Monthly Archives: December 2019

Document Protection with Azure Information Protection Ad-hoc permissions

Document protection is a key step in meeting an organization's security standards and policies. With AIP, we can achieve this either by defining policies globally or by letting document owners set custom permissions.

User-defined permissions with the label:

Steps to configure in AIP

Navigate to Azure Portal

Search for the Azure Information Protection service and select the label for which we want to configure user-defined permissions.

In this case, I selected the ‘Restricted’ label and, under the protection settings, chose ‘set user-defined permissions’ as the protection action type. Save the policy after making the configuration changes.

 


Test the functionality:

Open any Office application and select the ‘Restricted’ label. A prompt for user-defined permissions appears.


Similarly, open a new email in Outlook and select the label ‘Restricted’. The moment you select the label, Do Not Forward protection is applied to the email.


Global Policies in AIP for Document Protection:

Unlike the custom permissions, global policies are mapped to the labels defined in the taxonomy. These configurations provide different protection settings, with the option of different user roles for different groups/domains.

This way, we can impose rights restrictions based on the recipient's domain. In this scenario, I am configuring the protection settings so that the co-owner role is assigned to my domain and the viewer role is assigned to external domains like Gmail and Yahoo. That way, if I send any attachment labelled ‘Restricted’, all members within my organization can read/write/edit it, authenticated users (in O365) can review it, and users in Gmail and Yahoo can only view it.
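The same domain-based grants can also be expressed as a protection template from PowerShell with the AIPService module, which makes them easy to read back and review. This is an added example, not part of the original post, and it takes a different route from the portal steps above. `contoso.com` and the template name are placeholders, the viewer grant is narrowed to view-only rights, and the authenticated-users reviewer grant is left out.

```powershell
# Added example, not from the original post. Requires the AIPService module
# and an account allowed to administer the protection service.
Import-Module AIPService
Connect-AipService

# Assumption: contoso.com is a placeholder for the organization's own domain.
$internalDomain  = 'contoso.com'
$externalDomains = 'gmail.com', 'yahoo.com'

# Co-owner for the internal domain: OWNER is the full-control usage right.
$rights = @(New-AipServiceRightsDefinition -DomainName $internalDomain -Rights 'OWNER')

# View-only for each external domain (VIEWRIGHTSDATA lets the user see
# which permissions they hold; no edit, print, copy or forward).
foreach ($domain in $externalDomains) {
    $rights += New-AipServiceRightsDefinition -DomainName $domain -Rights 'VIEW', 'VIEWRIGHTSDATA'
}

# Template name and description are keyed by locale ID (1033 = en-US).
$names        = @{ 1033 = 'Restricted - domain based (example)' }
$descriptions = @{ 1033 = 'Co-owner for internal users, view-only for Gmail and Yahoo' }

# Remember existing templates so the new one can be identified afterwards.
$existingIds = @((Get-AipServiceTemplate).TemplateId)

# Create the template as Archived so it can be reviewed before publishing.
Add-AipServiceTemplate -Names $names -Descriptions $descriptions -RightsDefinitions $rights -Status Archived

# Read the grants back and confirm no external domain received more than view.
Get-AipServiceTemplate |
    Where-Object { $_.TemplateId -notin $existingIds } |
    ForEach-Object { Get-AipServiceTemplateProperty -TemplateId $_.TemplateId -RightsDefinitions }
```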


Test the Functionality:

Label a Word document as ‘Restricted’.


Attaching to an email: we see a recommendation to classify the email as ‘Restricted’ too.

I am sending it to a user within my domain and to a user in Gmail.
