Azure Information Protection how to Technical Guide

In this Document I’ll share with you a full How to technical guide for all

Azure Information Protection Features, also I’ll be sharing with you

some tips and Tricks.

About me…

My Name is John Nabil a cloud Guru, also I’m an

Infrastructure System Engineer at LINK Development.

Empowering your organization Productivity and Security

is my responsibility! my scope of expertise in

Enterprise Mobility + Security, Azure Active Directory Premium,

Office365 and Windows 10.

"Passionate about Technology, reading, helping others and

inspiring everyone to achieve more. "

You can reach me out here:

Email: John-nabil@live.com

LinkedIn: https://www.linkedin.com/in/john-nabil-iskander-0b609888

Blog: http://johnnabil.azurewebsites.net/

Mobile: +(2) 01275446259

Contents/ Tables/ Figures

1 CREATE GLOBAL POLICY .................................................................................... 4

1.1.1 Create Global policy Sub-Label ................................................................ 7

2 CREATE SCOPED POLICY .................................................................................... 9

3 CONFIGURE A PROTECTION FOR YOUR LABEL ..................................................... 12

3.1 SET PERMISSIONS ..................................................................................... 12 3.2 SET USER DEFINED PERMISSIONS (PREVIEW) ...................................................... 17 3.3 SELECT A PREDEFINED TEMPLATE ..................................................................... 18

4 AUTOMATIC LABELING YOUR DOCUMENTS AND EMAILS. ...................................... 19

4.1 AUTOMATICALLY LABELING ............................................................................ 19 4.2 RECOMMEND A LABEL TO THE USER. ................................................................. 21 4.3 CUSTOM CONDITIONS ................................................................................. 22

5 CREATE A DEFAULT POLICY APPLIED WITH FILE CREATION. .................................. 24

1 CREATE GLOBAL POLICY

Global Policy is the policy which is Globally published for all the licensed users\groups to user it.

Those are the default Global Policy labels which are (Personal, Public General, Confidential, Highly

confidential).

Now Let’s create new Global Policy Label and name it Contoso Confidential.

1. Click on Add a new Label.

2. This page will appear.

Enabled Click on (On Button) to enable this sub-label.

Label Name enter Label name.

Description enter Label description.

Color choose your desired color to remark this label.

Set Permissions configure your desired protection.

Set visual marking (such as header or footer) This for creating visual marking for the classified document to be visible to the end user.

Configure condition for automatically apply the label This is for custom conditions to

let the label be recommended or automatically applied when it finds any custom condition such as (Credit Card, Financial or Medical confidential information, etc…).

Add notes for the administrator use This is for adding any comments to be appeared

to other admins.

Save after finishing all of the above click save.

3. You’ll be routed to the Global Policy Page to publish the label.

1.1.1 CREATE GLOBAL POLICY SUB-LABEL

This is how to create a Global Policy Sub-Label.

Such as Contoso Confidential\Finance.

1. Right click over Contoso Confidential and choose add a sub-label.

2. This page will appear.

Enabled Click on (On Button) to enable this sub-label.

Label Name enter Label name.

Description enter Label description.

Color choose your desired color to remark this label.

Set Permissions configure your desired protection.

Set visual marking (such as header or footer) This for creating visual marking for the classified document to be visible to the end user.

Configure condition for automatically apply the label This is for custom conditions to let the label be recommended or automatically applied when it finds any custom

condition such as (Credit Card, Financial or Medical confidential information, etc…).

Add notes for the administrator use This is for adding any comments to be appeared to other admins.

Save after finishing all of the above click save.

3. You’ll be routed to the Global Policy Page to publish the Sub-label.

2 CREATE SCOPED POLICY

Scoped Policy is the policy which is published Specifically for specific licensed users\groups to user it.

Such as we need some policies to appear to Marketing team and disappear to HR Team.

1. Open the Scoped Policy by clicking on Scoped Policy on the left.

2. Click on add a new Policy to create a new scoped policy for specific licensed users\groups.

3. Then fill the following.

Policy name enter the scoped policy name.

Policy Description enter the description of the scoped policy. Select which users and groups get this policy choose your licensed users\groups

4. Right Click on any label to create your Scoped Sub-label Policy

5. This page will appear.

Enabled Click on (On Button) to enable this sub-label.

Label Name enter Label name.

Description enter Label description.

Set Permissions configure your desired protection.

Set visual marking (such as header or footer) This for creating visual marking for the

classified document to be visible to the end user.

Configure condition for automatically apply the label This is for custom conditions to

let the label be recommended or automatically applied when it finds any custom condition such as (Credit Card, Financial or Medical confidential information, etc…).

Add notes for the administrator use This is for adding any comments to be appeared

to other admins.

Save after finishing all of the above click save.

6. You’ll be routed to the Global Policy Page to publish the Sub-label.

3 CONFIGURE A PROTECTION FOR YOUR LABEL

In this topic we will create a rights management protection for

Contoso Confidential\Finance Sub-Label.

There will be three types of Azure (Cloud Key) Protection.

1. Set Permissions.

2. Set user defined permissions (Preview). 3. Select a predefined template.

These will be the same steps for creating any protection for any label or any sub-label.

3.1 SET PERMISSIONS

1. Open the Sub-Label Finance to configure its protection.

2. Under set permissions for documents and emails containing this label Click Protect

Then Click on Azure (Cloud Key).

3. The Protection Page will be opened, under the Protection settings choose the option Azure (cloud key) then click on Set Permissions.

4. Under Add permissions Click on Add Permissions.

5. The Add permissions Page will be opened

6. Under Specify users and groups choose Select from the list to specify users inside

your organization. Click Add(Domain Name)(Default Directory-All members to specify all users in your corporate or select browse directory to specify a specific

users\groups.

7. Under Choose permissions from preset choose your required rights protection.

8. Under Specify users and groups click on Enter Details to specify users\groups outside

your organization such as any partner organization you’re sharing your documents with.

9. Under Enter Details you can add your partner organization domain such as Corp.com

then click Add. 10. Under Choose permissions from preset choose your required rights protection.

11. Click Ok

12. Then click on Save.

3.2 SET USER DEFINED PERMISSIONS (PREVIEW)

This feature is for letting your users define their required rights management protection and the people

who will be granted the access to their protected files.

Note: this protection will be configured from the client.

1. We will repeat the same 1 to 2 steps included in 3.1 set permissions.

2. The Protection Page will be opened, under the Protection settings choose the option Azure (cloud key) then click on Set User defined permission (PREVIEW).

3. Mark on the bellowed two check boxes.

4. In Outlook apply don’t forward. 5. In word, Excel, PowerPoint and file explorer prompt user for custom permissions.

6. Click Ok.

Note: in Set user defined permission the available protection for outlook is Don’t forward only.

3.3 SELECT A PREDEFINED TEMPLATE

In this part you will use predefined templates that you configured before such as the templates from the

Azure RMS that configured from azure classic portal.

1. We will repeat the same 1 to 2 steps included in section 3.1 set permissions part. 2. The Protection Page will be opened, under the Protection settings choose the option

Azure (cloud key) then click on Select a predefined template. 3. Choose from the dropdown list your desired predefined template.

4. Click Ok. 5. Click Save.

6. Click Publish.

4 AUTOMATIC LABELING YOUR DOCUMENTS AND EMAILS.

In this part I will be talking about labeling your Docs\emails automatically or by showing a

recommendation to the user.

4.1 AUTOMATICALLY LABELING

In this Section I will be showing you how to automatically label any document by finding any confidential

information such as credit cards.

1. Open any label you want in our case I’ll open Contoso Confidential.

2. Then Under Configure conditions for automatically applying this label, click on

add new condition

3. Under choose the type of conditions click on Information Types then choose your

category under choose an industry which will be All, Financial, Medical and Health and Privacy.

4. In our case we will choose financial the search for credit card and choose it. 5. In Minimum number of occurrence let it be 1.

6. Leave count occurrences with unique values only to be off

7. Click Save.

8. Under Configure conditions for automatically applying this label you will find Select how this label is applied click on Automatic then under Add policy tip describing to

users the reason for applying this label enter your description.

9. Click Save. 10. Click Publish.

4.2 RECOMMEND A LABEL TO THE USER.

In this Section I will be showing you how to recommend a label for any document by finding any

confidential information such as credit cards.

1. We will repeat the same 1 to 7 steps included in 4.1 Automatically labeling. 2. Under Configure conditions for automatically applying this label you will find Select

how this label is applied click on Recommended then under Add policy tip describing to users the reason for applying this label enter your description.

3. Click Save.

4. Click Publish.

4.3 CUSTOM CONDITIONS

In this Section I will be showing you how to recommend or automatically label any document by finding

any custom confidential information which doesn’t exist in the Azure Information Protection built in

conditions such as any sequence like that:

AA26734.

BC26374.

Or any specific words such as:

Confidential.

Salaries. Passport.

1. We will repeat the same 1 to 3 steps included in 4.1 Automatically labeling. 2. Under choose the type of conditions click on Custom Then Under the Name enter

your condition name in our case will be Employees ID. 3. Under Match exact phrase or pattern we can put a specific word as a condition or a

pattern to generate this label, in our case will be a pattern which is Employee ID

(Two Characters (A-Z) Followed by 6 Digit number) for example AP157483. so I’ll put this regular Expression function: [A-Z]{2}\d{6}

4. Let match as a regular expression be On. 5. Let match with case sensitivity be Off.

6. Minimum number of occurrence let it be 1. 7. Let count occurrences with unique values only be Off.

8. Click Save. 9. Click Save.

10. Click Publish.

For Regular Expression references:

Learn more from here: http://bit.ly/2yS2WI5

Test your Regular Expression from here: http://bit.ly/1HOMZBx

5 CREATE A DEFAULT POLICY APPLIED WITH FILE CREATION.

In this section I’ll share with you how to make a default policy which will be automatically applied when

we create any File or email.

1. Open Global Policy Page.

2. Under Configure settings to display and apply on Information Protection end users. 3. Under Title let it be Sensitivity.

4. Under Tooltip let it be the same description that already written.

5. Under Select the Default label click on the dropdown list and choose your default label for any document or email which will be General in our case.

6. Under all documents and emails must have a label let it be On. 7. Under users must provide justification to set a lower classification label, remove a

label or remove protection let it be On. 8. Under for emails messages with attachments apply a label that matches the highest

classification of those attachments let it be On. 9. Under Display the information protection bar in office apps let it be On.

10. Under Add don’t forward button to the outlook ribbon let it be On.

11. Under Make the custom permissions option available for users let it be Off. 12. Under Provide a custom URL for the Azure Information Protection Client “tell me

more” enter a web page URL that help your users to use the AIP client.