Azure Tidbit – Using Azure Information Protection in the Enterprise

Hello All,

Saw this video from Ignite and thought I would do a dive on Azure Information Protection and show you some of the great things it can do.  Remember organizations no longer operate within their own perimeter. Data is traveling between users, devices, apps, and services more than ever before. And protecting your perimeter, users, or devices does not guarantee protection of your data as it travels outside of corporate boundaries. Even simply identifying the data that needs protection can be a major challenge.

First of all AIP behave differently depending on your license if you have, see the table for more info

  Azure Information Protection Premium P1 Azure Information Protection Premium P2
Manual document classification and consumption of classified documents
Automated data classification and administrative support for automated rule sets  
Hold Your Own Key (HYOK) that spans Azure RMS and Active Directory RMS for highly regulated scenarios  
Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content
Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle
Custom templates, including departmental templates
Protection for on-premises Exchange and SharePoint content via Rights Management Services (RMS) connector
RMS software developer kit for all platforms: Windows, Windows Mobile, iOS, Mac OSX, and Android
RMS connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector
Document tracking and revocation
Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection)
RMS content consumption by using work or school accounts from RMS policy-aware apps and services
RMS content creation by using work or school accounts
Office 365 Message Encryption (OME)
Administrative control


Second you need to understand the file types and the type of protection that you can expect, see this table for some of that information but see this article for the complete picture.

Type of protection Native Generic
Description For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and other application file types that support a Rights Management service, native protection provides a strong level of protection that includes both encryption and enforcement of rights (permissions). For all other applications and file types, generic protection provides a level of protection that includes both file encapsulation using the .pfile file type and authentication to verify if a user is authorized to open the file.
Protection Files protection is enforced in the following ways: - Before protected content is rendered, successful authentication must occur for those who receive the file through email or are given access to it through file or share permissions. - Additionally, usage rights and policy set by the content owner when files are protected are fully enforced when the content is rendered in either the Azure Information Protection viewer (for protected text and image files) or the associated application (for all other supported file types). File protection is enforced in the following ways: - Before protected content is rendered, successful authentication must occur for those who are authorized to open the file and given access to it. If authorization fails, the file does not open. - Usage rights and policy set by the content owner are displayed to inform authorized users of the intended usage policy. - Audit logging of authorized users opening and accessing files occurs. However, usage rights are not enforced.
Default for file types This is the default level of protection for the following file types: - Text and image files - Microsoft Office (Word, Excel, PowerPoint) files - Portable document format (.pdf) For more information, see the following section, Supported file types for classification and protection. This is the default protection for all other file types (such as .vsdx, .rtf, and so on) that are not supported by native protection.


NOTE: There is no need for infrastructure to support this feature and you can protect documents within the following on-prem repositories Exchange Server, SharePoint Server, and Windows Server file servers that support File Classification Infrastructure

Lastly what does AIP do for me

  1. Classification and labeling

Classification and labeling can be done automatically or manually as well you can use the default templates or create templates to make your end-users classification easier.  Azure Information Protection templates give you the ability to set what protection the document would receive see here for more information about templates.

2. Encryption and Rights Management

By default, uses RSA 2048 for all public key cryptography and SHA 256 for signing operations and uses AES 128 for symmetric encryption. Azure Information Policy is compliant with FIPS 140-2 when your tenant key size uses the default size.  For more information continue reading here.

3. Intuitive, One-Click process

Use policies to classify and label data in intuitive ways based on the source, context and content of the data. Classification can be fully automatic, user-driven or based on a recommendation. Once data is classified and labeled, protection can be applied automatically on that basis. Data classification and protection controls are integrated into Office and common applications. These provide simple one-click options to secure data that users are working on. In-product notifications provide recommendations to help users make the right decisions.

4. Detailed tracking and Reporting

If you have a subscription that supports document tracking, the document tracking site is enabled by default for all users in your organization. Document tracking provides information for users and administrators about when a protected document was accessed and if necessary, a tracked document can be revoked.  For more information read this article.

What if I want more information


Comments (0)

Skip to main content