Improved Protection Stack for Azure Information Protection


Microsoft is always striving to make the process of protecting information easier and simpler for users and admins alike. To help with the initial step in protecting your information, Microsoft announced that as of February 2018 all Azure Information Protection eligible tenants have Azure Information Protection on by default. Organizations that have the Office E3 SKU and above or EMS E3 and above service plans can now get a head start in protecting information through Azure Information Protection.

Azure Information Protection

The new version of Office 365 Message Encryption, which was announced at Microsoft Ignite 2017, leverages the encryption and protection capabilities of Azure Information Protection. Microsoft has continued to make major improvements in the product since its initial launch and has announced new capabilities in both Office 365 Message Encryption and Azure Information Protection.

By Default Protection is on for Azure Information Protection

Microsoft has enabled the protection capability in Azure Information Protection automatically for new Office 365 E3 or above subscriptions. Tenant administrators can check the protection status in the Office 365 administrator portal.

EMS E3/E5 subscriptions and Azure Information Protection P1 and P2 plans offer standardized and approachable labels and a classification taxonomy. The default global policy now configures Azure Information Protection based encryption and rights management for the following sublabels:

  • Confidential \ All Employees
  • Confidential \ Recipients Only
  • Highly Confidential \ All Employees
  • Highly Confidential \ Recipients Only

By Default Office Message Encryption is on

Along with enabling the protection service, Microsoft has now enabled the Office 365 Message Encryption capabilities by default for any new Office E3 or above subscription.

Azure Information Protection’s powerful classification and labeling capabilities enabled organizations to easily collaborate within and across organizational boundaries. Administrators could create labels which were backed by protection policies which promoted group-collaboration (e.g and cross company-collaboration (e.g Up until now, the groups and users specified in the label definitions (e.g, needed to be part of the AAD identity fabric.

Since Microsoft Ignite 2017, Office 365 Message Encryption has enabled organizations to send Azure Information Protection encrypted and rights-managed emails to anyone with any email address. However, administrators had expressed frustration at being unable to create effective Azure Information Protection labels backed by protection that could include non-AAD users and groups. With this month’s update of the Azure Information Protection service, administrators can now include non-AAD domains in the template definition, which specifically assists in cross-company or non-AAD collaboration scenarios of Office 365 Message Encryption. In the snip below, Contoso’s administrator has defined a custom protection permission for recipients who have a address, address and address.

A New Policy – Encrypt-Only

Do Not Forward has been the only out-of-box and default policy which was available to our customers. While Do Not Forward is very useful in securing the content (recipients cannot forward, print, edit, copy content), customers have indicated that it is far too restrictive and does not help in today’s collaborative environment.

There is a new out-of-the-box policy called Encrypt-only. With this policy, users can send encrypted email to any recipient, whether they are inside or outside the organization, and the protection follows the lifecycle of the email. However, unlike Do Not Forward, recipients can copy, print and forward the email. Encryption will follow the forwarded mail and no one other than the original sender can remove the protection of the email. This new policy provides more flexibility in the type of protection that can be applied to your sensitive emails. You can learn more about the Encrypt-Only policy here.

FAQs you might have:

How does this announcement for enabling Azure Information Protection by default affect existing Office 365 tenants?

There is no impact on existing Office 365 tenants. They would still need to enable Azure Information Protection manually through Office 365 or through PowerShell cmdlets.

However, for tenants who have enabled Azure Information Protection, Office 365 Message Encryption will be enabled by default.

How does it affect tenants who wish to migrate from AD RMS to Azure Information Protection?

Going forward, if you are creating a cloud subscription for migrating from AD RMS to Azure RMS, please manually disable the Rights Management service before starting the migration.

Will SharePoint Online IRM feature also be configured automatically?

No, that still needs to be done manually.
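An added example, not part of the original announcement: a PowerShell check an administrator can run to confirm the defaults described above actually hold in their tenant. It assumes the current AIPService module (the successor to the AADRM module) and the ExchangeOnlineManagement module; the function name, its parameters and the finding texts are illustrative.

```powershell
# Added example. Assumes AIPService and ExchangeOnlineManagement are installed
# and the signed-in account is a tenant administrator.
function Get-ProtectionDefaultsReport {
    param(
        # Set for tenants preparing an AD RMS migration, where the service
        # is expected to be disabled before the migration starts.
        [switch]$MigratingFromAdRms,
        # Optional mailbox for an end-to-end Test-IRMConfiguration run.
        [string]$Sender
    )

    # Protection service state: Get-AipService returns Enabled or Disabled.
    $service = "$(Get-AipService)"
    # Exchange Online side of Office 365 Message Encryption.
    $irm = Get-IRMConfiguration

    $findings = @()
    if ($MigratingFromAdRms -and $service -eq 'Enabled') {
        $findings += 'Service is enabled; run Disable-AipService before starting the AD RMS migration.'
    }
    elseif (-not $MigratingFromAdRms -and $service -ne 'Enabled') {
        $findings += 'Service is disabled; an existing tenant must run Enable-AipService.'
    }
    if (-not $irm.AzureRMSLicensingEnabled) {
        $findings += 'Exchange Online is not connected to Azure Rights Management.'
    }
    if ($irm.SimplifiedClientAccessEncryptOnlyDisabled) {
        $findings += 'The Encrypt-Only option is hidden in Outlook on the web.'
    }

    [pscustomobject]@{
        ProtectionService = $service
        AzureRmsLicensing = $irm.AzureRMSLicensingEnabled
        Findings          = $findings
        # Full mail-flow test only when a sender mailbox was supplied.
        IrmTest           = if ($Sender) { Test-IRMConfiguration -Sender $Sender }
    }
}

Connect-AipService
Connect-ExchangeOnline
Get-ProtectionDefaultsReport | Format-List
```

An empty `Findings` list means the tenant matches the defaults in this announcement. SharePoint Online IRM is not covered by this check because it is still configured manually.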

Microsoft feels that these updates will reduce the work admins need to do to secure emails within organizations.
