The Documentation for Azure Information Protection has been updated on the web and the latest content has an August 2018 (or later) date at the top of the article.
This month sees an updated preview release of the client, with supporting documentation for the changes. The biggest change in this version is that protecting PDF files by using the ISO standard for PDF encryption is now the default rather than a configuration option that you enable with an advanced client setting. You can use the advanced client setting if you need to revert to the GA behavior.
We listen to your feedback and try to incorporate it whenever possible. Let me know if you have feedback about the technical documentation and I also encourage you to head over to our Yammer site to see what others are discussing.
What's new in the documentation for Azure Information Protection, August 2018
Requirements for Azure Information Protection
- Updated the Firewalls and network infrastructure section to reflect the recent redesign of the Office article, Office 365 URLs and IP address ranges. You can read more about the redesign on the Office blog post, New Office 365 IP/URL tables published. If you have questions or feedback about the new design, use GitHub Issues at the bottom of the Office article.
The redesign no longer has a separate section for "Azure Rights Management (RMS)" and the URLs that are marked as Required (which include those needed for Azure Rights Management protection) do not list the relevant services. In line with this strategy, our documentation no longer lists mobile.pipe.aria.microsoft.com because this URL is listed as Required for other services. Azure Information Protection uses this URL to periodically send usage data. Note that unlike other URLs that the client requires, if this one is blocked, the client does work but it affects its performance because it keeps trying to send the data. Other changes to this section:
- Removed api.informationprotection.azure.com: This URL is now included in the Office listing.
- Added informationprotection.hosting.portal.azure.net: This new URL isn't yet included in the Office listing, so it is temporarily listed in this section.
- Clarified that only the aadrm.com URL uses certificate pinning.
Terminology for Azure Information Protection
- Added new entries for Azure Information Protection components, which include the client, scanner, viewer, policy, label, and protection templates.
Planning and implementing your tenant key
- Updated the Instructions for BYOK section with the information that for Azure Information Protection to use the key, all Key Vault operations must be permitted for the key. This is the default configuration and the operations are encrypt, decrypt, wrap, unwrap, sign, and verify. You can use the Key Vault PowerShell cmdlet, Get-AzureKeyVaultKey to verify the key-ops values.
Configuring usage rights for Azure Rights Management
- Updated the Encrypt-Only option for emails section, with information about the new parameter, DecryptAttachmentForEncryptOnly, which removes protection from Office attachments after the protected email message is opened.
How to configure conditions for automatic and recommended classification for Azure Information Prote...
- Remove the note that the new sensitive types that help you find personal data might not be displayed for all tenants in the Azure portal. This deployment is now complete and these new options should be displayed for all tenants.
Deploying the Azure Information Protection scanner to automatically classify and protect files
- Updated the How files are scanned section:
- Because by default, only Office file types are protected by the scanner, clarified the outcome for PDF and Text when these files are scanned.
- When you have the current preview version of the scanner, you can use the * wildcard configuration in the registry to protect all file types
Customer-managed: Tenant key life cycle operations
- Updated the Rekey section to clarify that when you rekey an HSM-protected key that you create on-premises, you can use the same security world and access cards as you used for your current key.
Azure Information Protection client: Version release history and support policy
- Updated for the new preview release, which includes the following new fixes with the latest version:
- When you use the client for right-click in File Explorer, PowerShell, or the scanner, labeling is blocked for files in WebDav locations because this is an unsupported scenario.
- The Delete Label icon does not display in client apps (Word, Excel, PowerPoint, and Outlook) when you configure the policy setting All documents and emails must have a label.
Azure Information Protection client administrator guide
- The Upgrading the Azure Information Protection scanner section is updated with the information that Update-AIPScanner must be run one time after upgrading from the GA version (1.29.5.0) and earlier. In other words, if you are upgrading from the last preview version and previously ran Update-AIPScanner, you do not need to run it again.
Admin Guide: Custom configurations for the Azure Information Protection client
- Updated the following entries:
New entries that require the current preview client:
Admin Guide: File types supported by the Azure Information Protection client
- Added the statement that files in WebDAV locations are not supported. Updated throughout for the new behavior of the preview client when it protects PDF files. In addition, the file types of .msg, .rar, and .zip are added to the list of file types excluded by default for the preview version of the scanner.
AzureInformationProtection PowerShell module:
