
Security, Compliance, and Identity Blog

Microsoft Information Protection now extends beyond Rights Management

Denis Mizetski
Feb 05, 2019

Overview

Microsoft Information Protection helps you discover, classify, label and protect your sensitive information, wherever it lives or travels. We have typically offered sensitivity-label driven protection of individual files via our Rights Management Service (RMS). RMS offers encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices (phones, tablets, and PCs). We have typically offered such protection with both cloud-held keys (Microsoft-managed or bring-your-own-key, BYOK) and on-premises managed keys (hold-your-own-key, HYOK).

 

Some customers seek a solution that allows them to use this label-based protection capability to implement additional controls and leverage existing encryption and DLP technologies. We’ve heard your feedback and we are now shipping two additional protection capabilities.

 

Label-based S/MIME encryption and signing

With Office 365 Message Encryption (OME), your organization can send and receive encrypted email messages between people either inside or outside of your organization. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services.

 

While we prefer that you use OME because it’s the simplest and most common secure collaboration solution, we understand that you may have made investments in an S/MIME infrastructure in the past.

 

Starting now, customers that use S/MIME as their email signing or encryption option for email collaboration can replace the manual application of S/MIME with sensitivity labels that apply S/MIME encryption automatically in Outlook when the Azure Information Protection client is running. This new capability allows organizations that have already deployed a functional S/MIME infrastructure to provide a more consistent end-user experience by using a standard Microsoft Information Protection label for all their classification and protection needs.

 

For example, organizations can now allow users to send emails to their external partners using a “Confidential\B2B” classification label when the policy behind that label is to apply S/MIME encryption.


Figure 1. Alice shares a contract using mail and applies the “Confidential \ B2B” label, which triggers S/MIME protection.

Figure 2. The partner receives an email that is encrypted using S/MIME.

When your users are comfortable with the new Microsoft Information Protection labeling experience, you can migrate from the existing S/MIME deployment to seamless secure collaboration based on Office 365 Message Encryption with a single-click change in your label policy.

 

More on how you can enable this can be found at Configure a label to apply S/MIME protection in Outlook.
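The label-to-S/MIME mapping described above is an advanced setting on the sensitivity label rather than a separate S/MIME product feature. The following PowerShell is an added example, not code from the post or from Microsoft's documentation, showing how an administrator would configure it from Security & Compliance PowerShell and verify the result; it also shows the label-policy setting that answers the attachment question raised in the comments (an email inheriting the label of its attachment). Assumptions: the ExchangeOnlineManagement module is installed, the label's internal Name is the placeholder `Confidential-B2B` (standing in for the post's “Confidential\B2B” label), and the label policy is named `Global`.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account has Security & Compliance admin rights.
Connect-IPPSSession

# Placeholder: use the Name (not the display name) of your own label.
$labelName  = 'Confidential-B2B'
$policyName = 'Global'   # placeholder: your label policy's name

# Before: inspect the label's current advanced settings. If no SMime* entries
# appear, applying the label protects nothing by itself in Outlook.
(Get-Label -Identity $labelName).Settings

# Make the label trigger S/MIME in the Azure Information Protection client:
# SMimeEncrypt encrypts the message to the recipients' certificates,
# SMimeSign signs it with the sender's certificate. Both still require a
# working S/MIME PKI (certificates published for recipients) on the client side.
Set-Label -Identity $labelName -AdvancedSettings @{
    SMimeEncrypt = 'True'
    SMimeSign    = 'True'
}

# Assumption: AttachmentAction on the label policy lets an unlabeled email
# inherit the label of its (highest-sensitivity) attachment automatically,
# so attaching a "Confidential\B2B" document also triggers S/MIME.
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{
    AttachmentAction = 'Automatic'
}

# After: confirm the settings were stored before rolling the policy out.
(Get-Label -Identity $labelName).Settings | Where-Object { $_ -match 'SMime' }
(Get-LabelPolicy -Identity $policyName).Settings | Where-Object { $_ -match 'AttachmentAction' }
```

Two practical checks before relying on this: a label that sets `SMimeEncrypt` but whose recipients have no published certificate cannot encrypt, so the send will fail rather than silently fall back to plaintext, and the AIP client must be the one applying the label (the post's author notes in the comments that native Office labeling does not honour these settings).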

 

Label-based Information Protection on Windows 10

As you may know, we announced the public preview of our Information Protection capabilities on Windows 10 endpoints running Windows Defender ATP in September 2018. As part of the unified labeling and protection experience, our goal is to ensure that our broad set of information protection solutions can understand labels attached to documents and emails and apply the appropriate policy-based actions, even beyond what’s provided by Azure Information Protection or RMS. With this new capability, Windows 10 devices can use Windows Defender ATP to read, understand and act on sensitivity labels in documents and automatically apply Windows Information Protection (WIP) policy on work data, no matter how it reaches a managed PC.

 

This extends information protection on managed Windows devices and endpoints and helps protect labeled files from accidental leakage, with or without applying encryption. For example, Windows can understand that a Word document residing on a user’s computer has a label of “Confidential”, and as a result of the policy defined by the organization, apply a Windows Information Protection (WIP) policy to prevent the copying or sharing of the data to any non-work location from that device (such as personal email accounts, social channels, etc.).

 

Figure 3. M365 Security & Compliance Center – Endpoint data loss prevention configuration page

 

Figure 4. End user attempts to copy a Confidential file to their personal OneDrive, and the copy action is blocked by Windows Information Protection.

 

Figure 5. End user attempts to copy a Confidential file to their personal OneDrive, and is warned by Windows Information Protection.

 

To read more about how to enable this feature, see How Windows Information Protection protects files with a sensitivity label.

 

Next steps

We are excited to take Microsoft Information Protection classification, labeling and protection beyond traditional Rights Management, and to help customers use many different forms of protection. We would love to get your feedback on these recently introduced capabilities and learn more about other high-priority needs that you may have. We encourage you to try the new features and join our ever-growing Yammer community.

 

Updated May 11, 2021
Version 7.0
  • Just the customers that use the AIP add-in in Outlook. No plans for this being taken to the native labeling experience right now.

  • wombat11010 (Copper Contributor)

    Hi Denis Mizetski ,

    thanks for sharing this update. I'm wondering if the SMIME encryption can also kick in when I attach a labelled document to an e-mail without specifically labelling the e-mail?

  • Yes it can. You can define that mail gets its label from the attachment (if you have a number of them, the one with the highest sensitivity takes precedence) and then set S/MIME as the action for this label.

  • "Starting now, customers that use S/MIME as their email signing or encryption option for email collaboration can replace the act of manually applying S/MIME by using sensitivity labels that automate applying S/MIME encryption within the Outlook app running the Azure Information Protection client."


    Denis Mizetski Does the above mean that this is exclusively for Outlook on Windows running the Azure IP client? With your broader direction of natively integrating the labeling capabilities of Azure IP into Outlook on Mac, iOS and Android (and with Windows coming), I'm wondering if it is more generally available to those platforms too. Thanks.