Browsed by
Category: EMS

Azure Information Protection and Rights Management are now in one portal

Azure Information Protection and Rights Management are now in one portal

Azure Information Protection and Azure Rights Management can now be configured from one central portal. Dan Plastina announced that this is in preview right now. This means that from now on we can configure Azure Information Protection and Azure Rights Managements settings through the same portal on Not everything can be configured jet in the new preview but before the end of July, this year, all configuration can be made at the new location. This is very cool from an administrative perspective.

But what are the possibilities now?

  • It is now possible to have a unified admin experience for Azure Information Protection through;
  • One place where all configuration for labels and all other settings including Rights Management can be done;
  • No need to create RMS templates first;
  • No need to be a Global Admin;
  • UI Based configuration options to protect content to:
    • anyone within your company (e.g.
    • anyone at another company (e.g.
    • a group of people at another company (e.g.

Administrative perspective

First we will look into the administrative perspective of this new possibilities. Go to the Azure Information Protection blade on When opening or creating a label we can enable protection in the section “Set permissions for documents and emails containing this label”. Select protect and the Azure RMS settings will open. In this section it was only possible to assign a previously created RMS template but from now it is possible to select “Custom (preview)” to set security/encryption settings directly on this label.

When selecting “Custom (preview)” the settings blade opens. Three options are available:

  • Set user permissions (internal or external)
  • Content expiration
  • Offline Access

To add user permissions select “Add permissions” and a new blade with settings will open.

First we can add user permissions from the internal organization. We can add All members from the internal organization or select Users or Groups. NOTE: The groups must be mail-enabled!.

When selected the correct groups or users you can set the permissions. This can be done with the pre-defined templates or it can be set custom. 

It is also possible to add external users or domains to labels. To do this select the tab “Custom / External” and add a domain or users email-address.

For the permissions these are the same as for internal users.

When setting up the users and the permissions it will returning to the main settings blade. We setup the next two settings for Content Expiration and Offline Access.

Content Expiration can be set “Never”, “By Days” or “By Date” and Offline Access can be set “Always”, “Never” or “By Days”.

After saving this all it is necessary to “Publish” the labels to the users so they can use this.

User perspective

After the administrative perspective it is now time to see the user perspective.

When the use is opening, for example, a Word document and select the new Azure Information Protection Label not only a watermark is applied but also the custom Azure RMS template.

When the label is applied we see that there are permissions active. These permissions are the permissions defined in the Template / Label.

For users who wants to add extra permissions they can select the Icon for Azure IP in the Ribbon. When selecting this Icon the option for “Custom Permissions” appear. When selecting this one you have the ability to add custom permissions to a document

Custom permissions to a document can be given based on a domain name, groups (Mail enabled) or users. The option for access expiration can be set.


The merge of Azure RMS and Azure Information Protection to one portal is very exiting news. This means that administrators don’t have to use two different portals and switching between the portals is not necessary anymore. This saves time and causes fewer errors during configuration. The Azure Information Protection team did a great job to makes this possible.

Till next time!!

Group based assignment of Azure Information Protection Labels

Group based assignment of Azure Information Protection Labels

Beginning of February the preview updates off December, on the Azure Information Protection environment, where brought to General Availability. Dan Plastina announces this in a post on the Enterprise Mobility Blog. The following updates where announced:

  • Scoped Policies so you can make labels available to users based on group membership
  • A new, unified Windows client that combines the RMS Sharing app features into the Azure Information Protection client
  • An updated viewer for protected files, including protected PDFs downloaded from SharePoint
  • Manual (right-click) labeling and protection for non-Office files
  • Bulk classification and labeling for data at rest using PowerShell

I will give you a quick tour about Scoped Policies (Labels) and will let you see how this works.

First we have a Global Policy with labels which are linked to all users in the environment. All default labels will be created in this policy. This was the only option to deliver labels to users till now. With Soped Policies it will be possible to define a set op Azure Information Protection labels and link it to an Azure AD Group. With this the HRM Users can have other labels then Management, Sales or other groups of users.

But how will we setup this?

To configure the Azure Information Protection Labels we have to go to the Azure Portal and open the blade for “Azure Information Protection”.

In this blade section there is an overview of all policies created in the environment. To modify the current policies select the one who has to be modified. Or if you want to add a new policy with a set of labels just select “Add a new policy”. First we will look at the Global Policy. We select the Global Policy.

When this policy is opened we can see the default labels are created in this policy. These labels are showed to every user in the organization. In this policy we are unable to link this to an User or Group (Grayed out) because this is the default policy. But we have the possibility to change the defaults for the “default label” or the justification settings.

After setting up the defaults in the “Global” Policy select the “Add a new policy”, on the left side, in the menu.

Now we can setup a new policy. Give the policy a name and select the option “Select which users/groups get this policy”. A new blade will open and we can select the users or groups who needs this set of labels. After selecting the correct users/groups for this policy select “Add a new label” to create a new label. The whole process to create a new label is described in a previous post

When configuring this label the options for adding encryption are renewed. It is now possible to set the options for “Not configured”, “Protect” or “Remove Protection”. When select “Protect” we have the ability to select a Rights Management (RMS) template. Select “Protection” and this will open a new blade section.

In this section we have the ability to select a RMS template or select “Do not forward”. The “Do not forward” options is especially for mail templates. With this a mail message can be send and the receiver will not be able to forward this mail message.

In this section we have also the ability to select “HYOK (AD RMS)” which gives us the opportunity to connect an on-premises RMS environment to Azure Information Protection.

For now we have created a normal label with an Azure RMS template and saved this. 

In the overview of the new created policy we see the new label. Look at the third column and we see the difference between the three default labels which are coming from the “Global” policy and the new one which is attached to the new created policy.

To publish all new created policies and labels we have to “Publish” the environment to the users. 

There is also the option to edit the labels cross policy. To do this select the “Crooss policy editor” button.

Now it is possible to see all labels cross policy. In this view we can see the prioritization of the labels.


This new features gives us the ability to distribute labels to users or groups so the end-users will only see the labels that they need. This new feature will give customers more flexibility to deliver the correct labels to everyone in the organization.

First Experience with Azure Information Protection

First Experience with Azure Information Protection

Last week I had the pleasure to do some experience with Azure Information Protection (Azure IP). Azure IP is now in Public Preview like Dan Plastina announced in his blog. Azure IP is based on two technologies. Azure Rights Management Service (Azure RMS) and the acquisition of Secure Islands. With the acquisition of Secure Islands it is now possible to work with classification labels. With these two technologies combined in Azure IP Microsoft is doing a great job because the user experience is much better. So how can we setup and use Azure Information Protection?


Before we start configuring Azure Information Protection there are some requirements.

  • A cloud subscription that includes Azure RMS
  • Azure AD directory
  • Client devices (with minimum .NET Framework version 4.6.5)
    • Windows 10 (x86, x64)
    • Windows 8.1 (x86, x64)
    • Windows 8 (x86, x64)
    • Windows 7 Service Pack 1 (x86, x64)
  • Applications in the following Office Suites support labeling (Word, Excel, PowerPoint and Outlook)
    • Office 2016
    • Office 2013 with Service Pack 1
    • Office 2010

More information can be find on the Microsoft site.

Configuring Azure Rights Management

First we’ve to configure Azure RMS with the right templates. These templates can be used in Azure Information Protection. Go to the old Azure AD Portal and select Active Directory, then Rights Management can be opened to configure the right templates. I’ve created a few templates for different usage. These templates will be used later on.

RMS Templates

Configuring Azure Information Protection

In the Azure Portal the option for Azure Information Protection can be added. When this has been done it can be configured. In the first view there is an overview of all classification labels. These labels can be enabled, disabled, edited or deleted. On this page it is also possible to set that all documents must have a label, the default classification label and if a justification must be provided when lowering the classification label.

Azure IP Config

When creating or editing a classification label the label can be enabled. A name must be provided and a tooltip can be provided. On this page also a visual marking can be enabled. A header, footer or watermark can be configured.

Azure IP Templates 1

In the classification label an Azure RMS or AD RMS templates can be used. This RMS template will be applied when the Classification Label is selected.

Azure IP Templates 2

Automatic classification rules can be created.

Azure IP Templates 3

The classification label can be applied automatically or it can be recommended to the user.

Azure IP Templates 4

After this setup the Classification Labels in Azure Information Protection can be used on the clients. So let’s see how we can use this.

User Experience

First install the Azure Information Protection Software. This can be downloaded here. Download and start the installation. The installation is really straight forward. Install, next and finish.

Azure IP Software 1Azure IP Software 2 Azure IP Software 3







After this we can open Word for example. When we open this we see a new toolbar appearing under the Ribbon.

Azure IP Usage 1

In this toolbar it is possible to classify the document. By default the document is classified as “Personal” and can be shared with everyone.

Also Financial Information can be detected. When financial information is in the document and the document is saved a new classification label and so a watermark is applied.

Azure IP Usage 2

When lowering the classification label there will be a windows where a reason must be given. Azure IP Usage 3


Azure Information Protection licenses will be available in Q4 of 2016. There will be a standalone license and en Azure IP will also be part of Enterprise Mobility Suite (EMS). Azure IP is available in two licenses, namely P1 and P2. The P1 is the Azure RMS license as we know it today with manual classification and labeling from the acquisition of Secure Islands and the P2 license is everything covered in the P1 license and automatic classification and labeling.

Azure IP license

The Enterprise Mobility Suite is also divided in two separate licenses. The EMS E3 license is the current EMS license as we know it today. The EMS E5 license will be the current EMS license with some new additions for security.


In this post I gave an overview of Azure Information Protection. Microsoft has done a great job by integrating Azure RMS and the technology of Secure Island with each other in Azure Ip. With this new product documents can be secured for unauthorized access. And that with a great user experience. It’s really easy to change the classification of documents. In the near future this technology will be more and more adopted so be prepared.