A couple of quiet releases that you might have missed include DNS redirection to help you more easily migrate from AD RMS, and the new Information Protection admin role, which lost its preview disclaimer because it was declared GA. We also have a new client customization option to help you migrate from another labeling solution, such as Secure Islands. We've had very positive feedback from customers using all these recent additions.
As the new Encrypt-Only option rolls out to Exchange Online, we've been getting more customer questions about this and the attached Office documents that become automatically protected. As a result, we've added more information to the description of this option, and how to configure a label for the same set of permissions (although you can't restrict the label to just Outlook and you must specify the recipients or domain in advance). We've also been asked to clarify the inherited permissions for an Office document that's attached to a Do Not Forward email.
Questions about subscriptions and licensing were also higher than usual this month. The technical documentation doesn't list specific subscriptions because these are managed by separate teams who are responsible for deciding what gets included or not in the subscriptions. They are also responsible for creating new subscriptions, and retiring older subscriptions. So the technical documentation links to their information, but we heard it wasn't always clear which features were included in a subscription. We passed that information on and you're invited to provide your own feedback with this Yammer post: https://www.yammer.com/askipteam/threads/1048644961. In the meantime, to help you more easily find the subscription information, we've added links to the Applies to: section at the top of each page.
We listen to your feedback and try to incorporate it whenever possible. Let me know if you have feedback about the documentation and I also encourage you to head over to our Yammer site to see what others are discussing.
What's new in the documentation for Azure Information Protection, March 2018
- Updated in line with the new support statement that this subscription is no longer supported for protecting documents and emails. Instead, use it for authentication only if the user's organization does not have an Azure AD tenant.
The Azure Active Directory section confirms that Azure Information Protection supports single sign-on (SSO) so that users are not repeatedly prompted for their credentials. However, if you use a vendor solution for federation, check with that vendor how to configure it for Azure AD. WS-Trust is a common requirement for these solutions to support single sign-on.
The Applications section has more information about how to confirm whether your Office 365 subscription includes Office 365 Pro Plus, which is the Office edition needed to support protection.
The Firewalls and network infrastructure section is updated to add TCP port 443 to mobile.pipe.aria.microsoft.com. This URL is required for many Office applications and services, but the Office documentation doesn't specifically list Azure Information Protection for it. If this port is blocked, you might experience performance issues, so we recommend checking that this endpoint is allowed on firewalls.
- New section, Client reconfiguration by using DNS redirection. DNS redirection is the new and preferred method for client migration because it is simpler than using registry edits. However, this redirection requires Office 2016 click-to-run desktop apps for Windows computers. To configure this redirection method, you must create a new SRV record, and set an NTFS deny permission for users on the AD RMS publishing endpoint.
Edit Content, Edit (common name): In Word, this usage right isn't sufficient to use all the features associated with Track Changes.
View, Open, Read (common name): In Excel, this usage right isn't sufficient to sort and filter data, or create pivot tables.
Copy (common name): In Skype for Business and similar screen-sharing applications, the presenter must have this usage right to successfully present a protected document. If the presenter does not have this right, the attendees cannot view the document and it displays as blacked out to them.
- Updated to add the warning not to use the character # for a label name, in addition to the other characters that are automatically blocked in the Azure portal. The full list of characters that you should not use for labels, because they cannot be used by all services and applications, is: < > % & / ? ; + \ : #. This information is also added to Add-AadrmTemplate and Set-AadrmTemplateProperty.
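As an added example (not code from the Azure Information Protection documentation), a small Python check that screens proposed label names against the character list above before they are entered in the portal or passed to Add-AadrmTemplate; the sample names are constructed.

```python
# Added example, not from the AIP documentation: screen proposed label names
# against the characters the page says not to use, because not every service
# or application can handle them. The blocklist is the page's own list.
BLOCKED_LABEL_CHARS = set('<>%&/?;+\\:#')


def find_blocked_chars(label_name: str) -> list:
    """Return the blocked characters found in label_name, in order of first
    appearance and without duplicates. An empty list means the name is clean."""
    found = []
    for ch in label_name:
        if ch in BLOCKED_LABEL_CHARS and ch not in found:
            found.append(ch)
    return found


def is_valid_label_name(label_name: str) -> bool:
    """A usable name is non-blank and contains none of the blocked characters."""
    return bool(label_name.strip()) and not find_blocked_chars(label_name)


def suggest_safe_name(label_name: str) -> str:
    """Replace each blocked character with '-' so the intent of the name survives."""
    return "".join("-" if ch in BLOCKED_LABEL_CHARS else ch for ch in label_name)


def check_label_names(names):
    """Map each proposed name to its list of offending characters."""
    return {name: find_blocked_chars(name) for name in names}


if __name__ == "__main__":
    # Constructed sample names for the demonstration; not taken from the page.
    proposed = ["Confidential", "Internal #1", "Finance/HR",
                "Encrypt-Only", "Legal <Privileged>"]
    for name, bad in check_label_names(proposed).items():
        if bad:
            print(f"{name!r}: blocked {' '.join(bad)} -> try {suggest_safe_name(name)!r}")
        else:
            print(f"{name!r}: OK")
```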
- Updated with the clarification that you can configure a label for protection without configuring protection settings. This configuration results in a label that applies "Only for me" protection. In other words, only the person who applies the label can open the document or email with no usage restrictions. In some cases, this might be the required outcome, so that a user can save a file to any location and be assured that only they can open it. However, it's also possible to select this configuration in error, when you really want protection settings that support collaboration.
In addition, the Example configuration section is updated for Example 4: Label for protected email that supports less restrictive permissions than Do Not Forward. More detail is added about how to create a label with the same usage rights as those in the new Encrypt-Only option.