Microsoft Cybersecurity Stack: Securing Enterprise Information.
- [Instructor] Although Azure information protection comes with default labels that you can customize, you can also create your own labels and sub-labels. So we'll begin by browsing to the Azure portal, and I'll log in with my kintECO Energy Azure AD user account. And from the dashboard, I'll select Azure Information Protection. If you've not pinned the Information Protection app, then go to More Services at the bottom left and search. So this will drop me into the Azure Information Protection Global Policy menu, where I can see the default labels.
Now, if I'd like to apply a label that's focused on all users, I'll stay here on Global Policy. If I would like to create a label that applies to a specific subset, then I'll go to Scoped Policies, and I'll create a new label here and specify the group that I would like to target. So for the moment, I'm going to go back to Global Policies. And in Global Policies, I'll actually look at an existing label, so let's take Confidential, and I'm going to right-click and I'm going to add a sub-label, so that's a label that will appear beneath Confidential, in this case.
And I can specify how this label is displayed and how it appears to users, so I'll give it a name, in this case, I'm going to call it Finance, and it will appear under Confidential as a Finance sub-label. The settings for the finance department. You'll notice here I can set permissions for documents. I can configure protection, and remember, classification and protection are separate entities. So I can create labels strictly for classification and apply protection where and when I want.
If I want to have headers, footers, or watermarks, I can specify the visual markings of my choice. When I select a visual marking, I'll be prompted for a value. I can also configure conditions for automatically applying this label. This will take effect if I've subscribed to the premium tier of Azure Information Protection, where auto classification kicks in. There are many out of box default conditions for me that cover a broad range of personally identifiable information, medical, financial, things like social security number, credit card data, I can choose my industry here, as you see, and there's actually a paginator at the bottom here so you can flip through all the pages.
There's a very long list. Should you find that there's not an out of box condition that matches your needs, simply select the Custom option and we can configure regular expressions. So that's really our Swiss army knife in the case that we don't find something out of the box that suits our specific situation. So let's go ahead and we'll give this label a footer, and we'll simply display Confidential - Finance, and we can configure the footer's appearance. Once I've completed all of the required fields, I can hit Save.
And once I've saved my changes, my users are only going to see those changes if I hit the Publish button to make it available to my users, in this case, it's a global policy, so it'll be available to all users, and there is my sub-label. New labels are automatically assigned the color black, but you can choose a distinguishing color from the list of colors or you can supply a hex triplet or RGB code. You can find these codes online or in apps like MS Paint. But again, to make your changes available to users, make sure you hit that Publish button or it's only going to be saved and waiting here in the Azure portal.
So now we're ready to configure protection as a next step, but before we do, in addition to the information protection bar title and tooltip, there's some settings in Azure Information Protection Policy that apply to all users and devices, so we'll again, work on the Azure Information Protection blade. I'm going to stay in this global policies area, and I'm simply going to scroll down. And down near the bottom of this blade, we'll see a few settings that are configurable. For example, all documents and emails must have a label, whether applied automatically or by users.
And I can select a default label for that policy. I can also specify whether I would like users to provide justification when they try to down-classify a document, or in other words, set a lower classification, remove a label, or remove protection. I like to always set this to On, so I get that justification, as it adds accountability to the declassification process. Bear in mind that this option is not available for sub-labels.
Now for email messages with attachments, we can apply a label that matches the highest classification of those attachments. So this is off by default, we can set this value to automatic or configure Azure Information Protection to recommend an option. And once we've configured our desired values here, again, we're going to hit Save. And then to make this available to users, you see the toast notification prompting me to publish. And when I hit Publish, those changes are going to now be pushed out to my users.
In this course—the third installment in the series—Microsoft MVP Pete Zerger demonstrates how to leverage the Microsoft cybersecurity stack to more effectively protect corporate information—on any device and in any cloud. Pete explains how to use Azure Information Protection (AIP) to protect information, as well as how to secure data on mobile devices. Plus, he covers identifying and controlling shadow IT, securing structured data in Azure, and more.
- Securing information on any device
- What is Azure Information Protection (AIP)?
- Configuring classification and labeling
- Classifying and protecting data in bulk
- Challenges of securing data on mobile devices
- Data loss prevention (DLP) on mobile devices
- Identifying and controlling shadow IT
- Securing collaboration and DLP
- Configuring dynamic data masking
- Protecting Azure SQL with SQL Threat Detection