
Announcing availability of information protection capabilities to help protect your sensitive data

At the last Microsoft Ignite conference we shared our vision of providing a more integrated and consistent approach to discovering, classifying, labeling and protecting sensitive data. Earlier this year we announced several new capabilities to help you better protect your sensitive information, wherever it lives or travels – across devices, apps, cloud services and on-premises. We remain committed to delivering a comprehensive set of solutions that help you achieve your information security and compliance goals.


 

This week we’re taking another big step in the journey, with several announcements and updates: 

  • General availability of centralized management of labels and protection settings in the Security & Compliance Center
  • General availability of the Microsoft Information Protection SDK
  • Preview of labeling functionality in Word, PowerPoint, Excel and Outlook on Mac
  • Preview of labeling in Word and PowerPoint on iOS and Android
  • Endpoint protection based on sensitivity labels using Windows Information Protection (coming October 2018)
  • Preview of viewing labeled and protected PDFs in Adobe Acrobat Reader on Windows
  • Preview of Information Protection analytics

Unified labeling and protection management across Azure Information Protection and Office 365

The new unified labeling experience in the Security & Compliance Center provides a single destination to configure labels and protection policies across Azure Information Protection and Office 365. Today we’re announcing the general availability of this experience – with even more capabilities coming over time. You can create new labels along with policy settings, such as adding encryption and access restrictions, adding visual markings such as watermarks or headers/footers, and controlling external access to labeled sites and groups. These labels can be used by Azure Information Protection, Office apps and Office 365 services. For Azure Information Protection customers, you will be able to use your labels in the Security & Compliance Center, and your labels will be synchronized with the Azure portal in case you choose to perform additional or advanced configuration. Learn more about the unified labeling experience and how current Azure Information Protection customers can migrate to the unified labeling experience in our Tech Community blog.

 

New unified labeling and protection management in the Security & Compliance Center

 

 

Labeling experiences built natively into Office apps

We also want to make it easy and intuitive for users to protect sensitive information – as they are creating or editing documents and emails. To help achieve this, we are integrating classification, labeling and protection capabilities natively into the most commonly used productivity apps and services. Today we’re announcing the start of the public preview (available to Office Insider program participants) of native labeling capabilities in Office apps across platforms, including Mac (Word, PowerPoint, Excel), iOS (Word, PowerPoint) and Android (Word, PowerPoint). These new capabilities enable preview end-users to apply labels and protection to documents and emails – in a familiar manner, similar to what they’re already experiencing if they’re using the Azure Information Protection client on Windows. For example, if working on a Word document on a Mac device, users can choose the appropriate sensitivity label, such as “Highly Confidential”, and protection settings will be applied to the document automatically – based on the company’s label policy. Learn more about the supported Office applications in our documentation. (Note on preview availability: Word and PowerPoint on iOS and Android are scheduled to be available to Office Insiders the first week of October)

 

Native labeling capabilities built into Office apps on Mac

Native labeling capabilities built into Office apps on Android

Azure Information Protection labeling and protection on Windows machines

Today we're also announcing a new public preview version of the Azure Information Protection client. This preview version of the Azure Information Protection client supports the new unified labeling experiences described earlier. Customers using the new unified label management in the Security & Compliance Center can use this preview client to manually label and protect documents in Office apps on Windows – Word, Excel, PowerPoint and Outlook. This version also supports default labeling, mandatory labeling and visual markings (headers, footers and watermarks). The general availability (GA) release is targeting Q1 CY2019 and is planned to also support automatic classification, multilanguage, the viewer, right-click actions from File Explorer and PowerShell scripting.

 

Support for the new unified labeling experience using the latest Azure Information Protection client (in preview)

View labeled and protected PDFs with Adobe, our preferred PDF provider for Microsoft Information Protection solutions

For 25 years, Adobe has been the leader in PDF – this makes them a natural fit to be our preferred PDF provider for Microsoft Information Protection solutions. In a few weeks, Adobe will be releasing a public preview of a plug-in to view labeled and protected PDFs directly within Adobe Acrobat Reader on Windows, with support for Acrobat DC and other platforms coming later in the year.

 

Building native labeling capabilities directly into Office apps across the major device platforms helps broaden the coverage of information protection across your environment, and our goal is to also enable other common productivity apps to integrate our labeling capabilities directly into their own apps and services. This will make it even easier for end-users to work with PDFs that contain sensitive information – they can use the familiar Adobe Acrobat experience to view labeled and protected PDFs, without needing a special viewer application. With the preview, you can get started using the Azure Information Protection client and Azure Information Protection scanner to label and protect PDFs in a manner that can be opened by Adobe Acrobat Reader. In the future we plan to enable our other Information Protection solutions to also label and protect PDFs that can be opened by Acrobat. Learn more about our integration with Adobe Acrobat in our Tech Community blog.

 

 

View labeled and protected PDFs easily within Adobe Acrobat Reader on Windows

Extend information protection to Windows 10 endpoints

As part of the unified labeling and protection experience, our goal is to ensure that our broad set of information protection solutions can understand labels attached to documents and emails and apply the appropriate policy-based actions. Today we’re announcing that Windows will be able to read, understand and act on sensitivity labels in documents and automatically apply Windows Information Protection (WIP) on work data, no matter how it reaches a managed PC. This extends information protection on managed Windows devices and endpoints and helps protect labeled files from accidental leakage, with or without applying encryption. For example, Windows can understand that a Word document residing on a user’s machine has a label of “Confidential”, and as a result of the policy defined by the organization, apply WIP policy to prevent the copying or sharing of the data to any non-work location from that device (such as personal email accounts, social channels, etc.). We are targeting enabling this capability for customers in the Windows 10 October 2018 Update. Learn more here.

 

Prevent work data from being copied to non-work locations – based on sensitivity labels

Extend information protection to non-Microsoft apps and services with the Microsoft Information Protection SDK

Earlier this year we announced the public preview of the Microsoft Information Protection SDK, which enables ISVs and service providers to read and apply unified labels and protection to documents – this is particularly useful for files that are beyond the coverage of our information protection solutions. Today we’re announcing the general availability of the SDK for Windows, Mac and Linux – and the public preview of the SDK for iOS and Android. You can get started with all the resources you need here. Using the SDK, you can label and protect content in a way that works with other Microsoft Information Protection apps and services, such as Office apps, Office 365 services, the Azure Information Protection scanner, Microsoft Cloud App Security and several other partner solutions. Learn more about the Microsoft Information Protection SDK on our Tech Community blog.

 

Proactively protect and control sensitive messages with Office 365 Message Encryption

We also have enhancements to Office 365 Message Encryption that will enable organizations to more easily collaborate on and proactively protect sensitive emails. First, to further support collaboration on protected emails with consumer recipients, Office 365 Message Encryption enables organizations to control whether attachments should also be encrypted with the Encrypt-Only template, which means that recipients retain full permissions to share the attachment in the protected email. This update is generally available today. Additional enhancements, such as the ability to protect PDFs and customize branded emails for any recipient, are planned to be delivered by the end of the calendar year.

 

Second, to help organizations better manage and control sensitive emails, IT Admins can monitor and view reports on encrypted messages to proactively apply policies to sensitive emails based on observed patterns. We are also releasing the ability for admins to revoke encrypted emails sent to consumer email accounts. These are just a few new updates in Office 365 Message Encryption that will be available in preview by the end of October. To learn more about these capabilities and more, read the Tech Community blog for details.

 

View reports on encrypted emails in the Security & Compliance Center

Gain visibility into sensitive data across your organization with Information Protection analytics

The information protection lifecycle wouldn’t be complete without the ability to understand the state of your sensitive data – along with the ability to remediate potential issues. Today we’re announcing the public preview of Azure Information Protection analytics, which gives you insights into labeled and protected documents and emails across your organization. The dashboard provides information on the volume and distribution of files by label type, along with where the label was applied. You can also view details on where sensitive data resides, as well as the specific type of sensitive information contained in files (for example, financial info, PII or other information based on content inspection). Learn more about the Information Protection analytics preview here.

 

Information Protection analytics gives you better visibility into your labeled and protected files

Evaluate sensitive data usage and behavioral access activity to help identify advanced threats

Customers also want the ability to quickly identify advanced threats to their sensitive data – and be able to defend their digital estate against evolving cyber threats. Today we’re announcing the public preview of Information Protection alerts, which help customers detect advanced data-related attacks and insider threats. The new alerts leverage our advanced machine learning engine to profile the behavior of users accessing and working with sensitive information – based on classification and labeling applied to files by Azure Information Protection. Alerts can be accessed using the Microsoft Graph Security API, or you can stream alerts (using Azure Monitor) to a SIEM solution, such as Splunk and IBM QRadar. Learn more about the Microsoft Graph Security API and get started by reading our blog.

 

Getting started

Regardless of where you are in your information protection journey, there’s plenty to explore and start implementing – including the new capabilities described here. If you’re an Azure Information Protection customer or Office 365 customer (with an E3 or E5 plan), start using the unified labeling experience in the Security & Compliance center to create, update or modify your sensitivity labels. Start using the Office apps in preview for Mac, iOS and Android to enable preview users to label their documents and emails. Enable your Windows users to do the same by downloading the preview Azure Information Protection client. Beyond Office files, enable users Gain visibility into sensitive data across your organization with the Azure Information Protection analytics preview. Finally, if you use products or services from one of our ISV partners, connect with them for a demo or preview of their integrated functionality.

 

You can also engage with us and the community on Yammer or Twitter and provide additional feedback on UserVoice.

14 Comments
Occasional Contributor

Is there an ETA for Excel and Outlook labeling for iOS and Android? 

Microsoft

Hi Aaron,

 

We are making continuous improvements and expect to bring Labeling to Excel and Outlook in the next 3-4 months. 

 

Thanks,

Gagan

 

Occasional Visitor

Any news on when AIP for online versions of Office (Word/Excel/Outlook etc.) will be available?

Microsoft

Hi Julian,

 

I don't have any dates to share for Public Preview or GA yet, but we are actively working on supporting online versions of Office as well.

 

Thanks,

Gagan

Regular Visitor

Hi there

 

Can you please outline the advantages of having the Azure Information Client deployed if you're going to natively build the experience into Office products? Is there a roadmap for where these 2 technologies might converge? I'm about to start a deployment of the AIP client for a large client and it'd be good to know this information.

 

Thanks :) 

Microsoft

Hi Dan, 

Our goal is to bring the native implementation in Office clients as close as possible to AIP client. However that's a bit far away. Office clients on Windows, as of today, don't have labeling available at all - even in inner rings, and it will take quite some time to bring the native functionality equivalence, especially around automated classification. At that time, you will have the opportunity to remove the AIP client, and have your users use the native built in functionality. It will save you the burden of the extra client deployments.

 

For now, please continue with the AIP client deployment.

Thanks,

Gagan

 

Regular Contributor

Unfortunately still don't see the labelling option in Word for Mac even if I'm using Office Insider Fast. I'm running 16.19
Am I doing something wrong or do I just need to wait any longer?

Occasional Visitor

It's under File / Restrict Permissions [at least it is in V16.19 (181007)]

If you have an AIP policy in place (make sure you are logged in to word with your corporate account) then you should see the policies under the first two options:

No Restrictions

Restricted access...

----------

<your company restrictions>

See screen shot below.

AIP on mac.jpg

Microsoft

@Peter Klapwijk - The functionality was shipped into Insider Fast ring with build 180926.  Please try upgrading to this build.

Regular Contributor

Thanks guys!
Will have a look at this.

Regular Visitor

@Peter Klapwijk

It's a little tricky. First activate through Outlook. Then it will work with all apps.

Try https://docs.microsoft.com/en-us/azure/information-protection/faqs-rms

Look at the section How do I configure a Mac computer to protect and track documents?

You will see:

Open Outlook and create a profile by using your Office 365 work or school account. Then, create a new message and do the following to configure Office so that it can protect documents and emails by using the Azure Rights Management service:

  1. In the new message, on the Options tab, click Permissions, and then click Verify Credentials.

  2. When prompted, specify your Office 365 work or school account details again, and select Sign in.

    This downloads the Azure Rights Management templates and Verify Credentials is now replaced with options that include No Restrictions, Do Not Forward, and any Azure Rights Management templates that are published for your tenant. You can now cancel this new message.

 

Occasional Visitor

One of the largest issues we've encountered is when protecting labeled data you can no longer open in Office Online and Collaborate in real time. Is this something that will be fixed soon?

Regular Visitor
Microsoft

Yes, it is being actively worked upon. I don't have dates to share yet but I can tell you that it's coming!