SOLVED

Using Azure Information Protection policies

%3CLINGO-SUB%20id%3D%22lingo-sub-140200%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Azure%20Information%20Protection%20policies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140200%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20your%20response%20Carol%20-%20much%20appreciated.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139992%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Azure%20Information%20Protection%20policies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139992%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F100230%22%20target%3D%22_blank%22%3E%40NEIL%20MARLOWE%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CP%3EHi%20Neil%20-%20all%20good%20questions%20and%20I%20encourage%20you%20to%20do%20your%20own%20testing%20as%20well%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E1)%20If%20I%20send%20an%20email%20to%20fred%40mycompany.com%20(no%20attachments)%20with%20a%20protection%20policy%20applied%20that%20fred%20is%20not%20included%20in%2C%20I%20presume%20fred%20will%20not%20be%20able%20to%20open%20the%20email%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnswer%3A%26nbsp%3B%20Correct.%26nbsp%3B%20If%20fred%40mycompany.com%20is%20not%20granted%20any%20rights%2C%20this%20user%20will%20not%20be%20able%20to%20open%20the%20protected%20email.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CEM%3E2)%20If%20I%20send%20an%20email%20to%20fred%40mycompany.com%20(with%20unprotected%20attachment)%20and%20use%20the%20Do%20Not%20Forward%2C%20I%20presume%20fred%20can%20open%20the%20email%20and%20the%20attached%20but%20presume%20the%20attachment%20is%20not%20protected%20and%20could%20be%20extracted%20%2F%20screen%20grabbed%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnswer%3A%26nbsp%3B%20If%20the%20attachment%20is%20an%20Office%20document%2C%20it%20will%20be%20automatically%20protected%20with%20the%20same%20settings%20as%20the%20protection%20policy.%26nbsp%3B%20Full%20list%20of%20supported%20documents%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Farticle%2Fbb643d33-4a3f-4ac7-9770-fd50d95f58dc%23FileTypesforIRM%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Farticle%2Fbb643d33-4a3f-4ac7-9770-fd50d95f58dc%23FileTypesforIRM%26nbsp%3B%3C%2FA%3E%20If%20the%20attachment%20is%20not%20an%20Office%20document%2C%20it%20is%20not%20protected%20independently%20from%20the%20email.%26nbsp%3B%20That%20is%2C%20when%20the%20protected%20email%20is%20read%2C%20the%20recipient%20can%20save%20that%20document%20and%20it%20can%20be%20ready%20by%20anybody.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CEM%3E3)%20If%20I%20send%20an%20email%20to%20fred%40mycompany.com%20(with%20a%20mix%20of%20protected%20and%20unprotected%20attachments%20and%20use%20a%20separate%20protection%20policy%20for%20the%20email%20compared%20to%20the%20protected%20attachments%2C%20I%20guess%20the%20unprotected%20documents%20get%20the%20over-arching%20policy%20but%20do%20the%20originally%20protected%20attachments%20retain%20their%20previous%20policy%2C%20get%20a%20replacement%20policy%20or%20a%20composite%20policy%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnswer%3A%26nbsp%3B%20If%20the%20documents%20are%20protected%20before%20they%20are%20attached%20to%20the%20protected%20email%2C%20they%20retain%20their%20original%20protection%20settings.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CEM%3E4)%20If%20fred%40mycompany.com%20is%20not%20listed%20in%20a%20particular%20policy%20but%20I%20want%20to%20add%20him%2C%20does%20fred%20have%20to%20be%20added%20by%20an%20admin%20in%20the%20policy%20settings%20(i.e.%20add%20to%20Azure%20directory%20as%20contact)%20then%20applied%20to%20the%20policy%20before%20I%20can%20email%20fred%20(I%20know%20that%20this%20can%20be%20done%20using%20the%20AIP%20client%20using%20the%20Classify%20and%20Protect%20feature%20to%20add%20other%20recipients%20but%20I%20can't%20see%20how%20this%20can%20be%20applied%20using%20an%20email%20client%20or%20using%20a%20Word%20document%20if%20stored%20in%20Sharepoint)%3F%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EAnswer%3A%20If%20the%20policy%20being%20set%20is%20from%20an%20Azure%20Information%20Protection%20label%20or%20RMS%20template%2C%20or%20an%20Exchange%20Online%20transport%20rule%2C%20then%20yes%2C%20fred's%20account%20(or%20a%20group%20that%20includes%20his%20account)%26nbsp%3Bneeds%20to%20be%20added%20by%20an%20admin.%20But%20you%20can%20protect%20the%20email%20yourself%20and%20grant%20fred%20rights%20to%20open%20it%20by%20using%20the%20Outlook%20Do%20Not%20Forward%20option.%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-135382%22%20slang%3D%22en-US%22%3EUsing%20Azure%20Information%20Protection%20policies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-135382%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20just%20implemented%20the%20new%20OME%20V2%20configuration%20for%20Azure%20Information%20Protection%20and%26nbsp%3B%26nbsp%3BI%20have%20a%20few%20questions%20around%20using%20the%20solution%20with%20external%20recipients%20if%20you%20can%20help%3F%3CBR%20%2F%3E%20%3CBR%20%2F%3E1)%20If%20I%20send%20an%20email%20to%20fred%40mycompany.com%20(no%20attachments)%20with%20a%20protection%20policy%20applied%20that%20fred%20is%20not%20included%20in%2C%20I%20presume%20fred%20will%20not%20be%20able%20to%20open%20the%20email%3F%3CBR%20%2F%3E2)%20If%20I%20send%20an%20email%20to%20fred%40mycompany.com%20(with%20unprotected%20attachment)%20and%20use%20the%20Do%20Not%20Forward%2C%20I%20presume%20fred%20can%20open%20the%20email%20and%20the%20attached%20but%20presume%20the%20attachment%20is%20not%20protected%20and%20could%20be%20extracted%20%2F%20screen%20grabbed%3F%3CBR%20%2F%3E3)%20If%20I%20send%20an%20email%20to%20fred%40mycompany.com%20(with%20a%20mix%20of%20protected%20and%20unprotected%20attachments%20and%20use%20a%20separate%20protection%20policy%20for%20the%20email%20compared%20to%20the%20protected%20attachments%2C%20I%20guess%20the%20unprotected%20documents%20get%20the%20over-arching%20policy%20but%20do%20the%20originally%20protected%20attachments%20retain%20their%20previous%20policy%2C%20get%20a%20replacement%20policy%20or%20a%20composite%20policy%3F%3CBR%20%2F%3E4)%20If%20fred%40mycompany.com%20is%20not%20listed%20in%20a%20particular%20policy%20but%20I%20want%20to%20add%20him%2C%20does%20fred%20have%20to%20be%20added%20by%20an%20admin%20in%20the%20policy%20settings%20(i.e.%20add%20to%20Azure%20directory%20as%20contact)%20then%20applied%20to%20the%20policy%20before%20I%20can%20email%20fred%20(I%20know%20that%20this%20can%20be%20done%20using%20the%20AIP%20client%20using%20the%20Classify%20and%20Protect%20feature%20to%20add%20other%20recipients%20but%20I%20can't%20see%20how%20this%20can%20be%20applied%20using%20an%20email%20client%20or%20using%20a%20Word%20document%20if%20stored%20in%20Sharepoint)%3F%3CBR%20%2F%3E%20%3CBR%20%2F%3ESorry%20-%20a%20lot%20of%20questions%20but%20these%20are%20the%20main%20scenarios%20that%20present%20themselves%20when%20implementing%20the%20solution.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-135382%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%20%26amp%3B%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

I've just implemented the new OME V2 configuration for Azure Information Protection and  I have a few questions around using the solution with external recipients if you can help?

1) If I send an email to fred@mycompany.com (no attachments) with a protection policy applied that fred is not included in, I presume fred will not be able to open the email?
2) If I send an email to fred@mycompany.com (with unprotected attachment) and use the Do Not Forward, I presume fred can open the email and the attached but presume the attachment is not protected and could be extracted / screen grabbed?
3) If I send an email to fred@mycompany.com (with a mix of protected and unprotected attachments and use a separate protection policy for the email compared to the protected attachments, I guess the unprotected documents get the over-arching policy but do the originally protected attachments retain their previous policy, get a replacement policy or a composite policy?
4) If fred@mycompany.com is not listed in a particular policy but I want to add him, does fred have to be added by an admin in the policy settings (i.e. add to Azure directory as contact) then applied to the policy before I can email fred (I know that this can be done using the AIP client using the Classify and Protect feature to add other recipients but I can't see how this can be applied using an email client or using a Word document if stored in Sharepoint)?

Sorry - a lot of questions but these are the main scenarios that present themselves when implementing the solution.

2 Replies
Best Response confirmed by NEIL MARLOWE (Occasional Contributor)
Solution

@NEIL MARLOWE wrote:

Hi Neil - all good questions and I encourage you to do your own testing as well:

 

1) If I send an email to fred@mycompany.com (no attachments) with a protection policy applied that fred is not included in, I presume fred will not be able to open the email?

 

Answer:  Correct.  If fred@mycompany.com is not granted any rights, this user will not be able to open the protected email.


2) If I send an email to fred@mycompany.com (with unprotected attachment) and use the Do Not Forward, I presume fred can open the email and the attached but presume the attachment is not protected and could be extracted / screen grabbed?

 

Answer:  If the attachment is an Office document, it will be automatically protected with the same settings as the protection policy.  Full list of supported documents: https://support.office.com/article/bb643d33-4a3f-4ac7-9770-fd50d95f58dc#FileTypesforIRM  If the attachment is not an Office document, it is not protected independently from the email.  That is, when the protected email is read, the recipient can save that document and it can be ready by anybody.


3) If I send an email to fred@mycompany.com (with a mix of protected and unprotected attachments and use a separate protection policy for the email compared to the protected attachments, I guess the unprotected documents get the over-arching policy but do the originally protected attachments retain their previous policy, get a replacement policy or a composite policy?

 

Answer:  If the documents are protected before they are attached to the protected email, they retain their original protection settings.


4) If fred@mycompany.com is not listed in a particular policy but I want to add him, does fred have to be added by an admin in the policy settings (i.e. add to Azure directory as contact) then applied to the policy before I can email fred (I know that this can be done using the AIP client using the Classify and Protect feature to add other recipients but I can't see how this can be applied using an email client or using a Word document if stored in Sharepoint)?

Answer: If the policy being set is from an Azure Information Protection label or RMS template, or an Exchange Online transport rule, then yes, fred's account (or a group that includes his account) needs to be added by an admin. But you can protect the email yourself and grant fred rights to open it by using the Outlook Do Not Forward option.

Thanks for your response Carol - much appreciated.