Extended email security and compliance with Azure Information Protection
First published on CloudBlogs on Oct 24, 2017
We made some exciting
at Ignite that help you protect your sensitive information regardless of where it's stored or shared. For detailed information on new capabilities in Office 365 Message Encryption (OME), please read this
Office 365 blog
and watch this
. We’re also hosting an
Ask Me Anything (AMA) session on OME
on Oct 26 that we encourage you to join.
This post dives deeper into some additional email security and compliance scenarios that are enabled with Azure Information Protection.
Exchange Online and Azure Information Protection BYOK
Though Azure Information Protection generates and manages your tenant key, some organizations have expressed a need to use their own key. This scenario of using a “customer-managed” key, is also known as “bring your own key (BYOK)”. While Azure Information Protection provided a BYOK solution (which uses the Azure Key Vault service) a while ago, this was incompatible with Exchange Online. Organizations were then left with a difficult choice.
We are glad to share that we’ve filled that gap. You can now use Azure Information Protection BYOK with Exchange Online. The feature is initially available for tenants who have previously not enabled rights management on Exchange Online – we are working hard to ensure that this is available to all our customers in near future.
For more information about BYOK and how to implement it for Azure Information Protection, see
Planning and implementing your Azure Information Protection tenant key
. For instructions to configure Exchange Online for this scenario, see
Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protecti...
In a lot of cases, organizations would like emails to be automatically protected based on their sensitivity. Let’s see how Azure Information Protection can help in that case.
Automatic protection of emails based on sensitivity labels
As detailed in our recent
, Azure Information Protection enables you to classify, label, and protect your information. When this is clubbed with Office 365 Message Encryption, you now have an intuitive and powerful way to protect any email that flows within your organization, across other organizations, or to any email recipient.
Let’s walk through a couple of examples that highlight the simplicity of the workflow. For this blog, we will assume that the administrator of Contoso.com has already created some labels that are configured to apply protection.
George wants to send a sensitive email to his colleague Allie. George selects
Highly Confidential \ Contoso FTE Only
label, which automatically encrypts the email and applies corresponding permissions.
The protected message can be easily read by Allie across different platforms (Windows, iOS, Android), devices (desktop, web, mobile), and applications (Outlook, Outlook Web Access, iOS native client).
Custom protection templates for external collaboration
We recently introduced new collaboration features in
that enable admins to create custom protection settings for a label. This allows users in one organization to securely collaborate with users or groups in another organization. This is a great addition to the standard Do Not Forward policy.
The snip below shows a sample configuration in the Azure Information Protection blade in the Azure portal. The administrator for Contoso.com has created a
Highly Confidential \ Fabrikam - Partner
which is backed by custom protection permissions. This setting allows Contoso.com users to securely collaborate with their counterparts in Fabrikam.com – without giving them say ‘Print’ permission here.
When a user in Contoso needs to send a protected email to a user in Fabrikam.com, they select the appropriate label
Confidential \ Fabrikam - Partner
), which automatically applies protection.
The recipient (Jenn) can read this email across multiple devices and applications. From a sender’s perspective, the experience of sending an email to an internal user or an external user is the same.
Similarly, senders now have a consistent and easy way to send protected email to a user with a consumer IDs, such as Live or Gmail account. For example, Contoso.com administrator has created
Confidential \ External
recipients label, which automatically protects any content by using the Do Not Forward policy (or any appropriate policy).
The recipient can easily open the email and attachment.
It really is very easy to get started with Azure Information Protection. We have a lot of information available to help you, from great documentation, to engaging with us via
What are you waiting for? Get to it!