User Profile
Esaggese
Former Employee
Joined 8 years ago
Recent Discussions
Re: Azure Information Protection - UL - Sensitivity Labels in Office Web Apps - No Adhering to Controls
Shane_Blake The limitation regarding screen capturing is well-known and accepted, since there's no method for a web application to ask a browser to block screen capturing. The limitation you mention about copying is more puzzling, since the Office web apps do prevent copying content from protected documents that don't grant this right. Is this something you can reproduce on documents protected by other users? What rights do you have on the document? It must be highlighted that the ability to enforce limited rights on a document is a "best effort" approach, and it is not intended to stop malicious users (since if you give any form of access to a malicious user, there's nothing you can do to prevent them from reproducing the content; worst case they can take a picture of it with their phone or retype it by hand). So if you don't trust a user enough that you can't reasonably assume the user is not malicious, don't grant them rights to the content at all. Learn more about this here: https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/azure-information-protection-securing-data#malicious-users-with-authorization

Re: Address Book in the Classify and Protect Menu Not Showing
bali_tanmay You appear to meet and exceed the minimum prerequisites for this integration to run, so everything should be working. I would check if disabling any other plugins that may be running in Office on the same machine changes the outcome; sometimes plugins interfere with each other's workings. I suggest you open a support ticket to have this investigated.

Re: User with full access to shared mailbox can't open protected email in Outlook
Scott Wakeman I'm no longer working on that area, but my understanding is that with the updates shipped last year, if the user is directly assigned full access permissions to a mailbox, they should be able to view protected content to which the owner of that mailbox has rights. But there are some constraints; for example, if rights are granted indirectly through a group, that doesn't work. I recommend consulting the Exchange forums for more details.

Re: User with full access to shared mailbox can't open protected email in Outlook
ScottVAMT Access to protected content sent to a shared mailbox is in the market now for users directly being granted access to the mailbox. We still don't have a solution for users that are granted access to the mailbox via a group. We will continue working on it.

Re: AIP - turn the label bar on / off by default in Office apps, but let the user decide?
Hi MartinZoller. This setting is not planned for UL. But in the title of your post you say "let the user decide", and this is actually the behavior: the existing advanced setting you found changes the default status, but doesn't prevent the user from showing or hiding the bar. Is your objective to prevent the user from showing or hiding the bar?

Re: AIP / UL Add-In keyboard shortcuts (especially for Outlook)?
MartinZoller Not a stupid question at all, this should work. There's a bug in the current version of the client with regards to support for keyboard shortcuts. In theory CTRL-Shift-~ allows you to launch the labeling UI, and then you should be able to tab between labels, but the second part is not working. We are looking into releasing a fix for this. Apologies for the inconvenience.

Re: AIP - turn the label bar on / off by default in Office apps, but let the user decide?
MartinZoller Hi. There's an advanced setting to control the persistence of the toolbar status change: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations#permanently-hide-the-azure-information-protection-bar Please let us know if that doesn't address your requirements.

Re: Integration of IronPort Edge devices with AIP
PeterJNGL Two additional considerations: if a product integrates into the Exchange Server transport pipeline (most email content scanning solutions do), they should be able to leverage the Transport Decryption functionality in Exchange, through which, if their transport agent sits after the Transport Decryption agent and Exchange has Transport Decryption enabled, the third-party solution receives decrypted versions of the email (Exchange itself has SuperUser privileges, so it can decrypt the email for processing) without the solution having to have SuperUser itself or use the SDK. This is how most antimalware solutions work, for example: they sit after the transport decryption phase, so they see the content in decrypted form. Content is re-encrypted before exiting the transport pipeline. For all this you have to enable Exchange Server to integrate with AIP using the RMS Connector.

The other consideration is that this works for outbound protected email, and for inbound emails that are a reply to a protected outbound email. But if a third party protects email with their own key and sends it to you, you do not have the authority to use SuperUser privileges to decrypt someone else's content. So you cannot scan content protected by others at the transport layer (note that this is not the case in Exchange Online, since EXO has global SuperUser privileges for the purposes of content scanning, so it can scan inbound protected content). HTH

Re: Setting the default AIP classic label on a OneDrive or SharePoint Online: Document Library
Daniel Westerdale Hi. It is correct that the UL client by default doesn't put a Do Not Forward button in the toolbar, but this should pose no obstacle for this scenario, since there are multiple ways to address this. You can customize the ribbon to show an Encrypt button right by the Sensitivity button, and configure it to apply Do Not Forward in one click (this can be done via a GPO). Second, you can create a label that applies Do Not Forward. While this option is not shown yet in the UL management console in SCC, you can set it for a label in the AIP management console, and if you have enabled Unified Labeling it will show up in the UL client. You can also configure it via SCC PowerShell if you don't want to use the AIP management console. Finally, you can use Unified Labeling while still having deployed the Classic client. Both can coexist if you enable Unified Labeling migration, and they will show the same labels, since once you enable migration all labels are sourced from a common repository, even if they can be managed through two different consoles and can be viewed from the UL client, from the AIP client, and from all built-in clients (e.g. Mac, iOS, Android and, as discussed, in the SharePoint preview). I know this last point can be confusing, but it is important to highlight that using Unified Labeling doesn't require moving *everything* to UL; you can continue using the classic client for as long as it meets your needs better, while using UL for what it supports best (e.g. SharePoint). HTH

Re: Setting the default AIP classic label on a OneDrive or SharePoint Online: Document Library
Seth Weddon Unfortunately we have no timelines for a public preview at this point; the SPO team is working on addressing the issues identified during the private preview so far before moving into a broader preview program.

Re: Setting the default AIP classic label on a OneDrive or SharePoint Online: Document Library
Daniel Westerdale The SPO changes are both on the management side (e.g. DLP integration) and the UI (web apps, list views, etc.). It is based on Unified Labeling, so while it right now supports documents protected with either client, the plan is to have everything moved to UL by the time this releases as GA (already the UL client has mostly feature parity with the Classic client, plus some new features).

Re: Sensitivity Labels without assigned permissions
Patrick Steiner I understand any inconsistency is a nuisance, but these are two different UIs built by different product teams (the UL management interface is part of Office 365, not AIP itself), and the UL UI has additional scenarios to consider, so it is understandable that there are and there will always be differences. That said, there's no specific reason why the UL UI would not have this same ability, so feel free to file a bug or a DCR against the Office 365 SCC portal to request that they add the ability to create a policy with protection but no rights assigned (other than to the owner).

Re: Address Book in the Classify and Protect Menu Not Showing
MariaYacaman Which version of the client are you using? Is Outlook running? Since the GAL button calls Outlook, Outlook must be running for the button to work. Otherwise, can you open a support case? The AIP client logs should show the cause for any failure triggering the GAL window.

Re: Setting the default AIP classic label on a OneDrive or SharePoint Online: Document Library
Daniel Westerdale AIP label integration with SPO will include this functionality and is currently in private preview. We also have a work-around in the current version by using the Label by Custom Property advanced setting in the AIP client, but given that this will be addressed natively in SPO once we release the version in preview, I do not think it is worth implementing a work-around unless you need it implemented today.

Re: AIP client and WTS?
MartinZoller Hi. We have several customers using AIP in TS and Citrix environments. It works and is supported, but there are some restrictions customers have identified; I include their observations below:

Azure Information Protection in VDI deployments

Background
Azure Information Protection (AIP) is an information protection software for labeling and protection of classified files, based on a central policy. This is a description of what to consider when deploying AIP in virtualized or remotely accessed environments (such as RDP). AIP runs and is supported on virtual environments with no specific requirements by default.

AIP client software components
The AIP client software is composed of Office add-ons for Word, Excel, PowerPoint and Outlook, an OS shell extension (providing a right-click context menu), the AIP viewer and PowerShell modules. All software components are included in the AIP client software package. For installation instructions for the AIP client, refer to the AIP Administrator guide.

AIP Configuration
AIP configuration is retrieved along with the client policy and stored in %localAppData%/Microsoft/MSIP and %localAppData%/Microsoft/MSIPC. In a non-persistent VDI, the implication is a few seconds' delay on the first run, in which AIP retrieves the configuration and sets all requirements for normal operation; as long as the user is already logged in to Office 365, no user interaction is required.

AIP activity logs
AIP activity logs are stored under %localAppData%/Microsoft/MSIP/Logs and %localAppData%/Microsoft/MSIPC/Logs under the user profile, and in the Windows event logs. If you are required to store the logs between reboots, make sure you can store the user profile in a persistent. The activity logs are also collected under the Windows event log. Logs are also collected in Azure Log Analytics, which makes them independent of the client machine.

Persistent vs non-persistent VDI
If you are running persistent VMs, AIP should just work, as on any normal workstation, and all controls and configurations are valid. If you are running in a non-persistent environment you can still run AIP, as the client refreshes its policy on every login. However, there are a few recommendations that can minimize the configuration updates required during login to the VDI:
Distribute the policy in your VDI image.
Update registry changes using GPO to make sure they are applied at login time.
If your VDI infrastructure permits, keep the following locations persistent:
%localAppData%/Microsoft/MSIP
%localAppData%/Microsoft/MSIPC

Re: Track and revoke - delay in displaying documents in document tracking site?
invalidbit There is already a limited ability to "track" unprotected content in the AIP analytics portal. There's an intent to extend that so it supports more scenarios associated with tracking, including tracking access to content by external users. But anything we do will be very limited, since by definition no assurances can be made about access to unprotected content. If it is unprotected it can be opened offline without limitations, moved in the shadows and passed around without notice, so any "tracking" will be a best effort.

Re: Sensitivity Labels without assigned permissions
Patrick Steiner In the short term, once User Defined Protection is available in Unified Labeling, a user should be able to select a label with that option and then choose the "Only me" option in the permissions dialog. This is being worked on. This is slightly different from a label with admin-defined permissions that only grants permissions to the owner, since it requires two more clicks for the user, but it achieves the same result.

Patrick Steiner wrote:
Hi together
When configuring AIP labels in Azure Information Protection, it has been possible not to select any users and select OK on this blade, followed by Save on the Label blade. The label is configured to apply protection such that only the person who applies the label can open the document or email with no restrictions, which is a use case at a customer. When configuring a sensitivity (universal) label in the Security & Compliance Admin Center, this seems not to be possible. As soon as you choose "Encryption", you kind of have to assign at least one permission to be able to save the label. Is therefore the above "Use Case" not possible anymore with Sensitivity Labels? Or am I missing something?