Creating a scoped Policy and linking it to a label.

In my previous posts I have mentioned scoped policies a few times. The policy that is included from the start and that is available to everyone by default is the Global Policy. Sometimes that will be all you need, but there are situations where protecting content for a specific group of people, like the HR department for instance, will be required.

A scoped policy, then, is a policy that only applies to the users you specify, and not to the entire tenant.

In this post I will go through the creation of a scoped policy, and we will assign a label to the policy. That means that the group targeted by the scoped policy will get a label that is only visible to them, and it will protect content so that it can only be read by them. This could be useful when having a project or task force dealing with highly sensitive information for instance.

And we start by going to The Azure Information Protection blade in the Azure Portal.
Then we select Policies, and + Add a new policy:

+ Add a new Policy

In the Policy Blade, we will give our new policy a name, and a description before we select which users will get this policy. As an important note we are told that the groups must be email-enabled.
Groups need to be mail-enabled.

Not much to do here, but press the Users/Groups option:
Select Users/Groups

We can then search and select a user or an email-enabled group that should get this policy.

Select from list or search

When this is done we press OK and go back to looking at our policy. We have now given it a name and description, and we have chosen a group that should get it, but we haven’t really done anything else. So, what does this new policy do? In short, right now nothing. If we try the Add or remove labels option, there really isn’t much to do. All the current labels are already used in the global policy.
Notice that all labels have a checkbox checked.

So how do we get a new label for our scoped policy? Well, we need to create one. We will add it from the main menu:

Select Labels

Sometimes you may want to combine the scoped policy with a sublabel. This is a label that appears in a pulldown menu under a normal label. A sublabel is created by selecting one of the existing labels, selecting the three dots on the right side of it, and Add a sub-label. 
Add sublabel option

We will not do that this time. Instead we select the + Add a new label option again, but this time, when we select it, we won’t just see the current labels: a blade for our new label will open. You can give the label a name and description and choose Protect → Protection to add protection to the label.


The Protection blade will open, and we can select what is called “the protection action type”. As you can see, Microsoft still has the “Select a predefined template” option in its help text, but this option has been removed, as I have mentioned in an earlier post.
Only two options remain

Here I have selected the Set permissions option, and I will add my Business Development group. The very same group that the scoped policy is targeting.

Add permissions

I can also choose if the content can be read offline, and the number of days the content should be available without an internet connection. Why is this interesting? Well, with extremely sensitive material you may want to set the offline access to Never, so that any changes you make in access permissions will be effective immediately. This means that if you revoke access, the information cannot be accessed again. For this demo we will leave the default 7 days and see what permissions our users should have.

We can choose any permission level we want, from Co-Owner, which allows our users to do everything you can, including removing the protection, all the way down to Viewer, which gives them read-only access to the content.
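As an added example that is not part of the original post: the same protection settings (rights granted only to the Business Development group, with a 7-day offline window) expressed with the AIPService PowerShell module. This creates the underlying RMS protection template rather than the label itself; the group address and the mapping from the portal's permission levels to individual rights are assumptions.

```powershell
# Added example: protection settings for the Business Development label,
# expressed as an RMS protection template via the AIPService module.
# Assumption: the label is still created in the portal; this is the
# template-level equivalent of the "Set permissions" step above.
Connect-AipService   # prompts for tenant admin credentials

# Assumed mail-enabled group; replace with your own.
$group = 'BusinessDevelopment@contoso.example'

# Assumed mapping of the portal's permission levels to RMS usage rights.
$viewerRights  = 'VIEW', 'VIEWRIGHTSDATA', 'OBJMODEL'
$coOwnerRights = 'VIEW', 'VIEWRIGHTSDATA', 'EDIT', 'DOCEDIT', 'PRINT', 'EXTRACT',
                 'EXPORT', 'REPLY', 'REPLYALL', 'FORWARD', 'OBJMODEL', 'OWNER'

# Only the targeted group receives any rights, so nobody outside it can open the content.
$rights = New-AipServiceRightsDefinition -EmailAddress $group -Rights $coOwnerRights

# Names and descriptions are keyed by locale ID (1033 = en-US).
$names = @{}
$names[1033] = 'Business Development - Confidential'
$descriptions = @{}
$descriptions[1033] = 'Readable only by the Business Development group.'

# LicenseValidityDuration is the offline-access window in days (7 matches the portal
# default). A shorter window means revoked access takes effect sooner, because the
# client must fetch a fresh use license once the cached one expires.
# ScopedIdentities restricts who can see and apply the template, mirroring the scoped policy.
Add-AipServiceTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $rights -LicenseValidityDuration 7 `
    -ScopedIdentities $group -Status Published
```

To grant read-only access instead of Co-Owner, pass `$viewerRights` to `New-AipServiceRightsDefinition`.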

Pressing OK will bring us back to our Label blade. This is also where we can choose to give the content a header, footer or watermark, choose automatic settings (requires EMS E5/P2) and many other options.

The label blade
When we have done all the configuration we want, we can save, and our new label has been created.
Saving automatically publishes the label

But we still haven’t assigned the label to anyone. We have created a policy and we have created a label, but we still need to connect the new label to our new scoped policy. We need to go back into our scoped policy to do that.
Go back into the Scoped policy

This time, when we select + Add a new label, we see our newly created one, ready for selection:

Our new label ready for selection

Select the checkbox, and the users in the Business Development group now have a label that no one else can see. Protecting content with this label will also make sure no one outside the group will be able to read it.
Configurations to our new Policy
The scoped policy has the same options as the Global one. The same rule applies here as in the Global policy: all automatic behavior requires EMS E5/P2, not only the automatic conditions option.
EMS E5/P2 functionality

But also things like Select the default label.

EMS E5/P2 functionality

Why would we want to select a default label, you ask? Well, it can be very useful. Making sure all content has a default label makes the users more aware of what they are doing and protects them from sending sensitive data to external parties by accident. Anything they want to share with people outside the group will have to be de-classified or re-classified first.

You may also want to include header/footer and do other stuff to the label. 

Header/footer and more

That’s it. Now the users in our Business Development group have their own label and can communicate in secret if they need to.
