Cloud App Security: Scan and Track Azure Information Protected attachments

You can talk to your license vendor about purchasing cloud app security.

*Note:

  • Make sure you have Azure Information Protection and a File policy enabled to proceed with this task
  • Make sure you have an App connector ready too

Once your file policy is enabled and ready, you must configure a few settings to allow Cloud App Security to scan protected files.

So let's enable the scan for protected attachments:

  1. Go to the Cloud App Security portal
  2. Select the settings icon on the top right, then select Settings


3. In the sidebar, under the "Information Protection" category, select "Azure Information Protection"


4. Here you will see two options for how you want Cloud App Security to scan your AIP files

  • You can select either one or both
  • The first one scans only NEW AIP files
  • The second one scans only AIP files that were not protected by an external tenant


5. Once this is enabled, Cloud App Security will take less than 5 minutes to scan AIP attachments

6. Currently, I have an attachment with AIP applied, and Cloud App Security is able to detect it. Below is an example; this is only the summary of the investigation of the file.

7. To dig deeper into this file's investigation, select the icon beside the file.

8. It will then expand with a list of options for you to choose from to dig deeper


I would say it is indeed fascinating to see such a wonderful view of the deeper results of a file. FYI, I didn't set up any File Policy so that Cloud App Security could detect AIP attachments. These are all purely from the Cloud App Security settings.


Get-AIPFileStatus Script for users

I was just thinking about how to extract the AIP file status from storage via PowerShell scripting. Hope this helps. Do leave comments if you find something faulty or otherwise.

*Note:

  1. This script isn't limited to what it does here; you can modify it.

Assumptions:

  1. The AADRM module is installed
  2. The execution policy has been modified
  3. PowerShell 3.0 or above, or the Azure PowerShell console

Below is the script:

#Purpose: export data about AIP-labelled files from users' devices
#You can deploy this through a GPO, but be aware of the risks and that it may not work in every environment
#If you want to run this from a GPO, you have to modify this script (it prompts interactively)

#Connect to the AADRM service; the cmdlet throws on failure, so catch the error instead of testing its output
try {
 Connect-AadrmService -ErrorAction Stop
}
catch {
 Write-Host "Fail to connect: $($_.Exception.Message)"
 return
}

#Prompt for the path to check and make sure it exists before scanning
$ReadPath = Read-Host -Prompt "Enter Path that you wish to check"
if (-not (Test-Path -Path $ReadPath)) {
 Write-Host "Path not found: $ReadPath"
 return
}

#Keep only files that carry an AIP label; @() forces an array so .Count also works for 0 or 1 result
$AIPFileStatus = @(Get-AIPFileStatus -Path $ReadPath | Where-Object { $_.IsLabeled -eq $true })

#Count number of AIP files inside the path
$CountFile = $AIPFileStatus.Count
Write-Host "There are total $CountFile AIP File(s)."

#Prompt for export (-eq is case-insensitive in PowerShell, so "yes" and "Yes" both match)
$a = Read-Host -Prompt "Do you want to export this data? (Yes/No)"

#Timestamp for the export file name (24-hour clock so two exports never collide)
$CurrentDate = (Get-Date).ToString('MM-dd-yyyy_HH-mm-ss')

if ($a -eq "Yes") {
 $AIPFileStatus | Export-Csv -Path "AIPFileStatus_$CurrentDate.csv" -NoTypeInformation
 Write-Host "Successfully Exported!"
}
else {
 Write-Host "End..."
}
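The script above only counts labelled files. As an added example (not part of the original post), the inventory below goes one step further: it separates files that are merely classified from files that are also RMS-protected, and lists Office/PDF files that carry no label at all, which is what a defender reviewing a share would want to see first. It assumes the AzureInformationProtection client module that provides Get-AIPFileStatus is installed and that its output exposes the standard IsLabeled, IsRMSProtected, MainLabelName, SubLabelName and FileName properties; $ScanPath and $SensitiveExtensions are placeholder values for your environment.

```powershell
#Added example, not from the original post. Assumes Get-AIPFileStatus (AzureInformationProtection
#client module) and its standard output properties. $ScanPath/$SensitiveExtensions are assumptions.
param(
    [string]$ScanPath = "C:\Data",
    [string[]]$SensitiveExtensions = @(".docx", ".xlsx", ".pptx", ".pdf")
)

function Get-AIPLabelInventory {
    param([string]$Path)
    #Get-AIPFileStatus walks the folder recursively and returns one object per file
    $Status    = @(Get-AIPFileStatus -Path $Path)
    $Labeled   = @($Status | Where-Object { $_.IsLabeled -eq $true })
    #Labelled AND protected: the content is encrypted and access is enforced by RMS
    $Protected = @($Labeled | Where-Object { $_.IsRMSProtected -eq $true })
    #Labelled but NOT protected: classification only, the file is still readable by anyone who has it
    $LabelOnly = @($Labeled | Where-Object { $_.IsRMSProtected -ne $true })
    #Unlabelled files with sensitive-looking extensions are the review queue for a defender
    $Unlabeled = @($Status | Where-Object {
        $_.IsLabeled -ne $true -and
        $SensitiveExtensions -contains [System.IO.Path]::GetExtension($_.FileName).ToLower()
    })

    [pscustomobject]@{
        TotalFiles         = $Status.Count
        Labeled            = $Labeled.Count
        RMSProtected       = $Protected.Count
        LabelOnly          = $LabelOnly.Count
        UnlabeledSensitive = $Unlabeled.Count
        #Breakdown per label (parent label + sub-label) so you can see which labels are actually in use
        ByLabel            = $Labeled | Group-Object MainLabelName, SubLabelName | Select-Object Name, Count
        UnlabeledFiles     = $Unlabeled | Select-Object -ExpandProperty FileName
    }
}

$Inventory = Get-AIPLabelInventory -Path $ScanPath
$Inventory | Select-Object TotalFiles, Labeled, RMSProtected, LabelOnly, UnlabeledSensitive | Format-List
"Files per label:"
$Inventory.ByLabel | Format-Table -AutoSize
"Unlabelled files with sensitive extensions:"
$Inventory.UnlabeledFiles
```

Run it after Connect-AadrmService as in the script above; the LabelOnly count is the one to watch, since those files look protected to a casual user but are not.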

Microsoft RMS: What is the difference between Information Rights Management and Azure Information Protection?

RMS – Rights Management Service

Rights Management is a protection mechanism that uses encryption, identity and authentication to protect your emails and documents from unauthorized access. Imagine that your emails and documents are the hamster and Rights Management is the hamster's protective ball: the hamster is inside the ball, and if you are not the owner of the hamster and you wish to touch it, I doubt it won't bite you.

Cute and feisty hamster in a ball (from movie Bolt)

IRM- Information Rights Management

IRM stands for Information Rights Management/Azure Rights Management; let's talk about the history of IRM.

IRM is the older version of RMS; you could only find it in the Office 365 portal, and now that AIP is available, IRM has become a component within AIP. I think Microsoft has plans to slowly decommission/move away from IRM, because I've noticed that the usual method of modifying IRM templates has been closed since January 2018. The usual method to modify IRM templates was from the old Microsoft Azure portal. Now the only way to modify the templates is through PowerShell.

Anyway, it also has its own separate activation via the GUI:

  1. For Exchange Online IRM, activate it from Office 365 portal > Admin > Settings > Services & add-ins > Rights Management/Azure Information Protection
  2. For SharePoint Online, activate it from Office 365 portal > Admin > Admin center > SharePoint > Settings > select "Use the IRM service specified in your organization" > Refresh IRM settings

Or you could just use PowerShell to activate IRM (make sure you have all the requirements ready):

  1. Connect to the AADRM service
  2. Type "Enable-Aadrm" in PowerShell

Yeah, so the steps are actually not brain surgery. What I like about PowerShell is that its code is understandable just by looking at it. If you compare PowerShell and C++, then you know what I mean.

*Note:

  1. IRM can't protect documents that are not from Office apps
  2. IRM doesn't provide much tracking detail for your protected documents
  3. Exchange Online IRM and SharePoint Online IRM have separate IRM management
  4. SharePoint Online IRM is based on a site, not the whole of SharePoint Online
  5. In SharePoint Online IRM, you can apply IRM to a list or library
  6. The GUI can no longer be used to configure IRM templates
  7. IRM needs manual activation
  8. The license required is Microsoft Enterprise E3 or E5
  9. Doesn't support mobile
  10. Longer propagation to end users (may take up to 2 hours; the same goes for DLP labeling)
  11. End users have to select "Connect to Rights Management" in Outlook


AIP – Azure Information Protection

AIP is the new, advanced technology/mechanism of RMS; it breaks through the limitations of IRM's capabilities. You can only see and manage AIP in the Microsoft Azure portal (yes, you can still see it as an "Advanced feature" under Services & add-ins in the Office 365 portal). The capability of AIP, I can tell you, is quite mind-blowing for me. It combines IRM and DLP's sensitive information mechanism to produce an advanced method of protecting data.

To understand how to use AIP (this is how I understand it, and I hope it helps you too), you must understand the 6 major points of deploying and implementing AIP:

  1. Label – parent label or sub-label?
  2. Permission – view only? Read only?
  3. DLP sensitive information – trigger the label automatically?
  4. Apply to – Sales department? External parties?
  5. Policy – who will hold this label as admin?
  6. Label admin – Sales admin holds this label as admin

The minor points would be the notification, policy tips, access expiration date and so on.

Sadly, AIP doesn't provide the capability to prevent data leaks. Wait! Why not integrate AIP with DLP's block policy function? Yes, you could do that, and that is what Microsoft recommends. DLP is Data Leak Protection (requires a Microsoft Enterprise E3 or E5 license).

At minimum you could get an AIP Plan 1 license for your global admins and users so they have permission to use AIP. Once you buy the AIP license and apply it, AIP will automatically activate for your organization (Exchange Online, OneDrive and SharePoint Online). (Chill, this won't impact your users yet.)

*Note:

  1. AIP can be applied to non-Office app documents too
  2. AIP users need an AIP application installed on their devices for it to be visible and usable (PC or mobile or both; you could use Intune to push the application executable through an Intune policy and then force-apply the policy to users' devices, just make sure the users' devices are Intune managed)
  3. With AIP, users can track their documents: where each one is, who has it, who opened it, and who tried to access it. The AIP user who applied the AIP label has permission to revoke a user's (or users') access to a document, and can also track when the document was opened, etc.
  4. Faster propagation to end users (less than 5 minutes)
  5. Easy to manage for global admins
  6. A lot more automation actions than IRM


*Note for RMS (IRM & AIP):

  1. Office web apps don't support opening RMS-protected documents
  2. Office web apps don't support applying RMS


Choose either IRM or AIP to deploy. Don't activate both in a production environment!
