Security, Compliance, and Identity Blog

Azure Information Protection Documentation Update for June 2018

Carol Bailey
Microsoft
Jun 29, 2018

The documentation for Azure Information Protection has been updated on the web, and the latest content has a June 2018 (or later) date at the top of the article.

 

This month sees another GA release of the client, which resolves the final problem of displaying the Azure Information Protection bar outside the latest Office 2016 (Click-to-Run). If you experience this problem, install this latest GA version. We also have an exciting new preview option in the Azure portal that lets you set protection for any authenticated user. Consider using this option for any of the following scenarios:

  • You don't mind who views the content, but you want to restrict how it is used. For example, you do not want the content to be edited, copied, or printed.
  • You don't need to restrict who accesses the content, but you want to be able to track who opens it and potentially, revoke it.
  • You have a requirement that the content must be encrypted at rest and in transit, but it doesn't require access controls.

To try out this setting for yourself, see the new example, Example 5: Label that encrypts content but doesn't restrict who can access it, and click the link at the beginning of the example for more information about the setting.

 

We also have a new article that explains how you can use the metadata from Azure Information Protection labels, with two example mail flow rules that apply protection when a label is identified in an email and also in an attachment. In both cases, the examples use the same condition of sending an email outside the organization, but you can obviously apply your own conditions and exceptions as needed. The examples are to get you started as a proof of concept, which you can then build on for your own business requirements.

 

Hopefully, these documentation updates help you to protect more documents and emails that contain sensitive data. One of the goals in the Azure Information Protection team is that you secure 100% of your sensitive documents and if you're falling short of that goal, let us know why. Your responses to a short survey about document protection, with an opportunity to provide your own comments, can influence the direction of the product: 

 

We listen to your feedback and try to incorporate it whenever possible. In addition to taking the survey, let me know if you have feedback about the technical documentation and I also encourage you to head over to our Yammer site to see what others are discussing. 

 

What's new in the documentation for Azure Information Protection, June 2018

 

Frequently asked questions for Azure Information Protection

- Updated the entry What's the difference between Windows Server FCI and the Azure Information Protection scanner? to clarify the different approaches to protecting all file types: Windows Server FCI protects all file types by default, and the scanner protects just Office file types by default. For both, you can change the default behavior by editing the registry. When you protect files other than Office documents, the file becomes read-only and its file name extension changes.

 

Secure document collaboration by using Azure Information Protection

- Updated for the following:

  • Information about the labeling experience that users see when the collaborating organizations both have Azure Information Protection.
  • Information about the new protection setting for any authenticated user (currently in preview). 

Planning and implementing your Azure Information Protection tenant key

- Updated the prerequisites section to include Virtual Network Service Endpoints for Key Vault, announced in preview this week.

 

Migration phase 4 - supporting services configuration

- Updated for the following:

Activating Azure Rights Management

- Updated the Do you need to activate Azure Rights Management? section, for the information that the service is being automatically activated for Office 365 tenants with eligible subscriptions. 

 

Configuring usage rights for Azure Rights Management

- Updated for the following:

  • The information in the description for the usage right View, Open, Read (VIEW). Previously, the description said that Edit Content, Edit (EDIT) was needed to sort and filter data in Excel. Now updated to say that to sort data in Excel you need Edit Content, Edit (EDIT), but to filter you also need Copy (EXTRACT).
  • The Encrypt-Only option for emails section includes information about the recently announced configuration option that an automatically protected Office document is decrypted on download. 

 

How to configure a label for Rights Management protection

- Updated the instructions for the new preview option of Add any authenticated user, and when to use it. A new example is also added at the end of the instructions.

 

How to configure a label for visual markings for Azure Information Protection

- Updated for the information that visual markings that are configured for colors always display as black in Excel.

 

Configuring Exchange Online mail flow rules for Azure Information Protection labels

- New article to help you configure mail flow rules in Exchange Online to use Azure Information Protection labels.

 

Deploying the Azure Information Protection scanner to automatically classify and protect files

- Updated the prerequisites section for the following:

  • New entry for sufficient disk space to create temporary files for each file that the scanner inspects, four files per core. The recommended disk space of 10 GB allows for 4 core processors scanning 16 files that each have a file size of 625 MB.
  • Reminder that the service account for the scanner must be included in any onboarding controls that you've configured.
  • New section for alternative configurations if you have to install the scanner in production environments that do not allow servers to have Internet connectivity, or servers have Internet connectivity but service accounts cannot be synchronized to Azure Active Directory. It also covers restrictions for using Sysadmin rights, and service accounts that are not allowed to have the Log on locally right.

Azure Information Protection client: Version release history and support policy

- Updated for the 1.29.5.0 GA release.

 

Admin Guide: Install the Azure Information Protection client for users

- Updated the Upgrading and maintaining the Azure Information Protection client section for corrections that the client is always automatically upgraded if you are using Windows Update.

 

Admin Guide: Custom configurations for the Azure Information Protection client

- Updated for the following entries:

Admin Guide: Configuring and using document tracking for Azure Information Protection

- Updated to clarify that the Azure AD global administrator for your tenant is required for the Admin mode and that other administrator roles do not support this mode for the document tracking site. 

 

Admin Guide: File types supported by the Azure Information Protection client

- Updated to remove the file name extensions of .xla and .xlam from the list of file types that support classification only. 

 

Admin Guide: Using PowerShell with the Azure Information Protection client

- Updated with a tip to use a new group policy setting if you use the cmdlets with path lengths greater than 260 characters. We've had a few customers run into this limitation recently and were unblocked by using this solution.


 

 

 

 

 

 

Updated May 11, 2021
  • Red Flag
    Iron Contributor

    Thanks for sharing. The new AIP functionality seems to be very practical. I have one unsolved issue with AIP Client: how to make AIP Client a WIP-aware app? It could help to protect content even for restricted users in a more granular way. A restricted user could edit the document but it is not allowed to take the content outside of Office apps. Could you make AIP an enlightened app?