Forum Discussion

Copper Contributor

Feb 04, 2019

Solved

AIP Tracking and Revocation

We are working with AIP tracking and revocation. When a file is accessed outside the organization it is not being logged in the tracking portal. Is the behaviour normal? Thanks

information protection and governance

microsoft information protection

markwarnes
Jan 16, 2020
cpsecurity, Joe McGiven Corban - As far as I can tell, the classic "Track & Revoke" functionality that is curently available with the classic AIP client is not coming to the unified labelling (UL) client at any point on the roadmap.

The approach that you should probably be taking now is to make use of central reporting to check for user activities on labelled documents.

From the AIP documentation (https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client#compare-the-labeling-clients-for-windows-computers) :

"The document tracking site that's supported by the classic client isn't supported by the unified labeling client. However, without the need to first register the document for tracking, administrators can use https://docs.microsoft.com/en-us/azure/information-protection/reports-aip to identify whether protected documents are accessed from Windows computers, and whether access was granted or denied."

This basically means the the UL client on Windows computers will report activity to the configured Log Analytics workspace when a protected document has been accessed. It's not the same as the dedicated T&R portal but it does offer opportunities to alert on particular document access (either through alerts on the analytics workspace or through monitoring using Azure Sentinel if linked up).

Rafael Dominguez wrote a series of blogs about creating a custom AIP tracking portal that uses the central reporting data -(https://techcommunity.microsoft.com/t5/azure-information-protection/how-to-build-a-custom-aip-tracking-portal/ba-p/875849). Definitely worth a look if you've not seen them already.

That said, there is a limitation currently - only the UL and classic clients on Windows devices can report their activity to the central reporting workspace. That means native AIP functionality in Office applications and any activity from MacOS, iOS and Android does not get reported. I'm hoping this is one of the gaps of functionality between the native and UL clients that is going to be closed in the near future.

markwarnes

Brass Contributor

Oct 18, 2019

*** For classic AIP client only ***

Only files that have protection applied (i.e. the AIP label used to classify the file includes an RMS template to control access and usage) will show up in the Track & Revoke portal.

Files that are labelled without protection are not tracked because when they are accessed, no authentication happens with Azure RMS so no access attempts can be logged.

(Unified labelling client does not support track & revoke.)

Joe McGiven Corban
Brass Contributor
Jan 13, 2020
markwarnes - I'm still unsure as to why Unified Labeling doesn't support Track and Revoke? Basically, Microsoft Information Protection (...Unified Labeling) is technically "a step up" from AIP, but this handy feature is no longer included.

Do you have any ideas or can you point me in the direction of why this is, and if it ever will, or what will replace Track and Revoke? I simply can't find much info on why this is.

Cheers, Joe
- cpsecurity
  Copper Contributor
  Jan 16, 2020
  markwarnes - As mentioned by Joe McGiven Corban, the track and revoke feature was a great feature and one of the selling points for AIP internally. Now that Classic client is no longer going to be supported, is there a roadmap for including this feature in UL.
  Thanks,
  - markwarnes
    Brass Contributor
    Jan 16, 2020
    cpsecurity, Joe McGiven Corban - As far as I can tell, the classic "Track & Revoke" functionality that is curently available with the classic AIP client is not coming to the unified labelling (UL) client at any point on the roadmap.
    
    The approach that you should probably be taking now is to make use of central reporting to check for user activities on labelled documents.
    
    From the AIP documentation (https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client#compare-the-labeling-clients-for-windows-computers) :
    
    "The document tracking site that's supported by the classic client isn't supported by the unified labeling client. However, without the need to first register the document for tracking, administrators can use https://docs.microsoft.com/en-us/azure/information-protection/reports-aip to identify whether protected documents are accessed from Windows computers, and whether access was granted or denied."
    
    This basically means the the UL client on Windows computers will report activity to the configured Log Analytics workspace when a protected document has been accessed. It's not the same as the dedicated T&R portal but it does offer opportunities to alert on particular document access (either through alerts on the analytics workspace or through monitoring using Azure Sentinel if linked up).
    
    Rafael Dominguez wrote a series of blogs about creating a custom AIP tracking portal that uses the central reporting data -(https://techcommunity.microsoft.com/t5/azure-information-protection/how-to-build-a-custom-aip-tracking-portal/ba-p/875849). Definitely worth a look if you've not seen them already.
    
    That said, there is a limitation currently - only the UL and classic clients on Windows devices can report their activity to the central reporting workspace. That means native AIP functionality in Office applications and any activity from MacOS, iOS and Android does not get reported. I'm hoping this is one of the gaps of functionality between the native and UL clients that is going to be closed in the near future.