Home
Microsoft

Azure Information Protection Documentation Update for October 2018

The Documentation for Azure Information Protection has been updated on the web and the latest content has an October 2018 (or later) date at the top of the article.

 

This month continues to see supporting documentation for releases that you might have heard about at the Microsoft Ignite conference in Orlando. For example, the preview release of the Azure Information Protection unified labeling client that downloads labels and policy from the Office 365 Security & Compliance Center. And as usual, we have regular updates from your feedback and questions.  

 

Final reminder:  Catch up with the rollup summary for Ignite 2018: Announcing availability of information protection capabilities to help protect your sensitive data

 

We listen to your feedback and try to incorporate it whenever possible. Let me know if you have feedback about the technical documentation and I also encourage you to head over to our Yammer site to see what others are discussing. 

  

What's new in the documentation for Azure Information Protection, October 2018

 

Azure Information Protection Premium Government Service Description

 - New documentation that was published at the beginning of the month, but so important that we also added a quick update for it in last month's post after it was published. The Enterprise Mobility + Security for US Government Service Description is also updated to include information about Azure Information Protection in the Parity with EMS Commercial Offerings section.

 

Frequently asked questions for Azure Information Protection

- New entry to help address any confusion around "Microsoft Information Protection": What's the difference between Azure Information Protection and Microsoft Information Protection?

 

Also updated the entry for using Azure AD conditional access (still in preview for Azure Information Protection), with a new bullet to clarify that if you use MFA in your conditional access policies for collaborating with other organizations ("B2B"), you must use Azure AD B2B collaboration and manually create guest accounts.

 

Applications that support Azure Rights Management data protection

- Updated the table in the RMS-enlightened application section, to remove the PDF column. This information is now moved to the new page, Supported PDF readers for Microsoft Information Protection

 

Azure Information Protection deployment roadmap

- Updated the deployment roadmap for classification, labeling, and protection. The steps now include how you might deploy the scanner using different configurations for different stages of your deployment:

  • Initially, even before you might have confirmed your classification taxonomy and before you have designed and configured labels, consider deploying the scanner to discover all known sensitivity types. We often heard from customers at Ignite that they didn't know what sensitive information might be in which files on their on-premises data stores - and this configuration with the scanner can help answer that.  Knowing what you have is always a good start!  If you need additional help with this configuration, see the following blog post. Cataloging your Sensitive Data with AIP, Even Before Configuring Labels.
  • When you start to configure your labels for classification, run the scanner in discovery mode for automatic classification. In discovery mode, nothing gets labeled so it's safe to use this configuration even when you're still deciding on how to configure your labels.
  • When you're happy that your labels are configured as you need for classification and protection, you're ready to configure the scanner in enforce mode, so that you now classify (and protect where necessary) your documents.

Planning and implementing your Azure Information Protection tenant key

- Updated the Instructions for BYOK to include the Azure portal configuration steps for authorizing the Azure Rights Management service to use the key in Key Vault.

 

Configuring usage rights for Azure Rights Management

- Updated the Encrypt-Only option for emails section, to include this option as a newly available Office 365 DLP action.  

 

Configuring super users for Azure Rights Management and discovery services or data recovery

- New section,  Guidance for using Unprotect-RMSFile for eDiscovery

 

How to configure the policy settings for Azure Information Protection

- Updated the description of the All documents and emails must have a label setting (also known as mandatory labeling) to clarify that this option does not apply to PowerShell.

 

How to configure a label for Rights Management protection

- Updated to remove the preview statements for the Add any authenticated users option, now that the release status for this feature has changed to generally available (GA).

 

How to configure a label for visual markings for Azure Information Protection

- Updated the additional information list with information about maximum string lengths supported, and a warning that Excel's lower string length supported can result in truncated text.

 

Refreshing templates for users and services

- Updated for the Azure Information Protection unified labeling client and Office apps that natively support unified labels by using the Sensitivity feature.

 

How to migrate Azure Information Protection labels to the Office 365 Security & Compliance Center

- New section for organizations who use the Azure AD roles of Security Administrator or Information Protection Administrator, Important information about administrative roles.  If you have users who are granted either of these roles to manage Azure Information Protection, grant them the Compliance Administrator role for the Office 365 Security & Compliance Center if you want them to continue to have access to the labels and policies in the Azure portal. Also added the prerequisite that you must be signed in as a global admin to migrate your labels. 

 

Also updated the Clients that support unified labeling section to include the Azure Information Protection unified labeling client for Windows.

 

Deploying the Azure Information Protection scanner to automatically classify and protect files

- Updated for the following:

  • Added information about deploying multiple scanners.
  • Corrected the information that the scanner service stops when a manual scan cycle is complete. This is no longer the case for the current version of the scanner. Instead, the service remains running, but the scanner is idle.
  • Added information about the new Nodes (Preview) option in the Azure portal that lets you view and manage scanners across your enterprise from a single blade in the portal. From this central location, you can start the scanner for a one-time scan, rescan all files, check the status of a scanner, and view the scan rate.
  • New section for editing the registry, where there's a new example screenshot of how the registry might look if you want to protect PDF files in addition to Office files. This section also clarifies how to edit the registry if you want the same protection behavior of the Azure Information Protection client, to automatically protect all file types.
  •  In the Next steps section, added a link to the newly published Microsoft Showcase, Automating data protection with Azure Information Protection scanner.

 

Central reporting for Azure Information Protection

- Updated the How to modify the reports section, with the information that the logged data is stored in the InformationProtectionLogs_CL table.

 

Supported PDF readers for Microsoft Information Protection

- New page for end users who need to open classified and protected PDFs. This page provides high-level information about the collaboration between Microsoft and Adobe that resulted in the recently released new Adobe reader (in preview), links to download readers that support the ISO standard for PDF encryption, and information about older formats and supported readers for these. 

 

 Azure Information Protection client: Version release history and support policy

- Now that version 1.10.56.0 is out of support, the section for this release is now removed. In addition, the preview release section is updated for known issues with the scanner, and a link to the information about the new preview release of the unified labeling client. 

  

Admin Guide: File types supported by the Azure Information Protection client

- Added a new section for the scanner, To scan .zip files.

 

Azure Information Protection unified labeling client: Version release information

- New article, which covers what's included and excluded in this first preview version of the unified labeling client that downloads policy and sensitivity labels from the Office 365 Security & Compliance Center.

 

Download and install the Azure Information Protection unified labeling client

- New article, with instructions for an interactive user install.

 

User Guide: View and use files that have been protected by Rights Management

- Updated with the clarification that the Save As button in the viewer is available only for protected files.

 

PowerShell: Get-AIPScannerStatus

- Updated the possible values for the current version of the scanner:

  • Running is now replaced by Scanning
  • Finished is removed