S for Security in EMS – Azure Information Protection

Julian Rasmussen

Even tho Azure Information Protection is included within the EMS package i would recomend using the Office 365 Unified Labeling insted.

Those labels which can be eather Sensitivity or Retention labels and capabilities comes with in the Office 365 E3 or Office 365 E5 license.

Why should you use Unified labels you say?

Well, in my opinion you should keep it as simple as posible for your users therefore by embracing the Unified labels within Office 365 users don`t have to think about using a labeling client to manage their labels. Unified labels are built into Office applications both web and installed ones and also embeded into the mobile applications. That meaning users can label on any device with application.

When using Azure Information Protection internal IT department of your company need to roll out the AIP Client to all machines and drawbacks here is that web applications and mobile applications are not eligable for this client.

So!

Start with creating some labels from Security & Compliance center and play arround crating watermarks, encryption and deploy to test users at first to be able to test your policies.

Head into https://protection.office.com/ and navigate to “Classifications -> Sensitivity labels” and from her create a new label

CD Home Alerts Permissions — Classification Sensitivity labels Retention labels Sensitive info types https://protection.office.com/sensitivity?viewid=sensitivitylabels Office 365 Security & Compliance Home > sensitivity Labels Label policies Sensitivity labels are used to classify email messages, documents, sites, and more. encrypt files, add content marking, and control user access to specific sites. Learn + Create a label Publish labels C) Refresh Name Classified - Web only from not compliant clients Highly classified - Block access from not compliant devices

Follow through with the wizard

New sensitivity label o o o o o Name & description Encryption Content marking Endpoint data loss prevention Site and group settings Auto-labeling for Office apps Review your settings Name your label The protection settings you choose for this label will be immediately enforced on the files, email messages or sites to which it's applied. Labeled files will be protected wherever they go, whether they're saved in the cloud or downloaded to a computer. Name Classified Tooltip Enter text that helps users understand this label's purpose Description Enter a description that's helpful for admins who will manage this label

And when going through the Wizard you need to take some descisions on what the policy should do.

  • Encryption
    • Yes or no and what permissions should be set automatically to your files.
    • Should the access to the file expire on a givven date or days after encryption
    • Allow offline access to files could be convenient for some.
  • Should the content be watermarked?
  • Add DLP policy from the Entpoint (Windows Information protection WIP).
  • Use this label to protect Office365 groups (Teams and SharePoint sites also)
    • Here you can choose if the created SharePoint site, Teams or Office 365 Group should be have restricted access from unmanaged devices and such.
  • Use Autolable based on conditions
    • This feature require E5
    • You can automatically lable documents with for example Norwegian passport number is written in a document.

Thats it! You have created your first label – quite easy.

But before going big-scale you need to evaluate how your company should label documents. General, Confidential, Higly confidential and so on.

My best tip there is to create a table on the labels you think you need and describe the “rules” of when to apply the labels. Like financial data should maybe be labels highly confidential while some company flyers should have “General”.

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Related Posts