- January 8, 2019
- Justin Penchina
Azure Information Protection (AIP) is part of the Mobility + Security add-on for Office 365. With Azure Information Protection, you can create advanced policies to protect your data. This can be done by creating “tags” to classify documents and emails, and then creating policies based on those tags.
Data Loss Prevention (DLP) tools such as this are critical if your company handles any kind of sensitive information, not just Personally Identifiable Information (PII.) Implementation of AIP makes it easy for team members to protect data and greatly reduces the risk of sensitive information leaking outside of the intended recipients.
This guide will show you how to automatically encrypt emails going outside your company that has data marked “confidential.”
Enabling Azure Information Protection
If this is the first time you are using Azure Information Protection in your tenant, you will first need to turn it on:
- Log into the Office 365 admin console and navigate to Settings -> Services & Add-ins
- Click on Microsoft Azure Information Protection
- Click the link to Manage Microsoft Azure Information Protection settings
- Click the button to activate. Once the service is activated, this page will have a button to access Advanced Features. (Note: activation can take a while to process.)
Information Protection Labels
Once the service is activated, you can click the Advanced Features button to jump into the Azure portal. If you do not already have an Azure account, you will be prompted to create one with a free subscription.
If it does not take you directly there, use the search bar at the top to search for Azure Information Protection. This will take you to the Azure Information Protection blade.
- Under the Classification section click on Labels. To create a new label, click on the New Label link.
- Enter in the information for your label. Give it a name (in this example I used the name “Confidential,”) and enter in a brief description.
- Scroll down to the toggle that says: “Display the Information Protection bar in Office apps” and change it to On
- Click Save at the top of the blade to save your label.
- Scroll all the way down to the bottom of the blade. You will see a line of text that says, “Label ID.” Copy this ID code into a notepad window. You will need it later:
The next thing you need to do is create a Policy to publish your labels.
- On the Azure Information Protection blade, under the Classification section click on Policies.
- This opens the Policy blade. Give your policy a name and a brief description.
- Click the section to Select users and groups to choose who this policy will apply to.
This opens another blade where you can select users and groups. When testing it is best to limit the policy to as few people as possible (or even just yourself.)
Note that only users or groups that have an email address can be selected.
- Back on the Policy blade click Add or remove labels
- Select the label you created on the right side. Save the policy.
Microsoft Office Information Protection Bar
Once the policy is updated you will notice the Information Protection bar shows up in Microsoft Office applications. You may need to close and re-open Outlook/Word/Excel in order to get the update:
You can select the label to apply it to the content, but right now there are no actions associated with the label. The next thing to do is to create some mail flow rules to apply email encryption.
- Log into the Office 365 admin portal and navigate to the Exchange admin center. Click on the Mail Flow section and then Rules.
- At the top, click the plus symbol to add a new rule.
- Enter in a name like “Encrypt Email with Confidential Tag”
- In the “Apply this rule if” section choose “The recipient is located outside the organization”
- Click Add Condition to add a second condition. (You may have to click the More Options link to view the Add Condition button)
- Choose “A Message Header includes any of these words”
- On the right, click Enter Text and enter in “msip_labels”.
- Click Enter Words and put in “MSIP_Label_” followed by the Label you copied earlier, followed by “_Enabled=True;” Make sure there are no spaces and you copy the label in exactly.
- In the “Do the Following section,” choose Modify the message security… and then Apply Office 365 Message Encryption and rights protection to the message. Choose the “Encrypt” option from the pop-up:
- Save the rule.
- Click the plus symbol to create a second rule.
- Call this one “Encrypt email with confidential attachments”
- In the Apply the rule if section choose the same setting for recipient located outside the organization.
- Click “add condition” to add the second condition.
- Choose Any Attachment has these properties, including any of these words
- Click the plus button to add the property.
- Choose Specify a custom attachment policy
- In the property name, put in “MSIP_Label_” followed by your label ID, followed by “_Enabled”. Make sure there are no spaces and you copy the label in exactly.
- In the value section, enter True.
- In the “Do The Following” section, choose the same “Apply office 365 message Encryption and rights protection” setting and choose Encrypt.
- Save the rule.
It can take up to 2 hours for the rule to fully propagate and be active on matching emails. Give it some time before you send a test message.
Once the rules are in place, any email marked with the Confidential tag will be sent as an encrypted message, and any email with an attachment that is marked with the Confidential tag will be sent as encrypted.
When you create a new message in Outlook you will notice the information bar under the ribbon. This will show any labels that you have available to you. Here is what it looks like when sending an encrypted message:
When you select the label you want, it will appear on the left side of the bar. Then write and send the email like you normally would.
The recipient will receive an email from you with the subject line you used:
When the recipient opens the message, there is a notice that there is an encrypted message for them to view:
When the recipient clicks to read the message, they are given two options. They can either sign in with a Microsoft account (if they have one associated with their email) or they can receive a one-time code:
Once the recipient is authenticated, the message shows up in their browser. They can view the message, download attachments, and even reply from the page.
There are many other security measures you can put in place using Labels and Policies. Azure Information Protection lets you apply document level encryption to files with Labels and Policies, and Azure Information Protection P2 will even automatically apply labels to files that have sensitive information (like credit card numbers) in them.
How does your organization use Office 365 to secure sensitive files and prevent data loss to reduce risk? Let us know in the comments section below!