Enterprise Mobility and Security Blog

Hi everyone, and welcome to an important post for those of you who work with the configuration of Azure Information Protection (AIP). As you may already know, for historical reasons AIP configuration is currently spread across both the classic and new Azure management portals. This is because the protection part of AIP (the encryption, formerly known as Azure RMS) is in the classic portal, while the Classification and Labelling part is in the new one.

Well, today that all changes! We are excited to release into Preview the new unified administrative experience, which brings the Protection configuration (you will know this as Azure RMS templates) into the AIP configuration. This is the first step in our move to a label-centric model.

So what does this mean to you?

  • From an admin perspective, we have unified access to all configuration into a single location to define your classification taxonomy, labels and any specific actions including protection.
  • You can try out this new unified admin experience right now: just log in to https://portal.azure.com
  • Until now, an admin had to first create RMS templates in the Azure classic portal, then go to the Azure portal to configure labels, and then link RMS templates to labels.
  • Moving forward, everything is now configured via the Azure portal. Protection becomes an optional setting of a label, just like visual marking or classification automation with conditions.
  • Based on your feedback, we have also removed the need for an admin to be a Global Admin! Security Admins can create labels and configure protection settings.
  • Following our release of new collaboration features in February, we have now added UI-based configuration options to protect content to:
    • anyone within your company (e.g. @contoso.com)
    • anyone at another company (e.g. @fabrikam.com)
    • a group of people at another company (e.g. finance@fabrikam.com)

This is our first step in the move from the previous Classic Portal (https://manage.windowsazure.com) to the Azure portal (https://portal.azure.com), which is scheduled to be complete by July this year. We would really love to have you try out the new settings, and let us know what you think. We will be listening in Yammer.

Let’s take a deeper look

When you log in to the portal and open a label, you will see that we have added an option to set Protection permissions on the label (this also applies to sub-labels; for brevity we will just say “labels”):

[Screenshot: Label Confidential]

Once you choose the option “Custom (Preview)”, you can define the same settings that were previously in the classic portal, including content expiration, offline access policy, and users/groups and their rights. In the example below, we are giving the Big Wigs group, and Bonnie as a specific user, Co-Owner rights.

[Screenshot: Protection add permissions]

You can also optionally provide “everyone” within your organization rights:

[Screenshot: Provide everyone with organization rights]

If you wish to collaborate on protected content with people outside your organization, you can use the custom or external option to add users (e.g. jane@contoso.com), groups (e.g. projects@contoso.com) or entire organizations (e.g. @contoso.com):

[Screenshot: Add user custom or external option]

Once the settings are configured and saved, the AIP service creates Protection templates in the background. We still create these templates to preserve backward compatibility for applications that use RMS templates without requiring any updates to adopt labels.

A note on templates: The AIP client refreshes templates that are associated with labels, and this refresh happens whenever you relaunch the client. For users without the AIP client (i.e. just using RMS), these templates refresh on a regular basis; the default is 7 days, but you can tune this.

A few questions you may have

I don’t see all the options that are available on the classic portal, where are they?
In this Preview we enable only the creation of new templates as settings on the label. Management of existing templates via the Azure portal will come with the next Preview release, expected late May.

Can I continue to manage templates created via the Azure portal using the classic portal?
Yes, but we don’t recommend that you archive or delete these templates through the classic portal or using PowerShell. If you want to remove them, you should first disable protection on the relevant label and then remove the templates.

How can I create scoped templates?
You should create scoped policies and create a label scoped to the relevant group. Any template created as a configuration on a label will be scoped to the same audience. Note: Only e-mail enabled groups and users can be used for scoped templates.

We know this can be a lot to absorb, and we are here to help! Engage with us on Yammer, Twitter or send us an e-mail to askipteam@microsoft.com.

 

Thank you,
Dan Plastina on behalf of our enthusiastic Azure IP team.
Twitter: @DanPlastina
Useful links: aka.ms/DanPlastina (PDF)

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!