Azure Information Protection retroactive protection - AIP


Hello all,

I need a clarification for a use scenario of AIP.

Hypothesis: using a label called "highly confidential" that at the end of the implementation will protect documents with the protection flag of AIP configuration.

What I need to understand is the following scenario:

1. We start to use the label without the protection flag, for example for three months.

2. During this time period a total of 100 documents have been labeled as "highly confidential" and obviously only labeled, without protection.

3. After these three months we will edit the label, enabling the flag of protection.

The question is about what will happen to the 100 documents labeled before the edit of the label: will they be retroactively protected?

Thanks for helping.

If something is not clear, please ask for clarification.

3 Replies
From my understanding you would need AIP plan 2. This includes the scanner which is installed on a local server or run in Azure. Please see the quote below from the Microsoft docs page. I’ll include the full link as well.

“In addition, all files are inspected when the scanner downloads an Azure Information Protection policy that has new or changed conditions. The scanner refreshes the policy every hour, and when the service starts and the policy is older than one hour.”

https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-quick-start-tutorial

Hi @Bryan Haslip, thanks for answering, but my question is more complex than that.

Imagine that a few files that have a label were sent to external recipients or cloud spaces.

I want the files to start to be protected because of business reasons; I change the label that I know is the same as that of the document in this case.

Can I be sure that all the documents with that label will be protected, obviously also outside my systems, where I could eventually use the AIP scanner (which is not the case here, btw)?

The purpose is to protect documents also (and especially, I think) outside the home environment.


I think I understand now. From my experience, once the document has left your environment and control, the only option you have is to revoke access to the document. I have not been able to apply the updated policy on a document that, say, I sent via email. I certainly can revoke access and send the updated document with the updated policy. Hopefully that gives you the information you are looking for.

@ThatsSecurity