SOLVED

AIP Tracking and Revocation

%3CLINGO-SUB%20id%3D%22lingo-sub-330082%22%20slang%3D%22en-US%22%3EAIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-330082%22%20slang%3D%22en-US%22%3EWe%20are%20working%20with%20AIP%20tracking%20and%20revocation.%20When%20a%20file%20is%20accessed%20outside%20the%20organization%20it%20is%20not%20being%20logged%20in%20the%20tracking%20portal.%20Is%20the%20behaviour%20normal%3F%20Thanks%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-330082%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAIP%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETracking%20and%20Revocation%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-330309%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-330309%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20depends.%20Generally%20speaking%20files%20must%20be%20%22registered%22%20with%20the%20tracking%20portal%20by%20selecting%20the%20corresponding%20option%20in%20the%20client.%20It%20does%20not%20happen%20automatically%20for%20all%20files.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-780843%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-780843%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%20we%20have%20E3%20%2B%20EMS%20licenses%2C%20so%20do%20we%20still%20need%20E5%20for%20track%20and%20Revoke%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20heard%20that%20MS%20is%20going%20to%20launch%20a%20new%20portal%20for%20track%20and%20revoke.%20So%20by%20any%20chance%20would%20it%20available%20by%20enterprises%20with%20E3%2BEMS%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F61456%22%20target%3D%22_blank%22%3E%40James%20Escober%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-908111%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-908111%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F382225%22%20target%3D%22_blank%22%3E%40thesmilingguru%3C%2FA%3EYou%20need%20to%20have%20minimum%20of%20EMS%20E3%20license%20for%20tracking%20and%20revocation%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918823%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918823%22%20slang%3D%22en-US%22%3EOnly%20files%20that%20have%20protection%20applied%20(i.e.%20the%20AIP%20label%20used%20to%20classify%20the%20file%20includes%20an%20RMS%20template%20to%20control%20access%20and%20usage)%20will%20show%20up%20in%20the%20Track%20%26amp%3B%20Revoke%20portal.%3CBR%20%2F%3E%3CBR%20%2F%3EFiles%20that%20are%20labelled%20without%20protection%20are%20not%20tracked%20because%20when%20they%20are%20accessed%2C%20no%20authentication%20happens%20with%20Azure%20RMS%20so%20no%20access%20attempts%20can%20be%20logged.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1106171%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1106171%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F306428%22%20target%3D%22_blank%22%3E%40markwarnes%3C%2FA%3E%26nbsp%3B-%20I'm%20still%20unsure%20as%20to%20why%20Unified%20Labeling%20doesn't%20support%20Track%20and%20Revoke%3F%20Basically%2C%20Microsoft%20Information%20Protection%20(...Unified%20Labeling)%20is%20technically%20%22a%20step%20up%22%20from%20AIP%2C%20but%20this%20handy%20feature%20is%20no%20longer%20included.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20ideas%20or%20can%20you%20point%20me%20in%20the%20direction%20of%20why%20this%20is%2C%20and%20if%20it%20ever%20will%2C%20or%20what%20will%20replace%20Track%20and%20Revoke%3F%20I%20simply%20can't%20find%20much%20info%20on%20why%20this%20is.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%20Joe%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1112379%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1112379%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F306428%22%20target%3D%22_blank%22%3E%40markwarnes%3C%2FA%3E%20-%20As%20mentioned%20by%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F139376%22%20target%3D%22_blank%22%3E%40Joe%20McGiven%20Corban%3C%2FA%3E%2C%20the%20track%20and%20revoke%20feature%20was%20a%20great%20feature%20and%20one%20of%20the%20selling%20points%20for%20AIP%20internally.%20Now%20that%20Classic%20client%20is%20no%20longer%20going%20to%20be%20supported%2C%20is%20there%20a%20roadmap%20for%20including%20this%20feature%20in%20UL.%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1112441%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Tracking%20and%20Revocation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1112441%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F369193%22%20target%3D%22_blank%22%3E%40cpsecurity%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F139376%22%20target%3D%22_blank%22%3E%40Joe%20McGiven%20Corban%3C%2FA%3E%26nbsp%3B-%20As%20far%20as%20I%20can%20tell%2C%20the%20classic%20%22Track%20%26amp%3B%20Revoke%22%20functionality%20that%20is%20curently%20available%20with%20the%20classic%20AIP%20client%20is%20not%20coming%20to%20the%20unified%20labelling%20(UL)%20client%20at%20any%20point%20on%20the%20roadmap.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20approach%20that%20you%20should%20probably%20be%20taking%20now%20is%20to%20make%20use%20of%20central%20reporting%20to%20check%20for%20user%20activities%20on%20labelled%20documents.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20the%20AIP%20documentation%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Frms-client%2Fuse-client%23compare-the-labeling-clients-for-windows-computers%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Frms-client%2Fuse-client%23compare-the-labeling-clients-for-windows-computers%3C%2FA%3E)%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%22The%20document%20tracking%20site%20that's%20supported%20by%20the%20classic%20client%20isn't%20supported%20by%20the%20unified%20labeling%20client.%20However%2C%20without%20the%20need%20to%20first%20register%20the%20document%20for%20tracking%2C%20administrators%20can%20use%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Freports-aip%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ecentral%20reporting%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bto%20identify%20whether%20protected%20documents%20are%20accessed%20from%20Windows%20computers%2C%20and%20whether%20access%20was%20granted%20or%20denied.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThis%20basically%20means%20the%20the%20UL%20client%20on%20Windows%20computers%20will%20report%20activity%20to%20the%20configured%20Log%20Analytics%20workspace%20when%20a%20protected%20document%26nbsp%3Bhas%20been%20accessed.%20It's%20not%20the%20same%20as%20the%20dedicated%20T%26amp%3BR%20portal%20but%20it%20does%20offer%20opportunities%20to%20alert%20on%20particular%20document%20access%20(either%20through%20alerts%20on%20the%20analytics%20workspace%20or%20through%20monitoring%20using%20Azure%20Sentinel%20if%20linked%20up).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102197%22%20target%3D%22_blank%22%3E%40Rafael%20Dominguez%3C%2FA%3E%26nbsp%3Bwrote%20a%20series%20of%20blogs%20about%20creating%20a%20custom%20AIP%20tracking%20portal%20that%20uses%20the%20central%20reporting%20data%20-(%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-information-protection%2Fhow-to-build-a-custom-aip-tracking-portal%2Fba-p%2F875849%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-information-protection%2Fhow-to-build-a-custom-aip-tracking-portal%2Fba-p%2F875849)%3C%2FA%3E.%20Definitely%20worth%20a%20look%20if%20you've%20not%20seen%20them%20already.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThat%20said%2C%20there%20is%20a%20limitation%20currently%20-%20only%20the%20UL%20and%20classic%20clients%20on%20Windows%20devices%20can%20report%20their%20activity%20to%20the%20central%20reporting%20workspace.%20That%20means%20native%20AIP%20functionality%20in%20Office%20applications%20and%20any%20activity%20from%20MacOS%2C%20iOS%20and%20Android%20does%20not%20get%20reported.%20I'm%20hoping%20this%20is%20one%20of%20the%20gaps%20of%20functionality%20between%20the%20native%20and%20UL%20clients%20that%20is%20going%20to%20be%20closed%20in%20the%26nbsp%3Bnear%20future.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
James Escober
Occasional Contributor
We are working with AIP tracking and revocation. When a file is accessed outside the organization it is not being logged in the tracking portal. Is the behaviour normal? Thanks
7 Replies
Highlighted

Well, depends. Generally speaking files must be "registered" with the tracking portal by selecting the corresponding option in the client. It does not happen automatically for all files.

Highlighted

@Vasil Michev  we have E3 + EMS licenses, so do we still need E5 for track and Revoke?

 

I have heard that MS is going to launch a new portal for track and revoke. So by any chance would it available by enterprises with E3+EMS

@James Escober 

Highlighted

@thesmilingguruYou need to have minimum of EMS E3 license for tracking and revocation

Highlighted

*** For classic AIP client only ***

 

Only files that have protection applied (i.e. the AIP label used to classify the file includes an RMS template to control access and usage) will show up in the Track & Revoke portal.

Files that are labelled without protection are not tracked because when they are accessed, no authentication happens with Azure RMS so no access attempts can be logged.

 

(Unified labelling client does not support track & revoke.)

Highlighted

@markwarnes - I'm still unsure as to why Unified Labeling doesn't support Track and Revoke? Basically, Microsoft Information Protection (...Unified Labeling) is technically "a step up" from AIP, but this handy feature is no longer included.

 

Do you have any ideas or can you point me in the direction of why this is, and if it ever will, or what will replace Track and Revoke? I simply can't find much info on why this is.

 

Cheers, Joe

Highlighted

 @markwarnes - As mentioned by @Joe McGiven Corban, the track and revoke feature was a great feature and one of the selling points for AIP internally. Now that Classic client is no longer going to be supported, is there a roadmap for including this feature in UL. 

Thanks, 

Highlighted
Solution

@cpsecurity@Joe McGiven Corban - As far as I can tell, the classic "Track & Revoke" functionality that is curently available with the classic AIP client is not coming to the unified labelling (UL) client at any point on the roadmap.

 

The approach that you should probably be taking now is to make use of central reporting to check for user activities on labelled documents.

 

From the AIP documentation (https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client#compare-the-labe...) :

 

"The document tracking site that's supported by the classic client isn't supported by the unified labeling client. However, without the need to first register the document for tracking, administrators can use central reporting to identify whether protected documents are accessed from Windows computers, and whether access was granted or denied."

 

This basically means the the UL client on Windows computers will report activity to the configured Log Analytics workspace when a protected document has been accessed. It's not the same as the dedicated T&R portal but it does offer opportunities to alert on particular document access (either through alerts on the analytics workspace or through monitoring using Azure Sentinel if linked up).

 

@Rafael Dominguez wrote a series of blogs about creating a custom AIP tracking portal that uses the central reporting data -(https://techcommunity.microsoft.com/t5/azure-information-protection/how-to-build-a-custom-aip-tracki.... Definitely worth a look if you've not seen them already.

 

That said, there is a limitation currently - only the UL and classic clients on Windows devices can report their activity to the central reporting workspace. That means native AIP functionality in Office applications and any activity from MacOS, iOS and Android does not get reported. I'm hoping this is one of the gaps of functionality between the native and UL clients that is going to be closed in the near future.