AIP Policies - What determines the order of the policies? Example?


You can move AIP policies up and down. So it seems the order matters. What is an example where I would need to pay attention to the order and what does it determine?

For example my users would get 3 policies:

- the standard (global) policies for all company users (e.g. public, internal, confidential, restricted (protected))

- a department policy (Sales Restricted (protected))

- a policy allowing some users customized protection

Would this also be the recommended order?


Thanks,
Franck

 

1 Reply
Hi @Franck Marteaux

Great question! See this article here on AIP policies

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-scope

The critical section here -

'Scoped policies, just like labels, are ordered in the Azure portal. If a user is configured for multiple scopes, an effective policy is computed for that user before it is downloaded. According to the order of the policies, the last policy setting is applied. The labels that the user sees are from the global policy and any additional labels from scoped policies that the user belongs to'

So it looks like you have it right insofar as first level is org (global), second level is department and third level is users in that department.

This article should help you to structure your policies according to your organisation.

Hope that answers your question.

Best, Chris
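
The ordering rule quoted in the reply above, worked through as an added example (not part of the original thread and not Microsoft's code). It is a simplified model of the effective-policy computation: the setting keys, group names and the assumption that a scoped policy lists only the settings it changes are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    name: str
    scope: Optional[set]            # None = global policy, applies to everyone
    labels: list                    # labels this policy adds
    settings: dict = field(default_factory=dict)  # only settings it sets

def effective_policy(user_groups, ordered_policies):
    """Merge the policies that apply to a user, in portal order (top first)."""
    applied, labels, settings = [], [], {}
    for policy in ordered_policies:
        if policy.scope is not None and not (policy.scope & user_groups):
            continue                # user is outside this policy's scope
        applied.append(policy.name)
        for label in policy.labels:
            if label not in labels:
                labels.append(label)   # global labels plus scoped additions
        settings.update(policy.settings)  # last policy in the order wins
    return {"applied": applied, "labels": labels, "settings": settings}

# Constructed sample data modelled on the three policies in the question.
# Setting keys and group names are hypothetical, not AIP identifiers.
GLOBAL = Policy("Global", None,
                ["Public", "Internal", "Confidential", "Restricted"],
                {"default_label": "Internal", "custom_permissions": False})
SALES = Policy("Sales", {"sales"}, ["Sales Restricted"],
               {"default_label": "Sales Restricted"})
CUSTOM = Policy("Custom protection", {"custom-protection"}, [],
                {"default_label": "Confidential", "custom_permissions": True})

if __name__ == "__main__":
    user = {"sales", "custom-protection"}
    for order in ([GLOBAL, SALES, CUSTOM], [GLOBAL, CUSTOM, SALES]):
        result = effective_policy(user, order)
        print(" > ".join(result["applied"]), "->", result["settings"])
    # A user in neither group only receives the global policy.
    print(effective_policy({"hr"}, [GLOBAL, SALES, CUSTOM]))
```

The order only matters where two policies that both apply to the same user set the same setting; labels accumulate regardless of order.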