
AIP Policies - What determines the order of the policies? Example?

Franck Marteaux
Occasional Contributor

You can move AIP policies up and down. So it seems the order matters. What is an example where I would need to pay attention to the order and what does it determine?

For example my users would get 3 policies:

- the standard (global) policies for all company users (e.g. public, internal, confidential, restricted (protected))

- a department policy (Sales Restricted (protected))

- a policy allowing some users customized protection

Would this also be the recommended order?


Thanks,
Franck

 

1 Reply
Hi @Franck Marteaux

Great question! See this article here on AIP policies

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-scope

The critical section here -

'Scoped policies, just like labels, are ordered in the Azure portal. If a user is configured for multiple scopes, an effective policy is computed for that user before it is downloaded. According to the order of the policies, the last policy setting is applied. The labels that the user sees are from the global policy and any additional labels from scoped policies that the user belongs to'

So it looks like you have it right insofar as first level is org (global), second level is department and third level is users in that department.

This article should help you to structure your policies according to your organisation.

Hope that answers your question.

Best, Chris
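
The rule quoted in the reply above, worked through for the three policies in the question. This is an added illustration, not part of the original thread and not Microsoft's code. The user names, setting keys (`default_label`, `custom_permissions`) and the assumption that a policy only overrides settings it explicitly sets are constructed for the example.

```python
# Simplified model of the quoted rule: labels accumulate across the policies a
# user is in scope for, while for each setting the last policy in the list wins.
# All names and setting keys are constructed for illustration.

def effective_policy(ordered_policies, user):
    """Merge the policies that apply to `user`, in portal order (top to bottom)."""
    applied, labels, settings = [], [], {}
    for policy in ordered_policies:
        scope = policy["scope"]              # None marks the global policy
        if scope is not None and user not in scope:
            continue                         # user is outside this scoped policy
        applied.append(policy["name"])
        for label in policy["labels"]:       # global labels plus scoped additions
            if label not in labels:
                labels.append(label)
        settings.update(policy["settings"])  # a later policy overrides earlier ones
    return {"applied": applied, "labels": labels, "settings": settings}

GLOBAL = {"name": "Global", "scope": None,
          "labels": ["Public", "Internal", "Confidential", "Restricted"],
          "settings": {"default_label": "Internal", "custom_permissions": False}}
SALES = {"name": "Sales", "scope": {"alice", "bob"},
         "labels": ["Sales Restricted"],
         "settings": {"default_label": "Sales Restricted",
                      "custom_permissions": False}}
CUSTOM = {"name": "Custom protection", "scope": {"alice"},
          "labels": [],
          "settings": {"custom_permissions": True}}

def compare_orders(user):
    """Effective policy with the per-user policy last vs. the department policy last."""
    user_last = effective_policy([GLOBAL, SALES, CUSTOM], user)
    dept_last = effective_policy([GLOBAL, CUSTOM, SALES], user)
    return user_last, dept_last

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        user_last, dept_last = compare_orders(user)
        print(user, user_last["labels"])
        print("  per-user policy last:  ", user_last["settings"])
        print("  department policy last:", dept_last["settings"])
```

For the user in all three scopes, the label list is the same in both orders, but the custom-permissions exception only survives when the per-user policy sits below the department policy.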