Microsoft Tech Community

AAD Encryption question.


Hey Guys,

I am trying to better understand Azure RMS encryption and am reading through this page here: https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/what-is-azure-rms

The term I am not familiar with is:

"reasoning over data"

I have never heard of that before, and am hoping someone can provide additional explanation or detail.

I searched on Google and didn't find much.

Thanks,

Robert

3 Replies

It means the ability of different systems/components to access this data. A prime example is the Search Index in SharePoint Online: if you protect a document with RMS and upload it to SPO, the document will not be indexed and thus will not be discoverable. Other operations, such as being able to edit the document in the browser, will also not be possible.

The way I read this:

But very importantly, authorized people and services (such as search and indexing) can continue to read and inspect the protected data. This capability is not easily accomplished with other information protection solutions that use peer-to-peer encryption. You might have heard this capability referred to as "reasoning over data" and it is a crucial element in maintaining control of your organization’s data.

It means that when using Azure RMS ("reasoning over data") you can have third-party services like the SharePoint search indexer access the data?

Have I read that wrong? The page makes it sound like the Microsoft solution bypasses the problem (as described) of using symmetric encryption (and not being able to access the data, except by the user).

Robert

No, not exactly right. Exchange works fine with Azure RMS/AIP, but SharePoint only works in specific scenarios. You cannot upload an encrypted doc and expect it to just work, as in the example I gave above. You can, however, enable IRM protection on a per-library basis, with SPO managing the keys and having full access to the data.

And this is one of the major complaints about AIP currently: even Microsoft's own solutions have trouble working together with AIP in some cases. This should all get better once we have the unified labeling experience, or at least one can hope so.