Azure Information Protection and Unified Labeling (No longer in Preview)

This post has been in my draft, just got too much to handle this few months and I am terribly embarrassed about holding this post in draft. *Gomeinasai*

Last few weeks, I notice that there is a new Azure Information Protection version of the client, it was released on 14th July 2019, stating that it comes with unified labeling. I was a slight surprise “Is it true? that unified labeling is no longer in preview mode?”.

Capture

Before it was announced that it is no longer in preview mode, I had to do the manual integration and it will cause the Security and Compliance’s Data Leak Protection Policy to crash via GUI. I had to use force command to remove the Data Leak Protection policy, via PowerShell.

Manual integration involving SharePoint settings, Security and Compliance, and Azure Information Protection. However, this may win theoretically but technically is not working that well for me though. Well, it was a tough experience but good to go through it.

I tried many ways to get it working but it will crash. “Updating…” status will just stay there for more than 48 hours! *faint*

Anyway, is good to know that Unified labeling is no longer in preview mode. You can manage your labeling in Security and Compliance too by migrating the Azure Information Protection Labeling (AIP). Just to make sure no duplicates labeling in Security and Compliance before migrating.

 

Azure Information Protection: Install Azure Information Protection Application for Windows Client

If your Windows client is a joined to the domain and has limited privilege, to download software or applications. Thus, requirements a local administrator or an administrator account to proceed with these changes.

Requirements

  1. Supported Windows
  2. Supported Office Application
  3. The Internet
  4. Browers

Step-by-Step

  1. Browse to Microsoft Download
  2. Once you have finish download, double click on the installer
    • az02.png
  3. Select “I agree”
    • az01
  4. Select “close”, once completed
    • az03.png
    • az04.png
  5. You will find the Azure Information Protection Viewer application shown and your office application has the Azure Information Protection labels shown too
  6. Select Start or Windows button
    • az05.PNG

 

There is another way to have this installed in the client’s device that is joined to the domain, which is through GPO (Group Policy Management).

Office 365 Secure Score

office365secure

Security is a Journey

Secure Score is here to help.

Secure Score analyzes your organization’s security based on your regular activities and security settings in Office 365 and then assign a score.

Secure Score also provides you few guidelines on how to meet the score but not all of the score is needed by your organization to meet.

If you like to know how this Secure Score works and calculates, then you could refer to the link below at the “References”.

If you would like to know what are the requirement license to have this Secure Score, then you could refer to the link below at the “References”.

If you have any questions or concerns, then you could drop comments in this blog and I’ll get back to you.

 

*For Your Information

Please try not to modify any default security policies ,else you have no fallback plan.

References:

  1. https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-secure-score

Office 365 Security and Compliance: Data Leak Protection (DLP) & Azure Information Protection (AIP) Integration Unable to delete DLP Policy

Well hello! I’m back, yes I had been very busy last 2 months unable to write any new blog.

So when I was testing and playing with DLP and AIP in my test environment and I had 2 testing integration policy running and I found there was something wrong with my DLP policy and I went to trigger the delete via GUI at Security and Compliance and it basically will change its status to “Deletion pending” state. I know sometime these deletion takes up  to 48 hours. However, it was more than 48 hours and the DLP policy is still showing the status “Deletion pending”.

So its time to use PowerShell to solve this deletion pending problem;

*Take Note;

If you try to run the “Remove-DLPCompliancePolicy” this PowerShell without using the “ForceDeletion” to delete this policy it won’t work and you will return with an error;

#Sample PowerShell
Remove-DlpCompliancePolicy -Identity 58bed0c6-fbf9-41c4-b798-fdec65beae1c

We cannot remove policy ‘TopSecret_policy’ since it is already in pending deletion state.
+ CategoryInfo : InvalidOperation: (:) [Remove-DlpCompliancePolicy], ErrorCannotRemo…PolicyException
+ FullyQualifiedErrorId : [Server=xxxxxxxxxxxxxxx,RequestId=xxxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxxxx5,TimeStamp=4/1/2019
8:26:50 AM] [FailureCategory=Cmdlet-ErrorCannotRemovePendingDeletionPolicyException] xxxxxx,Microsoft.Office.Com
pliancePolicy.Tasks.RemoveDlpCompliancePolicy
+ PSComputerName : apc01b.ps.compliance.protection.outlook.com

What to do?

  1. First of all you need to using PowerShell and connect to Security and compliance
    1. https://docs.microsoft.com/en-us/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell?view=exchange-ps
  2. Next run the command below to get your DLP information

Get-DLPCompliancePolicy | select Name, Guid

3. Than run this command

Remove-DLPCompliancePolicy -Identity “Policyname” -ForceDeletion

OR

Remove-DLPCompliancePolicy -Identity “Policy GUID” -ForceDeletion

4. Select “A” , A is Yes to All

Below is a sample;

 

Capture

 

References:

  1. https://sabrinaksy.com/2020/07/25/powershell-unable-to-delete-stuck-data-leak-policy-using-forcedeletion/

Microsoft RMS: What are the difference of Information Rights Management and Azure Information Protection?

RMS – Rights Management Service

Rights Management definition is that it is a protection mechanism that uses encryption, identity, authentication to protect your emails and documents from unauthorized access.  Imagine, that your emails and documents is the Hamster and Rights Management is the Hamster’s protective ball, the Hamster is inside the Ball and if you are not the owner of the hamster and you wish to touch it I doubt that it won’t bite you.

34ql4ko
Cute and feisty hamster in a ball (from movie Bolt)

IRM- Information Rights Management

IRM stands for Information Rights Management/Azure Rights Management, let’s talk about a history of IRM.

 

IRM is the older version RMS, you could only find it at Office 365 portal, and now with AIP available, IRM has become a component within the AIP. I think Microsoft has plans to slowly decommissioning/move away IRM, because I’ve noticed that the usual modification method of IRM templates has closed since January,2018. The usual method to modify IRM templates was from the old portal of Microsoft Azure. Now the only way to modify the templates are through PowerShell.

Anyway, it also has it own separated activation via GUI;

  1. For exchange online IRM you have to activate from office 365 portal > admin > settings > services & add-ins > Rights Management/ Azure Information Protection
  2. For SharePoint online, activate it from office 365 portal > admin > admin center > SharePoint > Settings > Select Use the IRM service specified in your organization > Refresh IRM settings

Or you could just make use of PowerShell to activate IRM (Make sure you got all requirements ready);

  1. Connect to AADRM services
  2. Type in the PowerShell “Enable-Aadrm”

Yea, so the steps are actually not brain surgery. What I like about PowerShell is that its code is understandable just by looking at it. If you compare PowerShell and C++, than you know what I mean. 

*Note:

  1. IRM can’t protect documents that are not Office Apps
  2. IRM can’t provide you much tracking details of your protected documents
  3. Exchange Online IRM and SharePoint Online IRM has different IRM management
  4. SharePoint Online IRM, is based on a site not the whole SharePoint Online
  5. SharePoint Online IRM, you can apply IRM on its list or library
  6. No longer using GUI to configure IRM templates
  7. IRM needs manual activation
  8. License requires are Microsoft Enterprise E3 or E5
  9. Doesn’t support mobile
  10. Longer propagation to end users (make take to 2 hours (same goes to DLP labeling))
  11. End Users has to select “Connect to Rights Management” in the outlook

 

AIP – Azure Information Protection

AIP is the new advanced technology/mechanism of RMS, it broke through the limitation of IRM capabilities. You can only see and management AIP in Microsoft Azure Portal (Yes, you still can see it as “Advanced feature” in Services & add-ins in Office 365 portal). The capability of AIP I could tell you is quite mind-blowing for me. It combines the IRM and DLP’s sensitive information mechanism to produce an advanced method to protect data.

To understand how to use AIP for me (hope it helps you too), you must understand steps to deploy and implement AIP 6 major points;

  1. Label – Parent Label? or Sub Label?
  2. Permission – View Only? Read Only?
  3. DLP Sensitive Information – Trigger label automatic?
  4. Apply to – Sales Department? External parties?
  5. Policy – Who will hold this label as admin?
  6. Label Admin – Sales Admin hold this label as admin

The minor points would be the notification, policy tips, access expiration date and so on.

Sadly, AIP doesn’t provide the capability to prevent data leak. Wait! Why not integrate AIP with DLP block policy function? Yes, you could do that and that is what the recommendation from Microsoft. DLP is Data Leak Protection (License of Microsoft Enterprise E3 or E5)

Minimum you could get AIP Plan 1 license for your global admins and users, to have the permission to use AIP. Once you buy AIP license and apply for the license, AIP will automatically activate for your organization (Exchange Online, OneDrive, and SharePoint Online). (Chill this won’t impact your users yet)

*Note:

  1. AIP can be apply to non-office apps documents too
  2. AIP users needs an AIP application to be install on their devices to be visible to the users to use it (PC or mobile or both, you could deploy Intune to push the application executable file into intune policy and than force apply the policy to user’s devices, just make sure user’s devices are intune managed )
  3. With AIP users can track their documents, where is it, whom has it, whom open it, whom trying to access it, AIP users whom applied the AIP label has the permission to revoke access of a document from a user(s), also can track when has this document open and etc..
  4. Faster propagation to end users (Less than 5 minutes)
  5. Easy to manage for Global admins
  6. A lot of automation action than IRM

 

*Note for RMS (IRM & AIP)

  1. Office web apps don’t support opening protected RMS documents
  2. Office web apps don’t support apply RMS

 

Choose Either one to deploy IRM or AIP. Don’t Activate both in a production environment!

 

References:

  1. https://docs.microsoft.com/en-us/office365/securitycompliance/apply-irm-to-a-list-or-library
  2. https://docs.microsoft.com/en-us/azure/information-protection/activate-service
  3. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
  4. https://docs.microsoft.com/en-us/azure/information-protection/how-does-it-work
  5. https://docs.microsoft.com/en-us/office365/enterprise/activate-rms-in-office-365?redirectSourcePath=%252fen-us%252farticle%252fActivate-Rights-Management-RMS-in-the-Office-365-admin-center-5b6d3ac7-b1ac-428e-b03e-50e882f85a6e
  6. https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies
  7. https://sabrinaksy.wordpress.com/2018/01/07/office-365-custom-dlp-how-to-create-custom-data-leak-protection/
  8. https://docs.microsoft.com/en-us/office365/securitycompliance/what-the-dlp-policy-templates-include
  9. https://track.azurerms.com/#/landing?q=Document1&sourceUrl=%2F%3Fq%3DDocument1
  10. https://joannecklein.com/2018/01/22/use-aip-labels-in-dlp-policy-rules/

 

 

Office 365 Custom DLP: How to create custom Sensitive Information?

Yes this is interesting topic for me because it involve programming! I will make this topic as simple as learning alphabet, because I will be showing you the importance on how to create your very own DLP sensitive information. DLP templates are come in the form of xml file format.

*Note: You may need to spend some time in this. Practice makes perfect result.

Importance that you must include into your xml are:

  1. Rule
  2. Entity
  3. Pattern
  4. Identity Match/Id Match/Format/RegularExpression

#This is the flow chart

Rule -> Entity -> Pattern -> Identity Match/Format/Regular Expression

Ok, now you know what are the importance, next will be things you need to take note on the “importance” that can have multiple section. That is “Pattern” & “Identity Match”. You can only have 1 rule consist with 1 Entity, where that Entity can have multiple unique pattern types and each pattern can have its own unique ID Match.


Below is a sample of my code on how it looks like in xml;

*Note: You have to change the GUID of the highlighted red parts, as you can see there are 4 GUIDs, but only 2 GUID are the same. To get new GUID, you simple have to open your PowerShell and type the command “[guid]::newguid()”.

<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
<!-- Need to change guid, rule package guid, [guid]::newguid()-->
<RulePack id="872155dc-1234-4e3e-a10d-x"> 
<Version build="0" major="1" minor="0" revision="0"/> 
<!-- Need to change guid, publisher guid --> 
<Publisher id="6907d14a-1234-4023-87cd-x"/> 
<Details defaultLangCode="en-us"> <LocalizedDetails langcode="en-us"> <PublisherName>Company Group</PublisherName> 
<Name>ID Custom Rule Pack</Name>
<Description> This rule package contains the custom ID entity. </Description> </LocalizedDetails> 
</Details>
</RulePack>

<!--This orange part, is your rule type-->
<Rules>
<!-- ID --> 
<!--This blue part, is your entity-->
<!-- need to change guid, entity guid--> 
<Entity id="b660289d-189e-1234-9e0a-x" patternsProximity="300" recommendedConfidence="70">
<!--This green part, is your pattern type-->
<Pattern confidenceLevel="80"> 
<!--This purple part, is your Identity match name-->
<IdMatch idRef="Regex_id1"/> 
</Pattern>
<Pattern confidenceLevel="80">
<IdMatch idRef="Regex_id2"/> 
</Pattern> 
</Entity>

<!--This pink part is your Regular Expression-->
<!--Format: AB-C-DE-FGH--> 
<Regex id="Regex_id1">(\d{2})[-](\d{1})[-](\d{2})[-](\d{3})</Regex> 
<!--Format: ABCDEFGMANNN -->
<Regex id="Regex_id2">(\d{7})[mM][a-zA-Z](\d{3})</Regex> 

<LocalizedStrings> 
<!-- Resource guid same as rule guid --> 
<Resource idRef="b660289d-189e-1234-9e0a-x">
<Name default="true" langcode="en-us">ID</Name>
<Description default="true" langcode="en-us"> A custom classification for detecting IDs. </Description> 
</Resource> 
</LocalizedStrings>

</Rules>

</RulePackage>

The above xml consist of 2 patterns both are set with accuracy of 80%, means if DLP scanned your mail/sharepoint/onedrive consist what is inside the pattern and has 80% match percentage will trigger the rule. Inside each pattern consist unique identity which name “Regex_id1”  and “Regex_id2”. After that, is comes to setting the format for each unique identities. As you can see above, the format i had state in the comment.

*Note: The code above doesn’t limit your needs, you could play around with what you wish to include, such as keywords, false positive, or etc.. You could learn more about twerking around the codes by reading below references. You can also use any online tester site to test out regex of your code .


References:

  1. https://support.office.com/en-us/article/Create-a-custom-sensitive-information-type-82c382a5-b6db-44fd-995d-b333b3c7fc30
  2. https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference
  3. https://justaucguy.wordpress.com/2014/11/21/adventures-in-custom-dlp-rules-part-one/