AIP in the Azure portal

One of my first (and most read) blog posts was AIP – Policies, Labels, templates and protection explained.

The thing is, AIP has changed so much that the post really isn't as useful as it once was back in the day (close to a year ago). Not only have the views changed, but it has become (as I see it at least) easier. I thought we should just take a quick look at how things look in the Azure portal these days.

The first things that meet us when we start looking at AIP in the Azure portal are Dashboards (reporting, logs and discovery) and Classifications. Under Classifications we find Labels and Policies. This is where some people get a little confused, so I will try to show you a little bit about how it works here. If you go into Labels, you will see that Microsoft has actually done quite a bit of configuration for you here, and there are some labels and protection templates in place.

If we look at Policies, we can see that there is one, and that it is called the Global policy:

If we take a closer look at this policy we can see labels again:

These are actually the same labels as we just saw under Labels, so nothing to worry about. The two missing here are the ones that have automatic behaviour in them, and we will not cover why here.

The Global policy is the policy that will be applied to all the users in our tenant (unless we specifically want to omit someone, which we can do by using an onboarding policy). Read more in my blog about onboarding policy.

We can create additional policies and scope them towards a certain group: My blog post about creating a scoped policy. 

Or we can edit just about all the settings in it. Want to hide a label? No problem. Change protection settings? No problem either. Add labels, change watermarks, top and bottom text, just about anything you can think of. As you do this, the changes will be published to the users if they have already started using AIP, so keep that in mind. For a PoC I recommend following the blog post I referenced above about onboarding policy.

Policies: The entire rule set that includes everything else: labels, settings for users, protection etc. There is always a Global policy, and you can choose to create scoped policies for groups of users.

Labels: This is not just a way to mark information according to sensitivity. It is a way to give a file a set of properties like visual markings, watermark, permissions etc. It is also where we set up automatic behavior for those who have the necessary license for this (P2/EMS E5).

Protection: Protection settings that will be applied to content. Who should be able to read, and should they also be able to change? Take print screens? Print? Forward? For how long should they have access? For how long should they have access without re-authenticating with Azure AD? There are many other settings as well. Protection is applied through a label, and if you delete the label, the protection template will remain, so that users can still access their content.

For those of you who have been paying attention lately, you may have heard about unified labels and sensitivity labels. You may also have seen demos of the Office 365 Security and Compliance Center, where you can create and edit sensitivity labels, apply protection and much more. I have already touched on this in my blog post about migrating labels from the Azure portal to sensitivity labels, but soon I will blog about how we work with sensitivity labels in the Office 365 SCC portal. If you want to get notified about new blog posts, please add me on Twitter: @pewinther.

