02-04-2019 01:36 AM
02-04-2019 09:26 AM
Well, depends. Generally speaking files must be "registered" with the tracking portal by selecting the corresponding option in the client. It does not happen automatically for all files.
10-18-2019 09:16 AM - edited 10-18-2019 09:18 AM
*** For classic AIP client only ***
Only files that have protection applied (i.e. the AIP label used to classify the file includes an RMS template to control access and usage) will show up in the Track & Revoke portal.
Files that are labelled without protection are not tracked because when they are accessed, no authentication happens with Azure RMS so no access attempts can be logged.
(Unified labelling client does not support track & revoke.)
01-13-2020 01:56 PM
@markwarnes - I'm still unsure as to why Unified Labeling doesn't support Track and Revoke? Basically, Microsoft Information Protection (...Unified Labeling) is technically "a step up" from AIP, but this handy feature is no longer included.
Do you have any ideas or can you point me in the direction of why this is, and if it ever will, or what will replace Track and Revoke? I simply can't find much info on why this is.
01-16-2020 03:18 AM
01-16-2020 04:04 AM - edited 01-16-2020 04:05 AMSolution
@cpsecurity, @Joe McGiven Corban - As far as I can tell, the classic "Track & Revoke" functionality that is curently available with the classic AIP client is not coming to the unified labelling (UL) client at any point on the roadmap.
The approach that you should probably be taking now is to make use of central reporting to check for user activities on labelled documents.
From the AIP documentation (https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client#compare-the-labe...) :
"The document tracking site that's supported by the classic client isn't supported by the unified labeling client. However, without the need to first register the document for tracking, administrators can use central reporting to identify whether protected documents are accessed from Windows computers, and whether access was granted or denied."
This basically means the the UL client on Windows computers will report activity to the configured Log Analytics workspace when a protected document has been accessed. It's not the same as the dedicated T&R portal but it does offer opportunities to alert on particular document access (either through alerts on the analytics workspace or through monitoring using Azure Sentinel if linked up).
@Rafael Dominguez wrote a series of blogs about creating a custom AIP tracking portal that uses the central reporting data -(https://techcommunity.microsoft.com/t5/azure-information-protection/how-to-build-a-custom-aip-tracki.... Definitely worth a look if you've not seen them already.
That said, there is a limitation currently - only the UL and classic clients on Windows devices can report their activity to the central reporting workspace. That means native AIP functionality in Office applications and any activity from MacOS, iOS and Android does not get reported. I'm hoping this is one of the gaps of functionality between the native and UL clients that is going to be closed in the near future.