How to start your AIP project with only a selected group of users.
I am sometimes asked whether AIP needs to be visible to, and usable by, all users when customers are starting a PoC or just want to play around with the security settings in AIP. After all, you may not want all your users to start protecting content, especially before they have been informed and trained. Well, Microsoft has thought of this, and an easy way to select only the users you want to include in the PoC/test is by using this simple PowerShell command:
Set-AadrmOnboardingControlPolicy
Info: Since this article requires you to have the AADRM PowerShell module, I have included a short guide on how to install it at the bottom.
The onboarding policy is a great tool for a gradual deployment of Azure Information Protection. It gives us the ability to specify who should be allowed to protect content. We can choose either the members of a group, or select users based on whether they are licensed or not.
If you want to give AIP only to the users who are licensed, you can run the following command:
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $True
If you would rather use a group to control which of your users get AIP, you can find the group's Object ID in the Azure portal, under Azure Active Directory – Group - Properties (see illustration below), or run the Get-MsolGroup command.
[Illustration: Groups in Azure Active Directory]
You can then run the following command:
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "feb2c2a7-0798-4b72-936b-c7454a53efb1"
to specify that only the members of this group should be able to protect content.
AIP should now only be usable for the users/groups you have specified.
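The group-based steps above as one script, with a check that the policy was actually applied. This is an added example, not code from the original article; the group name AIP-Pilot-Users is a hypothetical placeholder, and the script assumes the MSOnline module is installed alongside AADRM and that the object returned by Get-AadrmOnboardingControlPolicy exposes UseRmsUserLicense and SecurityGroupObjectId properties.

```powershell
# Added example: limit AIP protection to one pilot group and verify the result.
# Requires the AADRM and MSOnline modules and tenant admin credentials.
$ErrorActionPreference = 'Stop'

$PilotGroupName = 'AIP-Pilot-Users'   # hypothetical group name, replace with your own

Connect-MsolService     # needed for Get-MsolGroup
Connect-AadrmService    # needed for the *-AadrmOnboardingControlPolicy cmdlets

try {
    # -SearchString matches on a prefix, so filter down to the exact display name
    # to avoid picking up a similarly named (and possibly much larger) group.
    $candidates = @(Get-MsolGroup -SearchString $PilotGroupName |
        Where-Object { $_.DisplayName -eq $PilotGroupName })

    if ($candidates.Count -ne 1) {
        throw "Expected exactly one group named '$PilotGroupName', found $($candidates.Count)."
    }
    $groupId = $candidates[0].ObjectId.ToString()

    # Record the current policy first so the change can be reviewed or reverted.
    $before = Get-AadrmOnboardingControlPolicy
    Write-Host "Before: UseRmsUserLicense=$($before.UseRmsUserLicense) Group=$($before.SecurityGroupObjectId)"

    # Same command as in the article, with the looked-up Object ID.
    Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId $groupId

    # Read the policy back and fail loudly if it does not match what was requested.
    $after = Get-AadrmOnboardingControlPolicy
    if ("$($after.SecurityGroupObjectId)" -ne $groupId -or $after.UseRmsUserLicense) {
        throw "Onboarding policy was not applied as expected: $($after | Out-String)"
    }
    Write-Host "After:  only members of '$PilotGroupName' ($groupId) can protect content."
}
finally {
    Disconnect-AadrmService
}
```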
And when you no longer want to use the onboarding policy, regardless of whether you decided to use a group or licenses:
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False
Installing the AADRM PowerShell module
Getting the AADRM PowerShell module is done by starting PowerShell as an admin and running the following command:
Install-Module -Name AADRM
You may receive a warning that you are installing from an untrusted repository. Press Y to continue.
If you already have AADRM PowerShell installed, but you need a newer version (the actions in this article require AADRM PowerShell 2.1.0.0 or above), you can run:
Update-Module -Name AADRM
Hopefully this gets you one step closer to starting your AIP PoC.