First published on CloudBlogs on Feb 08, 2017
The document is then shared. On receiving the document, the recipient is restricted in the actions they can take as shown below:
The group collaboration requires no additional configuration and users can simply protect and share to AAD groups from today. For the company level collaboration, this must be enabled by an administrator using an updated Azure RMS PowerShell module. An example to create a rights definition and template is shown below:
```powershell
# Template name and description, keyed by locale ID (1033 = en-US)
$names = @{}
$names[1033] = "Contoso-Fabrikam Confidential"
$descriptions = @{}
$descriptions[1033] = "This content is confidential for all employees in Contoso and Fabrikam organization"
# Grant VIEW and EXPORT to every user in each domain
$r1 = New-AadrmRightsDefinition -DomainName contoso.com -Rights "VIEW","EXPORT"
$r2 = New-AadrmRightsDefinition -DomainName fabrikam.com -Rights "VIEW","EXPORT"
# Publish the template with both rights definitions
Add-AadrmTemplate -Names $names -Descriptions $descriptions -LicenseValidityDuration 5 -RightsDefinitions $r1, $r2 -Status Published
```
If you haven’t used the Azure RMS PowerShell cmdlets before, start by reading this documentation. But if you want more information about specifying a rights definition object for the new collaboration options, see the updated New-AadrmRightsDefinition help.
For more details regarding the Azure RMS PowerShell cmdlets, you can access the documentation here.
In our Dec 7th announcement we were excited to make available a number of new features in Azure Information Protection (AIP). To recap, these included:
- Scoped Policies so you can make labels available to users based on group membership
- A new, unified Windows client that combines the RMS Sharing app features into the Azure Information Protection client
- An updated viewer for protected files, including protected PDFs downloaded from SharePoint
- Manual (right-click) labeling and protection for non-Office files
- Bulk classification and labeling for data at rest using PowerShell
Scoped Policies
As we covered in the December 7 post, Scoped Policies allow customers to build sets of labels that are only visible and usable to specific employees and groups of employees, such as teams, business units or projects. In all instances, a global set of policies is made available to all users. The new scoped policies are layered over this global set and are available only to users in the specified security groups. It is important to note that scoped policies are an admin concept: users will not be aware of them, as they just see the combined set of labels they are assigned. Each set of scoped policies allows for customization, including labels, sub-labels, and settings like mandatory labeling, default label, and justifications. The scoping model is consistent with Azure RMS template scoping, in that it is based on Azure Active Directory users and groups. A few important notes on scoped policies:
- Scopes are optional; you don’t have to define a set or group for a policy. If not set, the policy has global scope for everyone in the tenant.
- Policies are ordered by administrators. This order defines which scopes are considered higher than others. Policies are combined into an effective policy, which is given to the client.
A Single, Unified Client
We have listened to and worked closely with our customers to learn how we can improve the user experiences and business scenarios for the previous RMS Sharing app and the new AIP client. Today we are making available a single, unified client for classification, labeling and protection. This new client includes the ability to set custom permissions, share data in a protected way, track and revoke files, and view protected files (beyond Office files). The existing RMS sharing app is still available on our download center and will be supported for a period of 12 months, with support ending January 31, 2018. The Azure Information Protection user guide can help you get started with the new client and transition from the RMS Sharing app. The new client, which can be downloaded here, includes:
- The ability to set/remove custom permissions for files (single files, multiple files and files in folders) through the Explorer shell extensions (right-click on a file or folder and select “classify and protect”)
- We will shortly enable users to set/remove custom permissions for Office files via the Office Interface (Word, Excel, PowerPoint)
- Users can select contacts from their Global Address Book (requires Outlook)
- Once protected, users can share a file via any method such as mail, SharePoint and cloud sharing apps.
- Set Track and Revoke options for protected documents
Image 1 – Classify and protect a file through the “classify and protect” shell explorer app
Image 2 – Apply custom permissions through the “classify and protect” shell explorer app
Image 3 – View protected content with the lightweight Viewer app
Image 4 – Access Denied message and instructions on how to request permission
Bulk Classification
With the December updates we extended the RMS PowerShell commands to support Label and Protection actions based on Azure Information Protection policies. Administrators and data owners can label and protect files in bulk on file stores, or query for a file’s status. The PowerShell cmdlets, which are installed as part of the new unified client, are now GA and enable our customers to:
- Query for a file’s Label and Protection attributes
- Set a Label and/or Protection for documents stored locally or on file servers and network shares that are accessible through SMB/CIFS (e.g. \\server\finance\)
Image 5 – Use the PowerShell commands to perform bulk labeling and protection tasks
For examples and help, run PowerShell and type “Get-Help Get-AIPFileStatus -online” and “Get-Help Set-AIPFileLabel -online”. You can also refer to the help documentation for this module.
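The bulk workflow described above, as an added example that is not from the original post or the AIP team: inventory a share with Get-AIPFileStatus, label only the files that carry no label, and keep a record of the results. The share path reuses the one in the text; the label GUID and report path are placeholders, and the output property names (IsLabeled, IsRMSProtected, FileName, Status, Comment) are assumed to match the installed client version.

```powershell
# Added example: bulk-label unlabeled files on a share and report failures.
# Placeholders/assumptions: $labelId and $report are not values from the post.
$share   = '\\server\finance\'                       # share path from the text above
$labelId = '00000000-0000-0000-0000-000000000000'    # placeholder: GUID of the label to apply
$report  = 'C:\Temp\aip-bulk-label.csv'              # hypothetical report location

# 1. Inventory first: one status object per file under the share.
$status = @(Get-AIPFileStatus -Path $share)

# 2. Split the inventory so nothing is changed blindly.
$unlabeled        = @($status    | Where-Object { -not $_.IsLabeled })
$protectedNoLabel = @($unlabeled | Where-Object { $_.IsRMSProtected })
$toLabel          = @($unlabeled | Where-Object { -not $_.IsRMSProtected })

'{0} files scanned, {1} unlabeled, {2} of those already protected' -f `
    $status.Count, $unlabeled.Count, $protectedNoLabel.Count

# 3. Files that are protected but unlabeled are listed for manual review
#    instead of being relabeled automatically (a choice made in this example).
$protectedNoLabel | Select-Object FileName, RMSTemplateName

# 4. Apply the label to the remaining unlabeled files, one call per file,
#    collecting the result object each call returns.
$results = foreach ($file in $toLabel) {
    Set-AIPFileLabel -Path $file.FileName -LabelId $labelId
}

# 5. Keep an audit trail and surface anything that did not succeed.
$results | Export-Csv -Path $report -NoTypeInformation
$results | Where-Object { $_.Status -ne 'Success' } |
    Format-Table FileName, Status, Comment -AutoSize
```

Run the inventory steps (1 to 3) on their own first; the label is only written in step 4.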
New Collaboration features – share protected documents with groups and companies
Two top requested features are now available: the ability to share protected documents (Word, Excel, PowerPoint) with:
- A group of people at an organization e.g. finance@contoso.com
- Anyone at a specified organization e.g. [anyuser]@contoso.com
Get started NOW!
It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get started today!
- Download the new unified client from our Download Center
- Download the updated Azure RMS module
- Start a trial and kick the tires
- Learn more about Information Protection
- Get deep technical and scenario documentation
- Keep up to date by following our blogs
- Engage with us on Yammer, Twitter or send us an e-mail
- Watch the overview video
- Watch the recordings of our Ignite sessions (BRK2127, BRK2128, and BRK3095)
- Learn more about the Enterprise Mobility + Security offerings
Published Sep 08, 2018
Azure Information Protection Team