Our technical writer, Carol Bailey, is letting you know what’s new and hot in the docs for March.
Dan (on behalf of the Information Protection team)
The documentation for Azure Information Protection has been updated on the web, and the latest content has a March 2017 (or later) date at the top of the article.
Updates for this month support the new release of the Azure Information Protection client, and also incorporate customer feedback for clarifications. Any day now (maybe by the time you read this!) you can also expect updated guidance for Migrating from AD RMS to Azure Information Protection. The basic instructions for migration remain the same but after learning from several customer migrations, we’ve picked up some tweaks and tips to help make this process go more smoothly. For example, we’re adding a preparation phase, which includes setting onboarding controls and deploying a pre-migration script to ensure that clients don’t accidentally bootstrap against the Azure Rights Management service before you are ready for them.
We value customer feedback and try to incorporate it whenever possible. If you have feedback about the documentation, you can contact us by emailing AskIPTeam@Microsoft.com.
What’s new in the documentation for Azure Information Protection, March 2017
The following information lists the articles that have significant technical changes since the last update (February 2017).
– Previously, this article contained information about client apps only. It now contains a new section for server-side solutions from software vendors.
– Added Windows Server 2016 support for file servers that run Windows Server and use File Classification Infrastructure (FCI).
– New entry: Is the Azure Information Protection client only for subscriptions that include classification and labeling? Information about how the client detects and operates in protection-only mode.
– Revised the instructions for Exchange message classification and included a screenshot of configuring an Exchange Online transport rule to set a message header for an Azure Information Protection label. In addition, the entry “How do I sign in as a different user?” is removed, and this information is now in the new Custom configurations section of the Azure Information Protection client admin guide.
– New entry: How do I send a protected email to a Gmail or Hotmail account? We’ve had a lot of questions asking how to configure Azure Information Protection as shown in the Ignite session Send secure email to anyone with the power of Microsoft Office 365 and Azure Information Protection. This feature is still in private preview.
– Updated throughout, to reflect the new, default policy for customers who are connecting to the Azure Information Protection service for the first time.
– Added a new section about considerations if email addresses change.
– Updated the information to include the Azure Information Protection client and Office 2016 for Mac, and revised the information for Office 2010.
– Updated the description for Save As, Export (common name) to clarify that if this right is not granted, Office applications let a user save a document to a new name if the selected file format supports Rights Management protection. For example, when an authorized user opens Report.docx that has been protected but the Save As, Export right is not granted, she can save the document as NewReport.docx because Word supports Rights Management for that file type, but she can’t save the document as Report.pdf because Word doesn’t support Rights Management for that file type.
In addition, this page now states that Outlook and the Outlook web app require the Edit Content, Edit (common name) right with Reply or Reply All when the recipient is in another organization.
– Updated for the revised default policy that was deployed March 21, 2017. If you were already using Azure Information Protection before the default policy was revised, your earlier version of the default policy is not updated because you might have configured it and deployed it into production. However, you can use this information to update your policy to the latest values.
– Updated for the new setting: For email messages with attachments, apply a label that matches the highest classification of those attachments
– Updated to clarify that visual markings are not applied when the label is applied by using File Explorer and the right-click action, or when a document is classified by using PowerShell.
– Updated to clarify that the file-name field is populated only for protected documents that are tracked by using the Azure Information Protection client for Windows or the Rights Management sharing application for Windows, and is also blank if the request type is RevokeAccess. Other fields are updated to clarify when they are similarly blank if the request type is RevokeAccess.
– Updated to clarify that if you have the minimum required version of PowerShell (v2.0), you must manually load the module (Import-Module AADRM) before you can use any of the Azure RMS cmdlets in your PowerShell session. Because most people have a later version of PowerShell, other documentation pages do not include the step to manually import the module before running the cmdlets.
– Updated for information about the 188.8.131.52 release this month.
– Updated for information about prerequisites and custom installs, with a new section for Additional checks and troubleshooting. There’s also a new section, Custom configurations, which contains advanced configurations that you might need for specific scenarios or a subset of users. Suitable for administrators but not for end users, these configurations will often require deleting files or editing the registry, so please do this carefully! Note that the information previously published as an FAQ entry (“How do I sign in as a different user?”) is now moved to this new section.
– Updated for PDF files that now support labels that can apply classification-only.
– Removed the statement that you can use New-AzureADServicePrincipal from the latest Azure AD PowerShell module to create the service principal account for Set-RMSServerAuthentication. Currently, this cmdlet is not supported for the Azure Rights Management service and instead, you must use New-MsolServicePrincipal from the MSOL PowerShell module.
– Updated for the new functionality to set custom permissions for a document.
– Updated to clarify that you must run Get-RMSTemplate on the file server before running the script, and again with the -force parameter if you make changes to the template you’re using for FCI. Also clarified that this configuration does not support scoped templates.
– Updated to clarify that you can run this command concurrently when you specify a different path for the -LogFile parameter for each command that runs in parallel. Protect-RMSFile does not currently support running concurrently; Set-AIPFileLabel does support running concurrently.