Azure Information Protection: Office application prompt for privacy notice

Microsoft shows a notice to end users who have Azure Information Protection enabled and a policy assigned to them. It does not matter whether you are on Azure Information Protection Classic or Unified Labeling.

When you first launch or relaunch your Office application, you will get this notice.

The privacy notice looks like the one below:

aOSKL 2019: My First Ever Workshop – Coming Soon

I am glad to have been accepted again for this aOSKL event, but there is a challenge to it: it is a workshop, two hours of workshop. Am I going to just read through slides? (That would be so boring... duhhh.) What will my workshop consist of? Well, are you interested to know? Come register and join my workshop! Seats are limited, first come first served.

“Sabrina Kay always hungers for challenges!”

Here is the link to aOSKL 2019, to help you find out more about what this event has to offer 🙂

 

Differences between the AzInfoProtection and AzInfoProtection_UL client applications

When it was announced that unified labeling is no longer in preview, a new client application called AzInfoProtection_UL arrived with it; you can find the download link in the references at the end of this post. There is also a preview application called AzInfoProtection_UL_Preview.

Before unified labeling, the only client application for Azure Information Protection was AzInfoProtection (the Classic client). So what is so different about them? Before we jump into the differences, let’s understand what each one is.

Classic client

Azure Information Protection is an enhancement of Rights Management, and it is managed from the Azure portal. If you need the scanner or HYOK (hold your own key) protection, then you install the AzInfoProtection.exe (user-profile-based installer) or AzInfoProtection_MSI_for_central_deployment (system installer) client application.

Classic client (screenshots)
This part shows the Azure labels together with the Office 365 sensitivity labels; “DLP View Only”, for example, is a custom label created in Office 365.

 

Unified labeling

Azure Information Protection with Unified Labeling was announced somewhere around June or July 2019. Unified Labeling means that your labels can be managed either from the Azure portal or from the Office 365 Security and Compliance portal. This feature is enabled by default. You can migrate your labels from Azure to Office 365 Security and Compliance. Unified Labeling supports more Office 365 products, such as Microsoft Teams. If you do not need HYOK (hold your own key) protection or the scanner, then you install the AzInfoProtection_UL.exe (user profile) or AzInfoProtection_UL_MSI_for_central_deployment (system installer) client application.

This is how it looks after the first install; notice the icon is different.
Select the “Sensitivity” icon and click “Show Bar”.
These are my Office 365 sensitivity labels.

If you would like to deep-dive into the comparison of these two applications, here is a helpful link.

 

References:

  1. https://www.microsoft.com/en-us/download/details.aspx?id=53018
  2. https://docs.microsoft.com/en-us/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history

 

Azure Community Singapore First Live YouTube Video! Topic: Azure Information Protection and Azure Sphere

Good day everyone! Keep staying positive even when the day is bad. I have been a community member of Azure Community Singapore since July or August 2019, and this community is not just about answering questions: it has a monthly speaking meetup, and yea, I joined. I was like, “Yea, I would like to join and share about Information Protection.” However, the downside is that I can’t travel to Singapore every month just for this speaking meetup. We discussed and discussed and reached an end result: “let’s try doing it as YouTube Live!”.

The community set up 2 sessions, Azure Information Protection by Sabrina Kay and Azure Sphere by Snake Chia.

We went through two rehearsals after working hours. The first rehearsal was to test how we could do YouTube Live with multiple users; we faced challenges like internet congestion and delay, and tried implementing QoS on the machine in the hope of improving connectivity and communication. In the last rehearsal, we did a dry run, getting the timeline and the order of switching speakers right and making sure everything was fine. Thanks for pulling these rehearsals together.

The first YouTube Live is at the link just below:

[September 2019 Meetup] Azure Information Protection and Azure Sphere

Thanks, Marvin Heng, Goh Chun Lin, and Snake Chia! 🙂

PowerShell: Goodbye old Azure Rights Management module

Today I decided to say goodbye to a PowerShell module named Azure Rights Management, AADRM for short. Why? If you remember or read my old blog post about Rights Management in Azure, then you know why I am saying goodbye to it. Remember the old Azure portal? https://manage.windowsazure.com

Before saying goodbye, I was glad to have experienced this generation of Azure Rights Management in 2017, and seeing its improvement and growth makes me happy. Now I am moving forward to the AIPService module, for the new Rights Management named “Azure Information Protection”. AADRM end-of-life is in July 2020. During my first experience with AADRM, it was quite complicated to understand and manage, because its commands differed from what I usually do.

Alright, to install the AIPService module, what should you do first? If you already have AADRM installed, you have to uninstall it via PowerShell run as Administrator. If you try to install the AIPService module before uninstalling AADRM, it will give you an error saying “You already have the following commands ‘Get-AADRM and etc…’”.

This new AIPService module contains the new AIPService commands, and don’t worry, it still has the AADRM commands.

If you happen to have MFA enabled, both the AADRM module and the new AIPService module support it.
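The module swap described above, as an added example that is not part of the original post: it removes AADRM before installing AIPService (the ordering the error message enforces), then checks that both the new cmdlet names and the legacy AADRM names resolve. It assumes an elevated session with PowerShellGet available.

```powershell
# Added example: replace the retired AADRM module with AIPService.
# AADRM must be removed first, otherwise Install-Module refuses because the
# command names already exist (the error the post quotes).
#Requires -RunAsAdministrator

# 1. If the old module is present, remove every installed version of it.
$old = Get-Module -ListAvailable -Name AADRM
if ($old) {
    Write-Host "Removing AADRM version(s): $($old.Version -join ', ')"
    Uninstall-Module -Name AADRM -AllVersions -Force
}

# 2. Install the replacement module from the PowerShell Gallery, then load it.
if (-not (Get-Module -ListAvailable -Name AIPService)) {
    Install-Module -Name AIPService -Force
}
Import-Module AIPService

# 3. Confirm the new cmdlets are there and that the backward-compatible
#    AADRM names are still available (the module ships them as aliases).
$aipCmds  = Get-Command -Module AIPService -Name '*-AipService*'
$aadrmOld = Get-Alias | Where-Object { $_.Name -like '*Aadrm*' }
Write-Host "AIPService cmdlets: $($aipCmds.Count); legacy AADRM names: $($aadrmOld.Count)"

# 4. Sign in (an MFA prompt appears if the account requires it) and show
#    whether the protection service is activated for the tenant.
Connect-AipService
Get-AipService
```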

 

 

Azure Information Protection and Unified Labeling (No longer in Preview)

This post has been sitting in my drafts; I just had too much to handle these few months, and I am terribly embarrassed about holding this post in draft. *Gomeinasai*

In the last few weeks, I noticed that there is a new version of the Azure Information Protection client, released on 14th July 2019, stating that it comes with unified labeling. I was slightly surprised: “Is it true that unified labeling is no longer in preview mode?”

Before it was announced that it is no longer in preview mode, I had to do the manual integration, and it would cause the Security and Compliance Data Leak Protection policy to crash in the GUI. I had to use a force command to remove the Data Leak Protection policy via PowerShell.

The manual integration involves SharePoint settings, Security and Compliance, and Azure Information Protection. It may work in theory, but technically it did not work that well for me. Well, it was a tough experience, but good to have gone through it.

I tried many ways to get it working, but it would crash. The “Updating…” status would just stay there for more than 48 hours! *faint*

Anyway, it is good to know that unified labeling is no longer in preview mode. You can manage your labeling in Security and Compliance too by migrating the Azure Information Protection (AIP) labels. Just make sure there are no duplicate labels in Security and Compliance before migrating.

 

Azure Information Protection: Install Azure Information Protection Application for Windows Client

If your Windows client is joined to the domain and has limited privileges to download software or applications, you will need a local administrator or an administrator account to proceed with these changes.

Requirements

  1. Supported Windows
  2. Supported Office Application
  3. The Internet
  4. Browser

Step-by-Step

  1. Browse to Microsoft Download
  2. Once you have finished downloading, double-click the installer
  3. Select “I agree”
  4. Select “Close” once completed
  5. You will find the Azure Information Protection Viewer application installed, and your Office applications show the Azure Information Protection labels too
  6. Select Start or the Windows button to find it

 

There is another way to have this installed in the client’s device that is joined to the domain, which is through GPO (Group Policy Management).
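For a domain-joined client where nobody is at the console to click through the installer, the install above can be driven from a script. This added example (not part of the original post) checks the downloaded installer’s Authenticode signature before installing it silently, then verifies the client’s PowerShell module is present; the installer file name and download location are assumptions.

```powershell
# Added example: verify and silently install the AIP client from a script.
# Assumption: the installer was downloaded to the user's Downloads folder;
# the MSI for central deployment works the same way through msiexec.
$installer = Join-Path $env:USERPROFILE 'Downloads\AzInfoProtection_UL.exe'
$log       = Join-Path $env:TEMP 'AIP_install.log'

if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

# 1. Refuse anything that is not validly signed by Microsoft. A tampered or
#    swapped download fails here instead of being run with admin rights.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to install: status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

# 2. Install without prompts. The MSI goes through msiexec with a verbose log;
#    the .exe installer accepts /quiet.
if ($installer -like '*.msi') {
    $args = "/i `"$installer`" /qn /norestart /l*v `"$log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
} else {
    $proc = Start-Process -FilePath $installer -ArgumentList '/quiet' -Wait -PassThru
}
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode); see $log" }

# 3. The client registers the AzureInformationProtection module; report its version.
$mod = Get-Module -ListAvailable -Name AzureInformationProtection
if ($mod) { Write-Host "AIP client module $($mod.Version) installed" }
else      { Write-Warning "AzureInformationProtection module not found after install" }
```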

Azure Information Protection: Overview Default labels on Office application

I am using Office ProPlus on Windows 10 Pro. AIP stands for Azure Information Protection, and I will use the term AIP throughout this post. Make sure AIP is enabled on the Global administrator side.

If you are wondering, “Hey, I do not want my users to have the privilege to uninstall the AIP application from their devices”, well, I will explain more in the next post 🙂 !

Requirements

  1. An Office 365 account
  2. Supporting Office 365 License
  3. Supporting Windows Client/Server
  4. Azure Information Protection Application

Just to show you how the labels look for each Office application (Outlook, Word, PowerPoint, and Excel):

Outlook without AIP (screenshot)

Outlook with AIP (screenshot)

Word without AIP (screenshot)

Word with AIP (screenshot)

Excel without AIP (screenshot)

Excel with AIP (screenshot)

PowerPoint without AIP (screenshot)

PowerPoint with AIP (screenshot)

Cloud App Security: Scan and Track Azure Information Protected attachments

You can talk to your license vendor about purchasing cloud app security.

*Note:

  • Make sure you have Azure Information Protection and a File policy enabled to proceed with this task
  • Make sure you have an App connector ready too

Once your file policy is enabled and ready, you must configure some settings to allow Cloud App Security to scan protected files.

So let’s enable the scan for protected attachments:

  1. Go to the Cloud App Security portal
  2. Select the settings icon on the top right, then select Settings
  3. In the sidebar, under the “Information Protection” category, select “Azure Information Protection”
  4. Here you will see two options for how you want Cloud App Security to scan your AIP files
    • You can have either one selected, or both
    • The first one scans only NEW AIP files
    • The second one scans only AIP files that are not set by an external tenant
  5. Once this is enabled, Cloud App Security will take less than 5 minutes to scan AIP attachments
  6. Currently, I have an attachment with AIP applied, and Cloud App Security is able to detect it. The screenshot below shows only the summary of the investigation of the file.
  7. To dig into a deeper view of this file’s investigation, etc., select the icon beside the file.
  8. It will then expand with a list of options for you to choose from to dig deeper

 

I would say it is indeed fascinating to see such a wonderful view of the deeper results for a file. FYI, I didn’t set up any File Policy for Cloud App Security to detect the AIP attachment; this all comes purely from the Cloud App Security settings.

 

 

 

Get-AIPFileStatus Script for users

Just had a thought about how to extract the AIP file status from storage via PowerShell scripting. Hope this helps. Do leave comments if you find anything faulty, or anything else.

*Note:

  1. This script isn’t limited to what it does here; you could modify it.

 

Assumptions:

  1. The AADRM module is installed
  2. The execution policy has been modified
  3. PowerShell 3.0 or above, or the Azure PowerShell console

Below is the script:

#Purpose: To export data of AIP labelled files from users' devices
#You can run this through a GPO, but beware of the risks: there is a 50-50 chance it works as-is
#If you want to run this in a GPO, you have to modify this script (the Read-Host prompts need a user at the console)

#Connect to the AADRM service. Connect-AADRMService writes nothing to the pipeline,
#so a failed sign-in is caught as a terminating error instead of being tested as a return value
try {
    Connect-AADRMService -ErrorAction Stop
    $AADRM = $true
}
catch {
    $AADRM = $false
}

if ($AADRM) {
    #Please enter the path
    $ReadPath = (Read-Host -Prompt "Enter Path that you wish to check").ToString()
    #Keep only the files that carry a label; @() makes .Count safe when 0 or 1 files come back
    $AIPFileStatus = @(Get-AIPFileStatus -Path "$ReadPath" | Where-Object { $_.IsLabeled -eq $true })

    #Count number of AIP files inside the path
    $CountFile = $AIPFileStatus.Count
    Write-Host "There are total $CountFile AIP File(s)."

    #Prompt for export
    $a = Read-Host -Prompt "Do you want to export this data? (Yes/No)"

    $CurrentDate = (Get-Date).ToString('MM-dd-yyyy_hh-mm-ss')

    #-eq is case-insensitive in PowerShell, so "Yes", "yes" and "YES" all match
    if ($a -eq "Yes") {
        #-NoTypeInformation drops the "#TYPE" header line that otherwise confuses Excel and other CSV readers
        $AIPFileStatus | Export-Csv -NoTypeInformation -Path "AIPFileStatus_$CurrentDate.csv"
        Write-Host "Successfully Exported!"
    }
    else {
        Write-Host "End..."
    }
}
else {
    Write-Host "Fail to connect"
}
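Going one step beyond the script above, this added example (not part of the original post) turns the same Get-AIPFileStatus output into a per-label summary and lists files that are labeled but carry no RMS protection, which is a classification with nothing enforcing it. It assumes the AIP client PowerShell module is installed and uses the IsLabeled, IsRMSProtected, MainLabelName, SubLabelName, FileName and LabelDate properties that Get-AIPFileStatus emits.

```powershell
# Added example: per-label report of AIP file status for a folder, flagging
# labeled files that have no RMS protection.
# Assumption: the AIP client module (Get-AIPFileStatus) is installed.
param([string]$Path = (Read-Host -Prompt 'Enter Path that you wish to check'))

$status  = @(Get-AIPFileStatus -Path $Path)
$labeled = @($status | Where-Object { $_.IsLabeled -eq $true })
Write-Host "$($status.Count) file(s) scanned, $($labeled.Count) labeled."

# Per-label counts, with how many of each are actually RMS-protected
$summary = $labeled | Group-Object -Property MainLabelName | ForEach-Object {
    [pscustomobject]@{
        Label     = $_.Name
        Files     = $_.Count
        Protected = @($_.Group | Where-Object { $_.IsRMSProtected -eq $true }).Count
    }
} | Sort-Object -Property Files -Descending
$summary | Format-Table -AutoSize

# Labeled but unprotected files are the ones worth a second look:
# the label says "sensitive" but nothing stops the file being opened anywhere
$unprotected = @($labeled | Where-Object { $_.IsRMSProtected -ne $true } |
    Select-Object FileName, MainLabelName, SubLabelName, LabelDate)
Write-Host "$($unprotected.Count) labeled file(s) without RMS protection."
$unprotected | Format-Table -AutoSize

# Export both views with the same timestamp format the original script uses
$stamp = (Get-Date).ToString('MM-dd-yyyy_hh-mm-ss')
$summary     | Export-Csv -NoTypeInformation -Path "AIPLabelSummary_$stamp.csv"
$unprotected | Export-Csv -NoTypeInformation -Path "AIPUnprotected_$stamp.csv"
```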