Enterprise Mobility and Security Blog

RSS

In our Dec 7th announcement we were excited to make available a number of new features in Azure Information Protection (AIP). To recap, these included:

  • Scoped Policies so you can make labels available to users based on group membership
  • A new, unified Windows client that combines the RMS Sharing app features into the Azure Information Protection client
  • An updated viewer for protected files, including protected PDFs downloaded from SharePoint
  • Manual (right-click) labeling and protection for non-Office files
  • Bulk classification and labeling for data at rest using PowerShell

Today we are even more excited to move ALL of these features from Preview to General Availability AND add two great new collaboration features!

Scoped Policies

As we covered in the December 7 post, Scoped Policies allow customers to build sets of labels that are only visible and usable to specific employees and groups of employees such as teams, business units or projects.

In all instances, a global set of policies is made available to all users. The new scoped policies are layered over this global set, available to just users in the specified security group membership. It is important to note that scoped policies are an admin concept, users will not be aware as they just see a combined set of labels they are assigned.

Each set of scoped policies allows for customization, including labels, sub-labels, and settings like mandatory labeling, default label, and justifications. The scoping model is consistent with Azure RMS template scoping, in that it is based on Azure Active Directory users and groups.

A few important notes on scoped policies:

  • Scopes are optional, you don’t have to define a set or group for a policy. If not set, the policy has global scope for everyone in the tenant.
  • Policies are ordered by administrators. This order defines which scopes are considered higher than others. Policies are combined into an effective policy, which is given to the client.

If you need to configure Scoped Policies in your organization, this is great place to get started.

A Single, Unified Client

We have listened and worked with our customers closely to learn how we can improve the user experiences and business scenarios for the previous RMS Sharing app and the new AIP client.  Today we are making available a single, unified client for classification, labeling and protection. This new client includes the ability to set custom permissions, share data in a protected way, track and revoke files and view protected files (beyond Office files).

The existing RMS sharing app is still available on our download center and will be supported for a period of 12 months with support ending January 31, 2018The Azure Information Protection user guide can help you get started with the new client and transition from the RMS Sharing app.

The new client, which can be downloaded here includes:

  • The ability to set/remove custom permissions for files (single files, multiple files and files in folders) through the Explorer shell extensions (right click on a file / folder) and select “classify and protect”
  • We will shortly enable users to set/remove custom permissions for Office files via the Office Interface (Word, Excel, PowerPoint)
  • Users can select contacts from their Global Address Book (requires Outlook)
  • Once protected, users can share a file via any method such as mail, SharePoint and cloud sharing apps.
  • Set Track and Revoke options for protected documents

External recipients who receive a protected document can download a lightweight client app (the Azure Information Protection Viewer) to open and view these docs in a simple way. This app does not require admin rights to be installed and can be downloaded from http://aka.ms/aipviewer.

Classify and protect shell explorer app

Image 1 – Classify and protect a file through the “classify and protect” shell explorer app

Custom permissions classify and protect shell explorer

Image 2 – Apply custom permissions through the “classify and protect” shell explorer app

View protected content viewer app

Image 3 – View protected content with the lightweight Viewer app

Access denied message

Image 4 – Access Denied message and instructions on how to request permission

Bulk Classification

With the December updates we extended the RMS PowerShell commands to support Label and Protection actions based on Azure Information Protection policies. Administrators and data-owners can label and protect files in bulk on File stores, or query for the file’s status. The PowerShell cmdlets, which are installed as part of the new unified client, are now GA and enable our customers to:

  • Query for a files Label and Protection attributes
  • Set a Label and/or Protection for documents stored locally or on file servers and network shares that are accessible through SMB/CIFS (e.g. \\server\finance\)

Powershell commands

Image 5 – Use the PowerShell commands to perform bulk labeling and protection tasks

For examples and help run PowerShell and type “Get-Help Get-AIPFileStatus -online” and “Get-Help Set-AIPFileLabel -online”. You can also refer to the help documentation for this module.

New Collaboration features – share protected documents with groups and companies

Two top requested features are now available, the ability to share protected documents (Word, Excel, PowerPoint) to:

  • A group of people at an organization e.g. finance@contoso.com
  • Anyone at a specified organization e.g. [anyuser]@contoso.com

Group collaboration – this scenario is designed so that two organizations can collaborate effectively with each other without having to know exactly who is in the group, for example legal teams needing to work on briefs or project teams working on a joint effort. Simply by being a member of the group, permissions are provided to users. This requires that the group is in Azure AD (either through Azure AD Connect or a native cloud group), if you are on Office 365, this just works!

Company collaboration – this new feature enables content to be protected to all users within a specified organization, for example any user who works at Contoso. This is particularly useful in B2B scenarios like supply chains and M&A activities.

What does this look like for users? Very simple and easy, just protect your document and share.

By way of example, here is a document that has been classified for Contoso-Fabrikam collaboration. A label was provided to users configured to apply the Azure RMS template that provides anyone at either company permissions to the document. On applying the classification, the sensitivity label was applied to the document along with the collaboration template:

Protected document view

The document is then shared. On receiving the document, the recipient is restricted in the actions they can take as shown below:

Shared protected document view

The group collaboration requires no additional configuration and users can simply protect and share to AAD groups from today. For the company level collaboration, this must be enabled by an administrator using an updated Azure RMS PowerShell module. An example to create a rights definition and template is shown below:

$names = @{}
$names[1033] = "Contoso-Fabrikam Confidential"
$descriptions = @{}
$descriptions[1033] = "This content is confidential for all employees in Contoso and Fabrikam organization"
$r1 = New-AadrmRightsDefinition -DomainName contoso.com -Rights "VIEW","EXPORT"
$r2 = New-AadrmRightsDefinition -DomainName fabrikam.com -Rights "VIEW", "EXPORT"
Add-AadrmTemplate -Names $names -Descriptions $Descriptions -LicenseValidityDuration 5 -RightsDefinitions $r1, $r2 -Status Published

If you haven’t used the Azure RMS PowerShell cmdlets before, start by reading this documentation. But if you want more information about specifying a rights definition object for the new collaboration options, see the updated New-AadrmRightsDefinition help.

For more details regarding the Azure RMS PowerShell cmdlets, you can access the documentation here.

Get started NOW!

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get started today!

Dan Plastina (@DanPlastina) on behalf of the Information Protection Team.


Please let us know what you think of the EMS blog by taking our survey! Read this blog post to learn more about the survey and how you can qualify to win one of five $200 gift cards.