
Azure Information Protection and Rights Management are now in one portal


Azure Information Protection and Azure Rights Management can now be configured from one central portal. Dan Plastina announced that this is in preview right now. This means that from now on we can configure Azure Information Protection and Azure Rights Management settings through the same portal on Not everything can be configured yet in the new preview, but before the end of July this year all configuration can be done at the new location. This is very cool from an administrative perspective.

But what are the possibilities now?

  • It is now possible to have a unified admin experience for Azure Information Protection through;
  • One place where all configuration for labels and all other settings including Rights Management can be done;
  • No need to create RMS templates first;
  • No need to be a Global Admin;
  • UI-based configuration options to protect content for:
    • anyone within your company (e.g.
    • anyone at another company (e.g.
    • a group of people at another company (e.g.

Administrative perspective

First we will look into the administrative perspective of these new possibilities. Go to the Azure Information Protection blade on When opening or creating a label we can enable protection in the section “Set permissions for documents and emails containing this label”. Select Protect and the Azure RMS settings will open. Previously it was only possible to assign an RMS template that had been created beforehand, but from now on it is possible to select “Custom (preview)” to set the security/encryption settings directly on the label.

When selecting “Custom (preview)” the settings blade opens. Three options are available:

  • Set user permissions (internal or external)
  • Content expiration
  • Offline Access

To add user permissions select “Add permissions” and a new blade with settings will open.

First we can add user permissions for the internal organization. We can add all members of the internal organization or select users or groups. NOTE: the groups must be mail-enabled.

After selecting the correct groups or users you can set the permissions, either with one of the predefined permission sets or as custom permissions.

It is also possible to add external users or domains to labels. To do this select the tab “Custom / External” and add a domain or a user's e-mail address.

The available permissions are the same as for internal users.

After setting up the users and their permissions you return to the main settings blade. There we set up the remaining two settings, Content Expiration and Offline Access.

Content Expiration can be set to “Never”, “By Days” or “By Date”, and Offline Access can be set to “Always”, “Never” or “By Days”.

After saving all this it is necessary to “Publish” the labels so the users can use them.

User perspective

After the administrative perspective it is now time to see the user perspective.

When the user opens, for example, a Word document and selects the new Azure Information Protection label, not only is a watermark applied but also the custom Azure RMS template.

When the label is applied we see that there are permissions active. These permissions are the permissions defined in the Template / Label.

Users who want to add extra permissions can select the Azure IP icon in the Ribbon. When selecting this icon the option “Custom Permissions” appears. With this option you have the ability to add custom permissions to a document.

Custom permissions on a document can be given based on a domain name, groups (mail-enabled) or users. An access expiration can also be set.
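To make the permission model of the last two sections concrete (the admin-defined entries on the label's “Add permissions” blade, the user-added custom permissions, content expiration and offline access), here is a small evaluator written for this post. It is an added illustration, not code from Azure Information Protection; the scope names, right names, domains and addresses are constructed, and the offline-access window is modelled simply as “must contact Azure RMS again after N days”.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# One row of the label's "Add permissions" blade (or of the client's "Custom
# Permissions" dialog). scope: "all_internal", "domain", "group" or "user".
@dataclass(frozen=True)
class PermissionEntry:
    scope: str
    value: str          # domain, mail-enabled group address or user address
    rights: frozenset   # constructed right names, e.g. {"view", "edit"}

@dataclass
class LabelProtection:
    internal_domain: str
    entries: tuple
    expires_on: Optional[date] = None   # Content expiration "By Date"; None = Never
    offline_days: Optional[int] = None  # Offline access "By Days"; None = Always

def _applies(e, user, user_domain, groups, internal_domain):
    if e.scope == "all_internal":
        return user_domain == internal_domain.lower()
    if e.scope == "domain":
        return e.value.lower() == user_domain
    if e.scope == "group":   # groups must be mail-enabled, so compare addresses
        return e.value.lower() in {g.lower() for g in groups}
    return e.scope == "user" and e.value.lower() == user.lower()

def effective_rights(prot, user, groups, today, last_online):
    """Return (rights, must_reconnect): the union of all matching entries (empty once
    the content has expired) and whether the offline-access window has passed."""
    if prot.expires_on is not None and today > prot.expires_on:
        return frozenset(), False
    user_domain = user.split("@", 1)[1].lower()
    rights = set()
    for e in prot.entries:
        if _applies(e, user, user_domain, groups, prot.internal_domain):
            rights |= e.rights
    must_reconnect = (prot.offline_days is not None
                      and (today - last_online).days > prot.offline_days)
    return frozenset(rights), must_reconnect

# Constructed label: everyone at contoso.example may view and edit, anyone at the
# partner domain may view, one partner group may also print, one named consultant
# may edit; content expires at the end of 2017 and may be used offline for 7 days.
SAMPLE = LabelProtection(
    internal_domain="contoso.example",
    entries=(
        PermissionEntry("all_internal", "", frozenset({"view", "edit"})),
        PermissionEntry("domain", "fabrikam.example", frozenset({"view"})),
        PermissionEntry("group", "partners@fabrikam.example", frozenset({"view", "print"})),
        PermissionEntry("user", "ann@fabrikam.example", frozenset({"view", "edit"})),
    ),
    expires_on=date(2017, 12, 31),
    offline_days=7,
)
```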


The merge of Azure RMS and Azure Information Protection into one portal is very exciting news. This means that administrators no longer have to use two different portals, and switching between the portals is not necessary anymore. This saves time and causes fewer errors during configuration. The Azure Information Protection team did a great job to make this possible.

Till next time!!

Group based assignment of Azure Information Protection Labels


At the beginning of February the December preview updates to the Azure Information Protection environment were brought to General Availability. Dan Plastina announced this in a post on the Enterprise Mobility Blog. The following updates were announced:

  • Scoped Policies so you can make labels available to users based on group membership
  • A new, unified Windows client that combines the RMS Sharing app features into the Azure Information Protection client
  • An updated viewer for protected files, including protected PDFs downloaded from SharePoint
  • Manual (right-click) labeling and protection for non-Office files
  • Bulk classification and labeling for data at rest using PowerShell

I will give you a quick tour of Scoped Policies (labels) and show you how this works.

First we have a Global Policy with labels that are linked to all users in the environment. All default labels are created in this policy. Until now this was the only way to deliver labels to users. With Scoped Policies it becomes possible to define a set of Azure Information Protection labels and link it to an Azure AD group. With this the HRM users can have different labels than Management, Sales or other groups of users.

But how do we set this up?

To configure the Azure Information Protection Labels we have to go to the Azure Portal and open the blade for “Azure Information Protection”.

In this blade section there is an overview of all policies created in the environment. To modify a current policy, select the one that has to be modified; to add a new policy with a set of labels, select “Add a new policy”. First we will look at the Global Policy, so we select it.

When this policy is opened we can see that the default labels are created in this policy. These labels are shown to every user in the organization. In this policy we are unable to link it to a user or group (grayed out) because this is the default policy. But we do have the possibility to change the defaults for the “default label” or the justification settings.

After setting up the defaults in the “Global” Policy select the “Add a new policy”, on the left side, in the menu.

Now we can set up a new policy. Give the policy a name and select the option “Select which users/groups get this policy”. A new blade will open in which we can select the users or groups who need this set of labels. After selecting the correct users/groups for this policy, select “Add a new label” to create a new label. The whole process of creating a new label is described in a previous post.

When configuring this label the options for adding encryption have been renewed. It is now possible to choose “Not configured”, “Protect” or “Remove Protection”. When selecting “Protect” we have the ability to select a Rights Management (RMS) template. Select “Protection” and a new blade section will open.

In this section we have the ability to select an RMS template or to select “Do not forward”. The “Do not forward” option is meant especially for mail templates: a mail message can be sent and the receiver will not be able to forward it.

In this section we also have the ability to select “HYOK (AD RMS)”, which gives us the opportunity to connect an on-premises RMS environment to Azure Information Protection.

For now we have created a normal label with an Azure RMS template and saved it.

In the overview of the newly created policy we see the new label. Look at the third column and we see the difference between the three default labels, which come from the “Global” policy, and the new one, which is attached to the newly created policy.

To publish all new created policies and labels we have to “Publish” the environment to the users. 

There is also the option to edit the labels across policies. To do this select the “Cross policy editor” button.

Now it is possible to see all labels across policies. In this view we can see the prioritization of the labels.


This new feature gives us the ability to distribute labels to users or groups, so end users will only see the labels that they need. It gives customers more flexibility to deliver the correct labels to everyone in the organization.

Cloud App Security integration with Azure Information Protection


Last October I wrote a blog post about Azure Information Protection and how to set it up, so we can use Azure Information Protection to secure documents. But if we have a document that is labeled with a secure or confidential label, we may not want the user to share it outside the company. The question is whether we can detect this and possibly undo it. The answer is YES we CAN.

In November there was an update of Azure Information Protection and Cloud App Security that gave the two some integration. These two solutions are combined to “Extend control over your data to the cloud”. The announcement for this update was done by Dan Plastina in this blog. With the integration of Cloud App Security and Azure Information Protection it is now possible to secure your data when it leaves the company. In this blog post I will guide you through the configuration and show you the results of this integration.

The situation is as follows: a user creates a secure document, protected by Azure Information Protection, and shares it externally through a link. In this way there is no control over who has access to this document. Cloud App Security will disable the share on this document, put it in quarantine and send a message to the owner of the document.

Cloud App Security configuration

First we have to set up the Cloud App Security environment to get the information from Office 365, OneDrive and SharePoint Online. Go to the portal of Cloud App Security via and log on with a user that has appropriate rights to configure the environment. After logging on to the portal the following dashboard is shown.

Under the tab “Investigate” we can add another app. The overview of connected apps shows the currently connected applications. You can see that OneDrive and SharePoint are connected. In this case we will use OneDrive to create and share a document.

We now have to enable the integration of Azure Information Protection with Cloud App Security. This can be done by going to the settings menu and selecting General Settings.

In the Azure security connectors section we enable the option “Automatically scan new files for Azure Information Protection classification labels”. This makes Cloud App Security scan all files for Azure Information Protection classification labels.

After enabling the integration we can create policies. We have created a new policy that checks documents with a specific Azure Information Protection label. We did this by going to “Control” and selecting “Policies”. After that we were able to create a new File Policy. We gave this policy the name “Files Shared – Block”. In this policy we created a filter based on two rules. The first rule is “Access level” equals “Public, Public (Internet) and External”. The second rule is “Classification Label” equals “Secure Inovativ – Very Secure”.

When a file matches both rules, what action must Cloud App Security trigger? This is the second part of the policy. We configured the same settings for both OneDrive and SharePoint:

  • Send policy match digest to file owner (a mail message will be sent to the owner)
  • Remove External Users (All shared members will be removed)
  • Put in user quarantine (the document will be moved to a quarantine folder)

User in action

Let’s see this in action.

We’ve logged in with a user named “Donald Duck” and opened Microsoft Word 2016 to create a new document. This document gets the label “Secure Inovativ – Very Secure”. This label only applies some visual markings; no Rights Management template is attached.

After creating the document we save it to OneDrive for Business with the name “This Secure Document”.

The document is not shared yet, so we share the document and create a link that we can distribute to any recipient.


The document is now marked as shared in OneDrive.

After some time we receive a mail message saying that there is a security notification from Cloud App Security: a document called “This secure Document.docx” has been blocked by a policy called “Files Shared – Block”.

When we look in OneDrive, a placeholder has been created for the document that says the document is in quarantine.

When opening the quarantine folder the document appears, but with an ID in front of the document name. Cloud App Security has placed the document in quarantine so the owner (me) can take action. The sharing link has also been removed from this document, so no external user can access the document anymore.

Admin in Action

When logging in to the Cloud App Security portal as an admin we can see the status of the files we used in OneDrive. To do so, go to “Investigate” and select “Files”.

In this overview we see that there are some markers on the file we created and shared publicly.

When clicking the document we can see that it is labeled with an Azure Information Protection label, that it matches a policy (red marker) and that it is in quarantine (grey marker).

For further investigation we open the policy “Files Shared – Block”. When opening the policy, the first tab shows all files that currently match. Here we can see that our document matches this rule and that it has been put in quarantine.

When looking at the second tab, called “History”, we see that our document was matched with this policy and some minutes later was unmatched. This is because Cloud App Security removed the public shared link, so the file no longer matches the policy. This applies only to the quarantined file.

In the above picture we can see that three actions were taken. When clicking on the actions we can see that all actions defined in the policy were carried out.

The three actions were: send a mail to the owner, put the file in quarantine and remove the sharing options.
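To show how the two-rule filter of “Files Shared – Block” and its three governance actions fit together, and why the History tab shows the file as matched and then unmatched, here is a small simulation written for this post. It is an added example and not Cloud App Security's own code; the file records, owner address, quarantine ID format and the assumption that removing the external members makes the file private are all constructed.

```python
from dataclasses import dataclass, field

# Filter values from the "Files Shared – Block" policy described above.
EXTERNAL_ACCESS = {"Public", "Public (Internet)", "External"}
TARGET_LABEL = "Secure Inovativ – Very Secure"

@dataclass
class FileRecord:
    name: str
    owner: str
    access_level: str       # Private, Internal, External, Public, Public (Internet)
    labels: tuple           # AIP labels found by the automatic label scan
    external_users: list = field(default_factory=list)
    quarantined: bool = False
    quarantine_name: str = ""

def policy_matches(f):
    """Rule 1 AND rule 2: shared beyond the tenant and carrying the target label."""
    return f.access_level in EXTERNAL_ACCESS and TARGET_LABEL in f.labels

def remediate(f, quarantine_id, notify):
    """Apply the three governance actions of the policy; returns the actions taken."""
    notify(f.owner, f"{f.name} blocked by policy 'Files Shared – Block'")
    f.external_users.clear()
    f.access_level = "Private"   # assumption: no link or external member is left
    f.quarantined = True
    f.quarantine_name = f"{quarantine_id} {f.name}"   # assumption: ID prefixed to name
    return ["send digest to owner", "remove external users", "put in user quarantine"]

def run_policy(files, quarantine_id="Q0001"):
    """One scan cycle. Returns (history, digests) where history holds
    (name, state before, actions, state after) for every matching file."""
    digests, history = [], []
    for f in files:
        if not policy_matches(f):
            continue
        actions = remediate(f, quarantine_id, lambda to, msg: digests.append((to, msg)))
        after = "matched" if policy_matches(f) else "unmatched"
        history.append((f.name, "matched", actions, after))
    return history, digests

# Constructed sample: the shared secure document from the post plus two files that
# must not match (one labeled but not shared, one shared but without the label).
SAMPLE_FILES = [
    FileRecord("This Secure Document.docx", "donald.duck@contoso.example", "Public",
               (TARGET_LABEL,), ["anyone with the link"]),
    FileRecord("Budget.xlsx", "donald.duck@contoso.example", "Internal", (TARGET_LABEL,)),
    FileRecord("Newsletter.docx", "daisy@contoso.example", "Public (Internet)", ("General",)),
]
```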


In this blog post I’ve shown you how the integration between Cloud App Security and Azure Information Protection can be used to secure your data when it is shared externally. There are many ways to use Cloud App Security, with or without Azure Information Protection, to secure your environment, but this one can help your organization secure its data once it has been shared.

See you next time.

First Experience with Azure Information Protection


Last week I had the pleasure of getting some hands-on experience with Azure Information Protection (Azure IP). Azure IP is now in Public Preview, as Dan Plastina announced in his blog. Azure IP is based on two technologies: Azure Rights Management Service (Azure RMS) and the acquisition of Secure Islands. With the acquisition of Secure Islands it is now possible to work with classification labels. With these two technologies combined in Azure IP, Microsoft is doing a great job because the user experience is much better. So how can we set up and use Azure Information Protection?


Before we start configuring Azure Information Protection there are some requirements.

  • A cloud subscription that includes Azure RMS
  • Azure AD directory
  • Client devices (with minimum .NET Framework version 4.6.5)
    • Windows 10 (x86, x64)
    • Windows 8.1 (x86, x64)
    • Windows 8 (x86, x64)
    • Windows 7 Service Pack 1 (x86, x64)
  • Applications in the following Office Suites support labeling (Word, Excel, PowerPoint and Outlook)
    • Office 2016
    • Office 2013 with Service Pack 1
    • Office 2010

More information can be found on the Microsoft site.

Configuring Azure Rights Management

First we have to configure Azure RMS with the right templates. These templates can be used in Azure Information Protection. Go to the old Azure AD Portal and select Active Directory; from there Rights Management can be opened to configure the templates. I’ve created a few templates for different usage. These templates will be used later on.

RMS Templates

Configuring Azure Information Protection

In the Azure Portal the option for Azure Information Protection can be added. When this has been done it can be configured. In the first view there is an overview of all classification labels. These labels can be enabled, disabled, edited or deleted. On this page it is also possible to set that all documents must have a label, the default classification label and if a justification must be provided when lowering the classification label.

Azure IP Config

When creating or editing a classification label, the label can be enabled. A name must be provided and optionally a tooltip. On this page a visual marking can also be enabled: a header, footer or watermark can be configured.

Azure IP Templates 1

In the classification label an Azure RMS or AD RMS template can be used. This RMS template will be applied when the classification label is selected.

Azure IP Templates 2

Automatic classification rules can be created.

Azure IP Templates 3

The classification label can be applied automatically or it can be recommended to the user.

Azure IP Templates 4

After this setup the Classification Labels in Azure Information Protection can be used on the clients. So let’s see how we can use this.

User Experience

First install the Azure Information Protection software. This can be downloaded here. Download and start the installation. The installation is really straightforward: install, next and finish.

Azure IP Software 1, Azure IP Software 2, Azure IP Software 3
After this we can open Word, for example. When we open it we see a new toolbar appearing under the Ribbon.

Azure IP Usage 1

In this toolbar it is possible to classify the document. By default the document is classified as “Personal” and can be shared with everyone.

Financial information can also be detected. When financial information is in the document and the document is saved, a new classification label, and with it a watermark, is applied.

Azure IP Usage 2

When lowering the classification label a window appears in which a reason must be given.

Azure IP Usage 3


Azure Information Protection licenses will be available in Q4 of 2016. There will be a standalone license, and Azure IP will also be part of the Enterprise Mobility Suite (EMS). Azure IP is available in two licenses, namely P1 and P2. P1 is the Azure RMS license as we know it today plus manual classification and labeling from the acquisition of Secure Islands; P2 is everything covered in the P1 license plus automatic classification and labeling.

Azure IP license

The Enterprise Mobility Suite is also divided in two separate licenses. The EMS E3 license is the current EMS license as we know it today. The EMS E5 license will be the current EMS license with some new additions for security.


In this post I gave an overview of Azure Information Protection. Microsoft has done a great job by integrating Azure RMS and the technology of Secure Islands with each other in Azure IP. With this new product documents can be secured against unauthorized access, and that with a great user experience. It’s really easy to change the classification of documents. In the near future this technology will be adopted more and more, so be prepared.