This month sees an updated preview release of the client, with supporting documentation for the changes. The biggest change in this version is that protecting PDF files by using the ISO standard for PDF encryption is now the default rather than a configuration option that you enable with an advanced client setting. You can use the advanced client setting if you need to revert to the GA behavior.
We listen to your feedback and try to incorporate it whenever possible. Let me know if you have feedback about the technical documentation and I also encourage you to head over to our Yammer site to see what others are discussing.
What's new in the documentation for Azure Information Protection, August 2018
The redesign no longer has a separate section for "Azure Rights Management (RMS)" and the URLs that are marked as Required (which include those needed for Azure Rights Management protection) do not list the relevant services. In line with this strategy, our documentation no longer lists mobile.pipe.aria.microsoft.com because this URL is listed as Required for other services. Azure Information Protection uses this URL to periodically send usage data. Note that unlike other URLs that the client requires, if this one is blocked, the client does work but it affects its performance because it keeps trying to send the data. Other changes to this section:
Removed api.informationprotection.azure.com: This URL is now included in the Office listing.
Added informationprotection.hosting.portal.azure.net: This new URL isn't yet included in the Office listing, so it is temporarily listed in this section.
Clarified that only the aadrm.com URL uses certificate pinning.
- Updated the Instructions for BYOK section with the information that for Azure Information Protection to use the key, all Key Vault operations must be permitted for the key. This is the default configuration and the operations are encrypt, decrypt, wrap, unwrap, sign, and verify. You can use the Key Vault PowerShell cmdlet, Get-AzureKeyVaultKey to verify the key-ops values.
- Updated the Encrypt-Only option for emails section, with information about the new parameter, DecryptAttachmentForEncryptOnly, which removes protection from Office attachments after the protected email message is opened.
- Remove the note that the new sensitive types that help you find personal data might not be displayed for all tenants in the Azure portal. This deployment is now complete and these new options should be displayed for all tenants.
- The Upgrading the Azure Information Protection scanner section is updated with the information that Update-AIPScanner must be run one time after upgrading from the GA version (22.214.171.124) and earlier. In other words, if you are upgrading from the last preview version and previously ran Update-AIPScanner, you do not need to run it again.
Don't protect PDF files by using the ISO standard for PDF encryption (previously called "Protect PDF files by using the ISO standard for PDF encryption") has been updated now that the preview client defaults to protecting PDFs files by using the ISO standard. Configure this advanced client setting only if you want to revert to the GA behavior of creating .ppdf files.
New entries that require the current preview client:
- Added the statement that files in WebDAV locations are not supported. Updated throughout for the new behavior of the preview client when it protects PDF files. In addition, the file types of .msg, .rar, and .zip are added to the list of file types excluded by default for the preview version of the scanner.