Document Protection with Azure Information Protection Ad-hoc permissions

Document protection is a key step in achieving the security standards and policies in an Organization. We can achieve this with AIP by defining policies globally or by giving custom permissions to the document owners.

User Defined Permissions with the label :

Steps to configure in AIP

Navigate to Azure Portal

Search for Azure Information Protection Service and select the label in which we want to configure the user defined permission.

In this case, I selected the ‘Restricted’ label and under protection settings, select the protection action type as ‘set user-defined permissions’. Save the policy after the configuration changes.



Test the functionality:

Open any office application and select the label ‘Restricted’. We see the below prompt for user-defined permissions


Similarly, open a new email in Outlook and select the label ‘Restricted’. The moment you select the label, Do Not Forward protection is applied to the email.


Global Policies in AIP for Document Protection:

unlike the custom permissions, we can configure global policies which are mapped to the labels defined as per the taxonomy. These configurations, gives different protection settings with the option of different user roles for different Groups/Domains

This way, we can impose rights restrictions, based on the recipients domain. In this scenario, I am configuring protection settings in such a way that co-owner role will be assigned to my domain and viewer role will be assigned to external domains like Gmail and yahoo. That way, if I send any attachment which is labelled as ‘Restricted’ , all members within my Organization can read/write/edit, authenticated users  (in O365) can review it  and users in Gmail and Yahoo can only just view


Test the Functionality:

Label a word document to ‘Restricted’.


Attaching to an Email: We see that recommendation to classify an email too as ‘Restricted’

I am sending it to an user within my domain and to an user in Gmail and we can see the prompt from the policy.







Sponsored Post Learn from the experts: Create a successful blog with our brand new courseThe Blog is excited to announce our newest offering: a course just for beginning bloggers where you’ll learn everything you need to know about blogging from the most trusted experts in the industry. We have helped millions of blogs get up and running, we know what works, and we want you to to know everything we know. This course provides all the fundamental skills and inspiration you need to get your blog started, an interactive community forum, and content updated annually.

Creating Classification Labels and Policies in Azure Information Protection

Information Rights Management is a subset of Digital Rights Management technologies which prevents sensitive information from the risk of accidental, unauthorized modification, deletion and misuse

Azure Information Protection ( AIP ) is a Service offered by Microsoft which gives the features and functionalities of Information Rights Management. With AIP, an organization can classify, label  and protect the sensitive information, which enables them to  have visibility over the different types of Sensitive data across the locations

Steps to Configure Policies in Azure Portal

Before we configure the Global polices, it is always recommended to get the Taxonomy crisp and clear. Do not create too many labels and sub-labels

Here in this example, I am keeping the taxonomy straight forward

Restricted – For highly sensitive content

Confidential – For Sensitive content

Internal – For the content within the Organization

Public – For all other content

Steps to configure Labels and Policies in Azure Portal 

Login to Azure Portal 

Search for Azure Information Protection



Add new label 


Give a name to the label and add description. Navigate to Protect and add the users/members for consuming the permissions

Protection Settings: Select Azure Key/HYOK  as per the organization structure, give file expiration settings and add permissions based on the AD group or individual recipient addresses. Set the permissions(co-owner, co-author, reviewer, viewer etc.) as appropriate



I created four labels as Internal, Public, Confidential & Restricted



Create a policy to map this label

Select the policies under classifications and hit on ‘ Add a new Policy’


Give a name to the policy and select the label from the drop down list to which this policy to be applied.


Now, as we created labels and polices in Azure portal, let us verify if these are getting reflected in the clients machines.

Prerequisites for installing AIP Agent in Clients:

  1. Azure Active Directory : Make sure the on-premise identities are in sync with Azure identities. Azure AD Connect is used to sync the identities. If the users are in O365, they can directly download the office apps from
  2. Supported client platforms: Windows 7 (SP1), Windows 8, Windows8.1, Windows10 with .Net Framework 4.6.2
  3. Office Applications: Office 365 Pro plus, Office Professional Plus  2019/2016/2013(SP1)/2010(SP2)
  4. Connectivity to Azure Services over internet: Make sure that the URL’s are allowed and necessary ports are open as per Network Prerequisites
  5. Download AIP client from here


Installing AIP client





Sign into Office apps with the Organization account which is enabled with AIP License and as you open them, you see the labels appearing in the apps






Now, the labels when selected, the policies configured for each label will be applied to the content and the sender of the email or author of the document will have visibility on the content life cycle











Load Balancing SCOM sdk service with Microsoft NLB Cluster

In SCOM, High Availability can be achieved at Management Server, Gateway Server and Agent level. If we drill down further more, we can even find ways to configure HA for SCOM console for uninterrupted monitoring

The sdk clients which connect to SCOM console can be made continuously available with Network Load Balancing. So, even in case of Management Server failure, the SCOM console will be operational

The SCOM Operations Console connections can be Highly available with Microsoft Network Load Balancing ( NLB ) , or using hardware Load Balancers or DNS aliases.

In this demo, I have chosen to use Microsoft Network Load Balancing



  1. Assign Static IP address instead of DHCP  to the SCOM Management Servers
  2. Microsoft Network Load Balancing feature to be enabled in the Management Servers
  3. Create NLB Cluster
  4. Add Nodes to the  Cluster
  5. Add cluster DNS-record to DNS zone


Primary Management Server:

Secondary Management Server:

Enable Microsoft Network Load Balancing Feature in both the Management Servers






After successful installation of NLB feature, open Network Load Balancing Manager from Administrative Tools and create NLB Cluster


Add Primary Management Server as Host



Give Cluster IP address


Give a Name to the Cluster




Connect Host to Cluster

Add Secondary Management Server to the Cluster





Add Cluster DNS records to DNS-Zone in DNS Server

Login to the DNS Server

Create “A” record for the Cluster





Access SCOM Console with NLB Name



Now, we see that SCOM Console is operational with the NLB Cluster Name


Test the Functionality:

To test this functionality, I have stopped the Data Access Service in Secondary Management Server. This SDK Service is the core for accessing the SCOM console

SCOM console is connected to


Let us stop the SDK Service



We can see that the SCOM Console is still operational





Installing Root Certificate Authority and Creating SCOM Template

System Center Operations Manager can manage the domain joined servers/machines using the default Kerberos protocol when the port 5723 is open. The machines which are not joined to the domain ( workgroup computers ) or the ones which are in a domain which doesn’t trust  Ops Manager can be managed by importing certificates in both Gateway/Management Server and the client machine

This blog features the configuration of Certificate Authority role and creating Certificate Template

CA Server :

Login to the Active Directory Server as a domain Admin and configure the CA role

Navigate to Server manager and select add roles and features

Select Active Directory Certificate Services role


Select Certificate Authority, Certificate Enrollment Web Service, Certification Authority Web Enrollment.


Specify credentials to configure AD CS Role




Select Enterprise CA


Specify the CA type as Root CA



Select the option create a new private key



Select the default options for Cryptiographic provider and Key Length and select SHA256 as hash algorithm


Specify the name to the Certificate Authority


Specify the validity period as per the Company Policy


Choose the  default database locations


verify the selected options




Configure the additional role services


Specify credentials to configure role services




Select the authentication type as windows integrated authentication


Specify the service account for CES




Select Certificate Authority from the Tools menu in Server Manager


Click on Certificate Templates and select Manage


Select the template Ipsec Offline request and select duplicate template


Leave the compatibility tab to default

Give the appropriate Template Name under general Tab

Select the validity period as per the Security Policy


Under Request Handling, check Allow Private Key to be exported


Under Cryptography Select as Providers Microsoft RSA SChannel Cryptographic Provider and Microsoft Enhanced Cryptographic Provider v 1.0



Navigate to Extensions tab and select Application Policies , click edit and select


Select Client Authentication and Server Authentication


Navigate to security tab, select Authenticated users and click on Add


Select Object types as computers


Search for  SCOM Management Servers


Grant Read and Enroll permissions to the Management Servers


Go back to the Certificate Authority Console, Select Certificate Template, Click on New Certificate Template to Issue


Select the Template which was created before


Launch https://ad/certsrv (https://adservername/Certsrv) from Management Server and select advanced certificate request


The certificate Template should be visible here







System Center Operations Manager 2016 High Availability – Configuration

High Availability is an important service for any application and it is highly recommended for a monitoring application. HA solution for a monitoring solution makes sure that the monitoring is always on and the service is available with out interruptions.

From System Center 2012, HA is made easier with the concept of Resource pool, where each member of the pool will synchronize the SQL data and make themselves available during a failure and the same principle applies in System Center 2016 too

Scenarios of HA in System Center Operations Manager

  1. Agent Server fail over to a Management Server from  Resource Pool
  2. Gateway Server Failover to Management Server
  3. Gateway Agent ( domain joined ) Failover
  4. Gateway Agent ( Work-group ) Failover

In order to test this fail-over functionality, I have configured the below servers in my Lab

  • Domain:
  • SCOM Primary Management Server :
  • SCOM Secondary Management Server:
  • Gateway Server 1 :
  • Gateway Server 2 :
  • Domain joined Client Server :
  • Workgroup Computer : Client
  1. Agent Server fail-over to Management Server from a Resource Pool

In this scenario, the agent servers will be reporting to Management Server Resource pool and when one  Management server goes down, the agents reporting to that will fail-over to the other Management Server available in the pool

Test Fail-over


Primary Management Server:

Failover Management Server :

Client Server:





Shutdown the Management Server to test the agent failover


SCOM2 showing grey in SCOM console



Event Logs from SCOM2016.kartik.com4


Logs from


Logs from


Logs from

Here, we see that the server successfully failed over to

9 showing healthy in SCOM console



2. Gateway Server Fail-over

Gateway Server:

Primary Management Server:

Failover Management Server:



  • Powershell Commands to configure Gateway Server failover


$primaryMS = Get-SCOMManagementServer –Name “”

$failoverMS = Get-SCOMManagementServer –Name “”

$gatewayMS = Get-SCOMGatewayManagementServer –Name “”

Set-SCOMParentManagementServer –Gateway $gatewayMS –PrimaryServer $primaryMS

Set-SCOMParentManagementServer –Gateway $gatewayMS –FailoverServer $failoverMS


Powershell Commands to verify Gateway Server Fail-over 

$GWs = Get-SCOMManagementServer | where {$_.IsGateway -eq $true}

$GWs | sort | foreach {

       Write-Host “”;

       “Gateway MS    :: ” + $_.Name;

       “–Primary MS  :: ” + ($_.GetPrimaryManagementServer()).ComputerName;

       $failoverServers = $_.getFailoverManagementServers();

       foreach ($managementServer in $failoverServers) {

              “–Failover MS :: ” + ($managementServer.ComputerName);



Write-Host “”;


Verify Gateway Server Fail-Over

Shutdown the primary management Server

Logs from


Event generated in SCOM console for


Logs from saying that it is successfully failed over to

18 showing healthy in SCOM console



3. Gateway Agent ( domain-joined ) failover


Primary Gateway Management Server:

Failover Gateway Management Server: 20 reporting to Gateway



Powershell commands to configure Gateway Agent failover

$primaryMS = Get-SCOMManagementServer | where {$_.Name –eq ‘’} 
$failoverMS = Get-SCOMManagementServer | where {$_.Name –eq ‘’} 
$agent = Get-SCOMAgent | where {$_.PrimaryManagementServerName -eq ‘’} 
Set-SCOMParentManagementServer -Agent: $agent -PrimaryServer: $primaryMS 
Set-SCOMParentManagementServer -Agent: $agent -FailoverServer: $failoverMS


Powershell commands to verify Gateway Agent failover


$Agents = Get-SCOMAgent | where {$_.PrimaryManagementServerName -eq ‘Server1.Kartik.COM’} 
$Agents | sort | foreach { 
Write-Host “”; 
“Agent :: ” + $_.Name; 
“–Primary MS :: ” + ($_.GetPrimaryManagementServer()).ComputerName; 
$failoverServers = $_.getFailoverManagementServers(); 
foreach ($managementServer in $failoverServers) { 
“–Failover MS :: ” + ($managementServer.ComputerName); 

Write-Host “”;



Event generated in SCOM console for


Event Log from Management Server

25.png successfully failed over to other gateway server

Event log generated in

26.png showing healthy in scom console


4. Gateway Agent ( workgroup ) failover

Workgroup computer:

Primary Gateway Management Server:

Failover Gateway Management Server:


Note: For the workgroup computer to failover , the certificate used for client authentication should be imported into personal store of failover Gateway Management Server too

Workgroup client reporting to the gateway


Certificates imported in personal store of both the Gateway Servers and


Powershell commands to verify Gateway Agent failover




Event logs generated from Management Server


Event Log generated in workgroup computer for successful failover