Auditing sensitive data on Windows endpoints using the Azure Information Protection client
Published May 09 2019 10:12 PM

Getting an accurate view of the sensitive data in your environment is a challenge that all companies face. It is even harder when you have thousands of employees who work remotely and do not connect to the corporate network on a regular basis. The Azure Information Protection client has a new passive auditing capability that helps with this challenge.


In the latest GA version of the Azure Information Protection client (1.48.204.0), you can now discover sensitive information in any document that is opened in Office on a machine with the AIP client installed. This allows you to do passive data discovery across all your endpoints, even when they are not connected to your corporate network while the user is working on that content. The image below shows a file that was labeled with the unprotected default label General, yet contains Information Type Matches.

[Image: EndpointDiscovery.png]

Once the AIP client is deployed throughout your environment, you can run reports in the AIP Analytics activity pane or directly in Log Analytics to audit sensitive information that exists in unprotected documents.

[Image: EndpointDiscovery2.png]

This allows you to identify the types of sensitive information that exist on endpoints so you can create recommended conditions that guide your users to classify sensitive data appropriately. You could also use this information to create automatic conditions that protect your mission-critical sensitive information. The beauty of this is that the AIP client collects the matches passively, as documents are opened, so it does not hurt performance the way an active scanner can.


Because we are aware that there may be privacy concerns with this capability, we have made it opt-in: it must be configured using an Advanced Setting in the global policy or a scoped policy in the AIP console. This way you can either turn it on for the whole tenant and disable it for areas with privacy concerns, or roll it out only in a scoped policy for critical areas such as Human Resources, Legal, or Engineering.


The steps to enable this are straightforward and can be found in the official documentation. A quick primer is provided below for convenience.


  1. Log in to the AIP Console in the Azure Portal at https://aka.ms/AIPConsole
  2. In the left-hand blade, under Classifications, click Policies
  3. In the Policies blade, right-click either the Global policy or a Scoped Policy, and click Advanced settings
     [Image: Advanced Settings.png]
  4. In the Advanced settings blade, under Name, type RunAuditInformationTypeDiscovery, and under Value, type true
     [Image: Audit.png]
  5. Finally, click Save and close to finish enabling this feature.

The result is analytics like the image shown at the beginning of this article. Please let us know if you have any questions in the comments below.


Thanks,

The Information Protection Customer Experience Engineering Team

5 Comments
Silver Contributor

To clarify, you mean the old AIP client? Not the new unified labeling client? Maybe the new one will have the same feature?

Brass Contributor

I assume that deploying this - like scanner - requires that all users on that system have AIP Premium Plan 2?

Oleg,

Both GA clients have the capability but there is not yet an admin interface to configure it for UL. That should be coming soon.

Wes,

Like the AIP scanner in discovery mode, this is an AIP P1 feature. Having the capability to create recommendations and automatic conditions based on the discovered information is a huge benefit for those with P2, but it is not necessary to use the audit feature described in this blog.


Thanks!

Kevin

Copper Contributor

@Kevin McKinnerney - Should this be listed as RunAuditInformationTypeDiscovery or RunAuditInformationTypesDiscovery in the advanced settings of an AIP policy? I am seeing a conflict between this article and the official documentation. I've added both to our Global scope but am still getting "Information Types Matches: None" when looking at the document information protection properties in the Data Discovery blade of AIP. The passive data discovery feature does not seem to be working. The only instance where this correctly populates the matched information types is on an endpoint that was scanned with the AIP scanner.

[Image: AIP_InformationTypesMatches.jpg]

Copper Contributor

So what is it???

RunAuditInformationTypeDiscovery or RunAuditInformationTypesDiscovery

Also, the official documentation doesn't include "True"; thus the official document leads the reader to understand that it is on by default and you need to "OPT OUT",

AS OPPOSED TO THIS ARTICLE THAT STATES OPT IN!


Version history: last updated May 11 2021 02:08 PM