cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Force AIP labelling/protection

Michael Whitaker
Copper Contributor

‎Oct 26 2018 11:01 AM - last edited on ‎May 24 2021 03:13 PM by

‎Oct 26 2018 11:01 AM - last edited on ‎May 24 2021 03:13 PM by

Force AIP labelling/protection

I am new to AIP (Azure Information protection). My question is how do I enforce the protection of documents.

 

What I want: any document/email should be assumed to be for internal company only and not available to anyone outside of the org unless the user changes the label.

 

It actually works ok if the user has the AIP client installed; emails and documents they create are automatically labeled "internal" as expected. If the user uninstalls the client then documents work just like they would for anyone creating them, meaning there is no protection and no label is applied so the document can be sent to whomever and they can read it.

 

Questions: 

  1. How can I ensure that every document/email has an automatic label even if the user doesn't have the AIP client installed?
  2. If that's not possible (really?!) then how might I ensure the AIP client gets installed on and remains installed on each user's computer?
6,518 Views
0 Likes
6 Replies
Reply
6 Replies
Eli Shlomo

‎Oct 27 2018 10:06 PM - edited ‎Oct 27 2018 11:27 PM

‎Oct 27 2018 10:06 PM - edited ‎Oct 27 2018 11:27 PM

Re: Force AIP labelling/protection

To allow automatic label you must configure the relevant settings but not all services work with the label, for example in Exchange you must to create Exchange Transport Rule to allow label, but there are some conditions when applying labels with AIP and Exchange.

But before starting with AIP label and Exchange take a quick look with the following URL's: https://docs.microsoft.com/en-us/azure/information-protection/faqs-infoprotect

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-protection

 

For other protection such as RMS, you can apply Secure Email (OMEv2) and protect all content that go externally.

 

Eli.

0 Likes
Reply
Michael Whitaker

‎Oct 29 2018 07:09 AM - edited ‎Oct 29 2018 07:10 AM

‎Oct 29 2018 07:09 AM - edited ‎Oct 29 2018 07:10 AM

Re: Force AIP labelling/protection

Eli, thank you for taking the time to respond to my email and to gather those links; I really appreciate it. Let's set aside emails for the time being. I am chiefly concerned with documents being labeled and protected by default. If no emails at all were protected, but every document was, I would be content with  that.

 

What are these relevant settings you mentioned in your first sentence?

 

I have set a policy and assigned my test user to it. There is a default label, but it only gets automatically applied if the AIP client is installed, which means a malicious user could just uninstall it to get around the labeling requirement.

0 Likes
Reply
Michael Whitaker

‎Oct 31 2018 04:03 PM

‎Oct 31 2018 04:03 PM

Re: Force AIP labelling/protection

After talking to MS support, it seems this is not currently possible. At this time, the AIP client must be installed and remain installed for the default labeling behavior to work properly.

0 Likes
Reply
Peter Klapwijk

‎Nov 01 2018 01:28 AM

‎Nov 01 2018 01:28 AM

Re: Force AIP labelling/protection

Maybe auto labelling of documents inside a SharePoint site is an option for you?

0 Likes
Reply
best response confirmed by Michael Whitaker (Copper Contributor)
Peter Bing Simmons

‎Nov 01 2018 04:11 AM - edited ‎Nov 01 2018 05:47 AM

‎Nov 01 2018 04:11 AM - edited ‎Nov 01 2018 05:47 AM

Solution

Re: Force AIP labelling/protection

Soon enough the Azure Information Protection client will be build into the Office Pro Plus clients, effectively solving one of your issues. Until then I think your best bet is to utilize Azure Information Protection in conjunction with Data Loss Prevention for sensitive data types.

 

In AIP you could enforce that all documents must have a label and ensure that all documents starts with a default label. It won't solve all you headaches, but It's a start I guess.

 

Also you can enforce transport rules through the Exchange Admin center, that will add protection to content that is being sent externally, even if that content is sent from devices or applications that does not support adding labels or protection to content.

https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules

 

You can also enforce Information Rights Management in selected or all SharePoint/OneDrive document library locations, to ensure protection for files located there.

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-irm-in-sp-admin-center 

0 Likes
Reply
Jakob Schaefer

‎Nov 01 2018 07:43 AM

‎Nov 01 2018 07:43 AM

Re: Force AIP labelling/protection

Hi @Michael Whitaker,

have you seen the AIP Scanner? If you use OnPremise Data this tool can help you for automatic labeling and protection for documents.

You should think about combining AIP/Azure RMS with DLP where you can also protect shared documents or block sharing.

Jakob

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Michael Whitaker (Copper Contributor)
Peter Bing Simmons

‎Nov 01 2018 04:11 AM - edited ‎Nov 01 2018 05:47 AM

‎Nov 01 2018 04:11 AM - edited ‎Nov 01 2018 05:47 AM

Solution

Re: Force AIP labelling/protection

Soon enough the Azure Information Protection client will be build into the Office Pro Plus clients, effectively solving one of your issues. Until then I think your best bet is to utilize Azure Information Protection in conjunction with Data Loss Prevention for sensitive data types.

 

In AIP you could enforce that all documents must have a label and ensure that all documents starts with a default label. It won't solve all you headaches, but It's a start I guess.

 

Also you can enforce transport rules through the Exchange Admin center, that will add protection to content that is being sent externally, even if that content is sent from devices or applications that does not support adding labels or protection to content.

https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules

 

You can also enforce Information Rights Management in selected or all SharePoint/OneDrive document library locations, to ensure protection for files located there.

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-irm-in-sp-admin-center 

View solution in original post

0 Likes
Reply