Group based assignment of Azure Information Protection Labels

Group based assignment of Azure Information Protection Labels

Beginning of February the preview updates off December, on the Azure Information Protection environment, where brought to General Availability. Dan Plastina announces this in a post on the Enterprise Mobility Blog. The following updates where announced:

  • Scoped Policies so you can make labels available to users based on group membership
  • A new, unified Windows client that combines the RMS Sharing app features into the Azure Information Protection client
  • An updated viewer for protected files, including protected PDFs downloaded from SharePoint
  • Manual (right-click) labeling and protection for non-Office files
  • Bulk classification and labeling for data at rest using PowerShell

I will give you a quick tour about Scoped Policies (Labels) and will let you see how this works.

First we have a Global Policy with labels which are linked to all users in the environment. All default labels will be created in this policy. This was the only option to deliver labels to users till now. With Soped Policies it will be possible to define a set op Azure Information Protection labels and link it to an Azure AD Group. With this the HRM Users can have other labels then Management, Sales or other groups of users.

But how will we setup this?

To configure the Azure Information Protection Labels we have to go to the Azure Portal and open the blade for “Azure Information Protection”.

In this blade section there is an overview of all policies created in the environment. To modify the current policies select the one who has to be modified. Or if you want to add a new policy with a set of labels just select “Add a new policy”. First we will look at the Global Policy. We select the Global Policy.

When this policy is opened we can see the default labels are created in this policy. These labels are showed to every user in the organization. In this policy we are unable to link this to an User or Group (Grayed out) because this is the default policy. But we have the possibility to change the defaults for the “default label” or the justification settings.

After setting up the defaults in the “Global” Policy select the “Add a new policy”, on the left side, in the menu.

Now we can setup a new policy. Give the policy a name and select the option “Select which users/groups get this policy”. A new blade will open and we can select the users or groups who needs this set of labels. After selecting the correct users/groups for this policy select “Add a new label” to create a new label. The whole process to create a new label is described in a previous post

When configuring this label the options for adding encryption are renewed. It is now possible to set the options for “Not configured”, “Protect” or “Remove Protection”. When select “Protect” we have the ability to select a Rights Management (RMS) template. Select “Protection” and this will open a new blade section.

In this section we have the ability to select a RMS template or select “Do not forward”. The “Do not forward” options is especially for mail templates. With this a mail message can be send and the receiver will not be able to forward this mail message.

In this section we have also the ability to select “HYOK (AD RMS)” which gives us the opportunity to connect an on-premises RMS environment to Azure Information Protection.

For now we have created a normal label with an Azure RMS template and saved this. 

In the overview of the new created policy we see the new label. Look at the third column and we see the difference between the three default labels which are coming from the “Global” policy and the new one which is attached to the new created policy.

To publish all new created policies and labels we have to “Publish” the environment to the users. 

There is also the option to edit the labels cross policy. To do this select the “Crooss policy editor” button.

Now it is possible to see all labels cross policy. In this view we can see the prioritization of the labels.


This new features gives us the ability to distribute labels to users or groups so the end-users will only see the labels that they need. This new feature will give customers more flexibility to deliver the correct labels to everyone in the organization.

Leave a Reply

Your email address will not be published. Required fields are marked *