Azure Information Protection (AIP) labeling, classification, and protection. (2023)

Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels.

For example, your admin could set up a tag with rules that recognize sensitive data like credit card information. In this case, any user storing credit card information in a Word file can see a tooltip at the top of the document with a recommendation to apply the relevant tag for that scenario.

labels canclassify, and optionalprotectionYour documents so you can:

• monitoring and controlhow your content is used
• Analyze data streamsfor information about your company- Identify risky behaviorand take corrective action
• Track access to documentsand prevent data leakage or misuse
• And more ...

How labels apply classification with AIP

Tagging your content with AIP includes:

• classificationthat can be recognized regardless of where the data is stored or with whom it is shared.
• visual markerssuch as headers, footers or watermarks.
• metadata, added in plain text to files and email headers. Plaintext metadata ensures that other services can recognize the classification and take appropriate action

For example, in the image below, the label has classified an email message asGenerally:

In this example, the tag is also:

• Added footerSensitivity: generalfor email. This footer is a visual cue to all recipients that this is general business data and shouldn't be sent outside your organization.
• Embedded metadata in email headers. The header allows email services to review the label and theoretically create an audit record or prevent it from being sent out of the organization.

Tags can be applied automatically by admins using rules and conditions, manually by users, or using a combination where admins define the recommendations users see.

How AIP protects your data

Azure Information Protection USA elService Azure Rights Management (Azure RMS)to protect your data.

Azure RMS is integrated with other Microsoft cloud applications and services such as Office 365 and Azure Active Directory, and can also be used with proprietary and third-party information protection applications and solutions. Azure RMS works with on-premises and cloud solutions.

Azure RMS uses encryption, identity, and authorization policies. As with AIP tags, the protection applied with Azure RMS persists across documents and emails, regardless of the location of the document or email, giving you control over your content even when it's shared with others.

Protection settings can be:

• Part of your label setup, allowing users to classify and protect documents and emails simply by attaching a label.

• used alone, from applications and services that support protection but not labeling.

  For applications and services that only support protection, the protection settings are used asRights management templates.

For example, you might want to set up a sales forecast report or spreadsheet so only people in your organization can access it. In this case, you would apply protection settings to control whether this document can be edited, make it read-only, or prevent printing.

Emails can have similar protection settings to prevent them from being forwarded or use the Reply All option.

Rights management templates

Once the Azure Rights Management service is activated, two default rights management templates are available to restrict data access to users in your organization. Use these templates out of the box or define your own protection settings to apply more restrictive controls to new templates.

Rights Management templates can be used with any application or service that supports Azure Rights Management.

The following image shows an example from the Exchange admin center where you can configure Exchange Online mail flow rules to use RMS templates:

For more information, seeWhat is Azure Rights Management?

AIP and end-user integration for documents and emails

The AIP client installs the information protection bar in Office applications and allows end users to integrate the AIP into their documents and emails.

For example in Excel:

While labels can be automatically applied to documents and emails to take the guesswork out of users or to comply with an organization's policies, the Information Protection Bar allows end users to select labels and apply the classification themselves.

In addition, the AIP client allows users to classify and protect additional file types or multiple files at once from the Windows File Explorer context menu. For example:

Öclassify and protectThe menu option works similar to the info tag bar in Office apps, allowing users to select a label or set custom permissions.

Users and administrators can use document tracking pages to monitor protected documents and who is accessing them and when. If they suspect abuse, they can also withdraw access to these documents. For example:

Additional email integration

Using AIP with Exchange Online gives you the added benefit of sending protected email to any user, safe in the knowledge that they can read it on any device.

For example, you may need to send sensitive information to private email addresses with aGmail,hot mail, ÖMicrosoftaccount or for users who don't have an Office 365 or Azure AD account. These emails must be encrypted at rest and in transit, and only the original recipients are allowed to read them.

This scenario requiresOffice 365 message encryption capabilities. If recipients cannot open the protected email in their built-in email client, they can use a one-time password to read the sensitive information in a browser.

For example, a Gmail user sees the following message in an incoming email message:

For the user sending the email, the required actions are the same as for sending a protected email to a user in your own organization. For example, choose theDon't resendButton that the AIP client can add to the Outlook ribbon.

Alternative,Don't resendThe functionality can be embedded in a label that users can choose to classify and protect that email. For example:

Admins can also automatically protect users by configuring mail flow rules that enforce rights protection.

All Office documents attached to these emails are also automatically protected.

Scan existing content to classify and protect it

Ideally, tag documents and emails as they are created. However, you probably have many existing documents stored locally or in the cloud and you want to classify and protect them as well.

Use one of the following methods to classify and protect existing content:

• local memory: Use theAzure Information Protection-Scannerto discover, classify and protect documents on network shares and Microsoft SharePoint Server sites and libraries.

  The scanner runs as a service on Windows Server and uses the same policy rules to detect sensitive information and apply specific tags to documents.

  Alternatively, use the scanner to assign a default label to all documents in a repository without checking the file content. Only use the scanner in report mode to discover sensitive information you may not know you have.

• cloud data storage: UseMicrosoft Defender for cloud applicationsto apply your labels to documents in Box, SharePoint and OneDrive. For a tutorial seeApply Azure Information Protection classification labels automatically

Next Steps

Set up Azure Information Protection and see for yourself with our quickstart guides and tutorials:

• Quickstart: Deploy the Unified Labeling client
• Tutorial: Install the Azure Information Protection (AIP) unified labeling scanner.
• Tutorial: Find your sensitive content with the Azure Information Protection (AIP) scanner
• Tutorial: Prevent over-sharing in Outlook using Azure Information Protection (AIP)

When you're ready to implement this service in your organization, go toinstructions.