Tag Archives: Azure Information Protection

Dynamic enforcement of protection controls for different recipients with Azure Information Protection

In any data protection service, end-user adoption is essential to meeting the compliance goals of the organization. It is therefore important to choose a solution or service that does not disturb the end-user workflow and that provides a rich set of automated controls enforced by the rights management service.

Automatically enforcing policy controls on sensitive information in documents and emails gives the organization complete control over the data being shared with different recipients, because the controls are applied on the fly without the user's interaction and therefore without interfering with the user's productivity.

A little effort is still needed before enabling these policies: information has to be gathered on the type of restrictions the organization intends to enforce for other domains and partners.

Business use case: an email and its attachment are sensitive to the organization. They are being sent to the different recipients listed below, and we have to mitigate the risk of data leakage.

1. Same department within the organization – HR as an example

2. External domains – Gmail

3. Different department within the organization – Finance as an example

4. Any other domain/user which is not part of the above three – Yahoo as an example

Now, my rights management service should not interfere with the user's workflow, and it should apply protection differently for different recipients. When the document and email are received by a user in the same department, he/she should have full control (read, write, print, reply, forward). When received by a user in a different department of the same organization, he/she should have limited controls (read, print, save). When received by external parties/vendors using Gmail, he/she should have all controls except print and save. When received by Yahoo users, he/she should not be authorized to open the email or its content at all.

All these controls have to be applied on the fly without the sender's interaction, which minimizes the user-adoption challenges of a rights management service. Ideally, the controls should be applied automatically as per the table below.

Now, let's get started by configuring policies in the Azure portal. I am not going into detail on creating labels and enabling them with protection; if you want to know how to reach this step, check my previous blog.

So, basically I am defining controls and permissions for different recipients and mapping them to the label "Confidential". I am giving access permissions to the HR group, the Finance group and the Gmail domain. So, if I send an email to any user in my organization other than HR and Finance, or to any external domain other than Gmail, the rights management service will not authorize them.
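The same recipient-to-rights mapping expressed as an AIP protection template with the AIPService PowerShell module, added here as an example; it is not part of the original post, which builds the label protection in the Azure portal. The group addresses and the use of a bare domain for Gmail are assumptions, as is the mapping of the post's "write" and "save" onto the DOCEDIT and EDIT usage rights.

```powershell
# Added example: publish a "Confidential" protection template whose rights depend on the recipient.
# Assumed names: hr@contoso.example and finance@contoso.example are mail-enabled groups;
# gmail.com is assumed to be accepted as a domain entry (the post grants the Gmail domain in the portal).
Import-Module AIPService
Connect-AipService   # interactive sign-in to the tenant

# Same department (HR): full control - read, write (DOCEDIT + EDIT), print, copy, reply, forward.
$hr = New-AipServiceRightsDefinition -EmailAddress 'hr@contoso.example' `
    -Rights 'VIEW', 'DOCEDIT', 'EDIT', 'PRINT', 'EXTRACT', 'REPLY', 'REPLYALL', 'FORWARD'

# Different department (Finance): read, print and save only ("save" mapped to EDIT; assumption).
$finance = New-AipServiceRightsDefinition -EmailAddress 'finance@contoso.example' `
    -Rights 'VIEW', 'PRINT', 'EDIT'

# External Gmail recipients: everything except print and save (PRINT, EDIT and EXPORT omitted).
$gmail = New-AipServiceRightsDefinition -EmailAddress 'gmail.com' `
    -Rights 'VIEW', 'DOCEDIT', 'EXTRACT', 'REPLY', 'REPLYALL', 'FORWARD'

# Yahoo users and anyone else have no entry in the template, so the service denies them by default.
Add-AipServiceTemplate -Names @{ 1033 = 'Confidential' } `
    -Descriptions @{ 1033 = 'Confidential: rights vary by recipient department and domain' } `
    -RightsDefinitions $hr, $finance, $gmail `
    -Status Published

# Review the published templates and confirm the three rights definitions before mapping
# the template to the Confidential label.
Get-AipServiceTemplate | Format-List Names, Status, RightsDefinitions
```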

Now, let me classify a PDF as Confidential. I intentionally took a PDF file instead of an MS Office document, as I want to check its native rights management capabilities.

As PDF does not support native labelling in AIP, I selected the file and manually chose Classify and protect.

I selected the label Confidential so that the protection controls are applied to the PDF file.

Now, I am attaching this PDF to an email which is also classified as Confidential (for the email's own protection controls), and sending it to the HR and Finance departments within my organization and to Yahoo and Gmail recipients, who are external to my organization.

Now let's check whether the policies are applied automatically, on the fly, and differently for each recipient.

First, let me compare the users within the organization: HR and Finance.

Email restrictions:

Document Restrictions:

I intentionally took a PDF as the reference to show you that it prompts for the AIP viewer to consume the protected file. As expected, it asks us to download the Microsoft Azure Information Protection viewer application. It can be downloaded from the Play Store for Android and the App Store for iOS.

For desktop clients, the AIP agent can be downloaded from here.

After installing the AIP viewer, try opening the PDF with it.

Now, let's compare the email and document permissions for Gmail and Yahoo recipients.


Consuming AIP (Azure Information Protection) protected documents by different recipients

Document protection is an important aspect of data protection and security; it empowers users to control sensitive content that is shared across enterprises.

With the enforcement of the General Data Protection Regulation (GDPR) and other regulations in different regions, it is mandatory to have control and visibility of sensitive information across boundaries and to be data compliant. An Information Rights Management service gives enterprises rich tool sets and functionality to comply with the different data protection regulations and laws. Azure Information Protection, a SaaS offering from Microsoft, provides rich functionality and tool sets to achieve data protection goals.

With Azure Information Protection, we can enable email and document protection with customized controls that restrict the recipient's functionality and capabilities. For details on the consumption of AIP-protected email by different recipients, please refer to my previous blog.

With any rights management service, as the protection travels with the file, it is essential to educate the different recipients and create an adoption plan for them. This helps them consume protected documents seamlessly across different platforms.

Below is a list of some scenarios considered for consuming rights-management-protected documents with AIP.

Scenario-1: Office 365 to Office 365

In this scenario, both the sender and the recipient are hosted in Office 365. Let us see the consumption workflow.

Outlook: Seamless with MS Office documents. For other formats like PDF, which are not natively supported, the Azure Information Protection client has to be installed.

The AIP client can be installed from here.

Outlook Web Access: As encrypted documents cannot be consumed with browser-based apps, it will prompt to download the document.

Mobile: Seamless with MS Office documents. For other formats, the AIP mobile client has to be installed; it is available from the Google Play Store or the Apple App Store.

Scenario-2: External domains: Yahoo/Gmail

When Gmail or Yahoo Mail is accessed using a browser, it will prompt to download the encrypted document to the local machine. The protected document can be consumed once the AIP agent is installed.

When Yahoo/Gmail is configured on a mobile device, protected documents can be consumed seamlessly with the MS Office apps. For other formats, the AIP mobile client has to be installed; it can be downloaded from the Play Store (Android) or the App Store (iOS).

Scenario-3: On-premises Exchange: Seamless when the AIP client is installed

When the recipient is an on-premises Exchange user, he/she has to install the AIP client to consume the encrypted document.

The AIP client can be downloaded from here.

Outlook Web Access: As encrypted documents cannot be consumed with browser-based apps, it will prompt to download the document.

Scenario-4: SharePoint Online – Seamless for MS Office files

When the protected document is uploaded to SharePoint, authorized recipients can access MS Office documents seamlessly using the SharePoint Online portal, as it is integrated with the AIP service.

For other formats like PDF, recipients have to download the file to the local machine and consume it with the AIP client.

Scenario-5: OneDrive for Business – Seamless with MS Office files

When the protected document is uploaded to OneDrive for Business, authorized recipients can access MS Office files seamlessly, as OneDrive for Business is integrated with the AIP service.

For other file formats like PDF, the recipient has to download the document to the local machine and consume it with the AIP client.


February 3, 2020

Configuring super-user role in Azure Information Protection

Rights management solutions revolve around protection: encrypting and decrypting content. Each document being protected is issued a unique content key (private key), each organization is issued a tenant key (public key), and authorization of the appropriate recipients happens with these keys. There are certain scenarios where authorized account(s) have to be given privileges to decrypt any content, for the reasons below:

  1. The owner of the protected content leaves the organization
  2. Integration with other data protection technologies like DLP (content analysis) and Exchange (email searches) that need to decrypt protected content
  3. Bulk decryption as part of legal and compliance requirements
  4. Decrypting the content during an exit plan

Considering these scenarios, Azure Information Protection (AIP) gives an option to configure an account, the super user, which has complete access to any protected content.

Steps to configure the super user role in AIP:

Create a user account and add it to the Global admin group.


Create a sample spreadsheet and restrict access to the owner only.

Spreadsheet protected rights

Send the spreadsheet to the super user.

Sending email to superuser

As the super user role is not yet configured in AIP, the spreadsheet cannot be viewed or opened.

Not able to open the file attachment

Configure the super user role

The AIP PowerShell module can be installed and imported with the commands below. Then connect to the AIP service using the connect cmdlet; this will take you to the organization's sign-in page for authentication.

Install-Module AIPService

Import-Module AIPService



Configure the super user role:

Add-AipServiceSuperUser -EmailAddress "<email address of the super user account>"

PowerShell to configure the super user role in AIP

Enable the super user feature by executing Enable-AipServiceSuperUserFeature

Check if the super user feature is enabled.
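The configuration steps above gathered into one PowerShell session, added here as a worked example (these are not the post's own commands): it records the feature state before changing it, verifies that the account was actually added, and exports the admin log so the change is auditable. The super user address is a placeholder.

```powershell
# Added example: configure, verify and audit the AIP super user in one session.
# Placeholder address; replace with the account created in the Global admin group step.
$superUser = 'aip-superuser@contoso.example'

Install-Module -Name AIPService -Scope CurrentUser   # one-time installation on the admin workstation
Import-Module AIPService
Connect-AipService                                    # opens the organization's sign-in page

# The feature is disabled by default; capture the state before changing it.
$stateBefore = Get-AipServiceSuperUserFeature
Write-Host "Super user feature before: $stateBefore"
if ("$stateBefore" -ne 'Enabled') {
    Enable-AipServiceSuperUserFeature
}

# Add the account, then confirm it is listed rather than assuming the cmdlet succeeded.
Add-AipServiceSuperUser -EmailAddress $superUser
$listed = @(Get-AipServiceSuperUser)
if ($listed -notcontains $superUser) {
    throw "Super user $superUser was not added"
}
Write-Host "Super user feature now: $(Get-AipServiceSuperUserFeature)"
Write-Host "Super users: $($listed -join ', ')"

# Export the admin log so the enable/add operations above are on record for auditing.
$log = Join-Path $env:TEMP 'aip-admin-log.txt'
Get-AipServiceAdminLog -Path $log -FromTime (Get-Date).AddDays(-1)
Get-Content $log | Select-Object -Last 10

# Keep the feature enabled only for as long as the decryption task requires it:
# Disable-AipServiceSuperUserFeature
```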



Now, check access to the restricted spreadsheet that was shared earlier. As we can see, the super user account is now able to open the spreadsheet, which is restricted to the owner only.

Super user opening the restricted spreadsheet

Additional permissions mapped to the super user:

These additional permissions give the option to remove or change permissions on restricted documents, thus unlocking them for further use and sharing.

Additional permissions granted to the super user

Auditing Super User Activity