Document Protection with Azure Information Protection Ad-hoc permissions

Document protection is a key step in achieving the security standards and policies in an Organization. We can achieve this with AIP by defining policies globally or by giving custom permissions to the document owners.

User Defined Permissions with the label :

Steps to configure in AIP

Navigate to Azure Portal

Search for Azure Information Protection Service and select the label in which we want to configure the user defined permission.

In this case, I selected the ‘Restricted’ label and under protection settings, select the protection action type as ‘set user-defined permissions’. Save the policy after the configuration changes.



Test the functionality:

Open any office application and select the label ‘Restricted’. We see the below prompt for user-defined permissions


Similarly, open a new email in Outlook and select the label ‘Restricted’. The moment you select the label, Do Not Forward protection is applied to the email.


Global Policies in AIP for Document Protection:

unlike the custom permissions, we can configure global policies which are mapped to the labels defined as per the taxonomy. These configurations, gives different protection settings with the option of different user roles for different Groups/Domains

This way, we can impose rights restrictions, based on the recipients domain. In this scenario, I am configuring protection settings in such a way that co-owner role will be assigned to my domain and viewer role will be assigned to external domains like Gmail and yahoo. That way, if I send any attachment which is labelled as ‘Restricted’ , all members within my Organization can read/write/edit, authenticated users  (in O365) can review it  and users in Gmail and Yahoo can only just view


Test the Functionality:

Label a word document to ‘Restricted’.


Attaching to an Email: We see that recommendation to classify an email too as ‘Restricted’

I am sending it to an user within my domain and to an user in Gmail and we can see the prompt from the policy.








Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s