Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Can AIP be used for OneDrive for Business and SharePoint Online?

Brass Contributor

Folks,

 

I understand AIP can be used for MIcrosoft Office compatible document extenstions.

However, cannot find if it overall protect OneDrive for business & SharePoint Online?

 

 

8 Replies

Hi,

 

AIP can protect Office 365 services includes SharePoint Online and OneDrive for Business. AIP provides encryption and permissions for files and you've three tiers of protection for data basic, sensitive and confidential.

Check the following information:

https://docs.microsoft.com/en-us/office365/securitycompliance/protect-sharepoint-online-files-with-a...

https://docs.microsoft.com/en-us/office365/securitycompliance/secure-sharepoint-online-sites-and-fil...

 

Eli.

Make sure that you read the "important notes" section in the articles above though, as you loose a lot of functionality if you protect files with AIP directly:

 

When Azure Information Protection encryption is applied to files stored in Office 365, the service cannot process the contents of these files. Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work. Data Loss Prevention (DLP) policies can only work with the metadata (including Office 365 labels) but not the contents of these files (such as credit card numbers within files).

 

It's the good old "reasoning over data" problem, and it's about time the relevant teams at Microsoft sit together on the same table and give us a better solution...

Vasil,

 

So if AIP enabled in SharePoint Online then all the documents that are protected.

Will lose on:

"Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work."

 

Is my understanding is correct?

If yes, well to stop it would be stop the entire AIP for SharePoint?

 

 

HI,

 

Not exact, with AIP on SharePoint you run only the encryption with IRM options, in such a way that you do not cause implications for the encryption of the files and not causing the process with the contents such as Co-authoring, eDiscovery etc.

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-irm-in-sp-admin-center?redirect...

Eli.

If you protect files individually with AIP and store them in a SPO location, then all the functionalities listed above will not work, as SPO cannot access the content of a protected file. You can use the IRM protection feature for document libraries instead, but unfortunately it's 10 years old and very limited.

Vasil, In general documented using AIP will be stored in SharePoint Online or One Drive for Business for easy sharing.

 

What I`m getting is to apply AIP classification on a document only once its the final copy?

As Co-Authoring is such an important feature while the document is in draft stage.

 

Hope my understanding is correct.

It sounds OK, just wanted to make sure you understand the implications of protecting a file.

In SharePoint Online you can create a data loss prevention (DLP) policy to protect the sensitive documents using regular expression (RegEx) pattern matching. Can use RegEx defaults or customs.
Is that correct?? THANKS