SharePoint and AIP

Hi,

Does anyone know if there's a way of automatically applying Azure Information Protection policies to all files in a SharePoint document library?

Desired Outcome

  • All files dropped in the Finance document library are classified highly confidential
  • Highly confidential files can't be shared outside of the Office 365 tenant. If they are, they are prompted to log in
  • If any file from the Finance document library is misplaced in the wrong location (say the Sales document library), the file cannot be opened

  1. I know AIP can do this, but is there a way of automatically encrypting all documents in a library (other than applying by keyword)?
  2. I know you can apply data loss protection to a document library; however, that does not stop a user from downloading the file and then sending it.
  3. Is Information Rights Management the best way to do this?

Thanks

14 Replies
I guess IRM for SharePoint Online is the way to go if automation is needed

https://support.office.com/en-us/article/apply-information-rights-management-to-a-list-or-library-3b...

AIP and SharePoint don't mix well, still. Yes, you can apply labels to documents and even libraries, but the problem is that any file that is protected by an AIP label directly will be rendered inaccessible for any server-side SPO processing. So in effect, you will lose search, co-authoring, Delve, even eDiscovery. Until the two teams sit together and do a proper integration, you're better off using the 10-year-old IRM implementation instead.

More info here: https://docs.microsoft.com/en-us/office365/securitycompliance/protect-sharepoint-online-files-with-a...

Couple of points:

1. IRM for SharePoint only applies protection when documents are downloaded from a protected library.

2. Rights Management templates are the way to protect information because you can assign rights to individual users (and now to "Any authenticated users" https://office365foritpros.com/2018/11/02/any-authenticated-users-permission/).

3. Office 365 users can access templates as Azure Information Protection (AIP) labels or as templates published in a protection policy.

4. Office 365 and AIP are "unifying" labels. What this means is that you can create a new form of sensitivity label in the Security and Compliance Center that is tied to a rights management template and therefore can protect messages and documents through encryption. The unification only refers to being able to manage the labels in one place (the classifications section of the SCC). This work is still in early days and while you can migrate AIP labels to the SCC, some restrictions exist. It's really just suitable for a test tenant today.

Encrypted documents protected with rights management have some restrictions too, like no preview or co-authoring.

When Office 365 sensitivity labels are fully operational and generally available, you might be able to use auto-label policies to apply them to documents on the basis of:

  • Keyword search
  • DLP sensitive data type

You will also be able to apply sensitivity labels via a DLP policy.

All of this is a long way of saying that the old rights management template technology is being brought into Office 365 in an integrated manner. It's not there yet, but it is coming.

You can sugarcoat it as much as you like, the simple truth is that integration between AIP and SPO is nowhere near where it should've been, considering the number of years both have been available separately, as part of the Microsoft cloud portfolio. I remember talking to some of the AIP folks two years back, they were throwing excuses along the lines of "the SPO folks should contact us". Obviously that can take a while in an organization the size of Microsoft :)

Really Vasil, the "simple truth" is simply "your opinion"...

I merely report what's happening and choose not to speculate what might have happened in the past and the discussions that might have occurred between different engineering teams.

Let's run a poll, see if it's just my opinion :)

One of the best things about the community is we can ask Microsoft themselves! This one might be best to start with @Chris McNulty and perhaps I can ask @Mark Kashman to nudge a response too!

Well, in all my interactions with people over the last four Ignite conferences and a bunch of other events, I have never had anyone come up to me to say that they were burning for better integration. I think the fact is that we're now getting to a point where Office 365 is maturing and filling in the gaps between applications that existed in the past. Sure, there's work to be done, but that will always be the case because technology is always behind the desires of humans.

Thanks for the input guys.

It does seem like you should be able to auto apply AIP to documents just like you can with IRM. I guess here are the 3 options unless someone has input?

  1. Use standard IRM - This will stop confidential documents being misplaced or, if sent by email, blocked - This is the likely one we will apply
  2. Use AIP and apply by content - Get the Finance staff to write a keyword in their documents (this won't happen)
  3. Use AIP and apply manually - Request the users manually mark all finance documents as confidential (this won't happen)

Thanks again everyone.

One kludgy way would be to synchronize the contents of the Finance libraries to a workstation and then run the Set-AIPFileLabel cmdlet to assign the right template to each file.

But I hope to see auto-label policies coming for sensitivity labels in the same way that they are there now for retention labels. It would seem logical for both labels to have the same surrounding deployment functionality.
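As an added example of the workaround just described (this is not code from the thread or from Microsoft), here is how the bulk labelling run could look on the workstation holding the synced copy of the Finance library. It assumes the AzureInformationProtection client PowerShell module is installed, and the local folder path and the label GUID are placeholders to be replaced with your own values; the inventory step uses Get-AIPFileStatus first so the run is auditable before anything is changed.

```powershell
# Added example, not from the thread: bulk-apply one AIP label to every file in a
# OneDrive-synced copy of the Finance library using the AIP client cmdlets.
# Assumes the AzureInformationProtection client module is installed on this workstation.
Import-Module AzureInformationProtection

# Placeholders: the local sync path and the label GUID from your tenant's AIP policy.
$FinancePath = 'C:\Users\jdoe\Contoso\Finance - Documents'
$HighlyConfidentialLabelId = '00000000-0000-0000-0000-000000000000'

# Inventory first: record which files already carry the label and which do not.
$status = Get-ChildItem -Path $FinancePath -Recurse -File |
    ForEach-Object { Get-AIPFileStatus -Path $_.FullName }

$needsLabel = $status | Where-Object { $_.MainLabelId -ne $HighlyConfidentialLabelId }
Write-Host ("{0} of {1} files need the label" -f @($needsLabel).Count, @($status).Count)

# Apply the label. -PreserveFileDetails keeps the original modified date so the
# sync client does not present every file as a fresh edit by the admin account.
$results = foreach ($file in $needsLabel) {
    Set-AIPFileLabel -Path $file.FileName -LabelId $HighlyConfidentialLabelId -PreserveFileDetails
}

# Set-AIPFileLabel returns one record per file; keep the non-successful ones for review.
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object { $_.Status -ne 'Success' } | Select-Object FileName, Status, Comment
```

Two caveats follow from the rest of the thread: the script only covers files present at the time it runs, so it would need to be scheduled to catch new uploads, and once the labelled files sync back to SharePoint Online they are protected at rest there, which brings the server-side limitations mentioned earlier (search, co-authoring, preview, eDiscovery) with them.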

Thanks. Good suggestion but I think we will avoid workarounds for our clients if there is a viable solution. Great I look forward to more features coming! I really appreciate your input.

You may want to get the EMS E5 (or AIP P2) licenses for your Finance people. This will allow them to automatically classify files that contain sensitive information without regard to the storage location.

The fact that a file is stored in a location does not determine its classification; the content of the file is what determines its classification level.

You can also use Cloud App Security to apply labels, based on a location https://docs.microsoft.com/en-us/cloud-app-security/azip-integration

BTW, sensitivity labels (now available in Office 365 for both E3 and E5 tenants) are supposed to get the auto-label capabilities available in AIP Plan 2 in the future. This will remove the need for any other licenses.

Also, sensitivity labels are due to be supported by DLP policies, so you'd be able to apply sensitivity labels (with encryption) based on the presence of a sensitive data type, including one that you define for the tenant.