Microsoft is always striving to make the process of protecting information easier and simpler for users and admins alike. Hence, to help with the initial step in protecting your information, Microsoft was happy to announce that, as of February 2018, all Azure Information Protection eligible tenants will have Azure Information Protection on by default. Organizations which have the Office E3 SKU and above or EMS E3 and above service plans can now get a head start in protecting information through Azure Information Protection.
The new version of Office 365 Message Encryption, which was announced at Microsoft Ignite 2017, leveraged the encryption and protection capabilities of Azure Information Protection. Microsoft has continued to make major improvements in the product since its initial launch and is excited to announce new capabilities in both Office 365 Message Encryption and Azure Information Protection.
By Default Protection is on for Azure Information Protection
Microsoft has enabled the protection capability in Azure Information Protection automatically for new Office 365 E3 or above subscriptions. Tenant administrators can check the protection status in the Office 365 administrator portal.
EMS E3/E5 subscriptions and Azure Information Protection P1 and P2 plans offer standardized and approachable labels and classification taxonomy. The default global policy now configures Azure Information Protection based encryption and rights management for the following sublabels:
- Confidential \ All Employees
- Confidential \ Recipients Only
- Highly Confidential \ All Employees
- Highly Confidential \ Recipients Only
By Default Office Message Encryption is on
Along with enabling the protection service, Microsoft has now enabled the Office 365 Message Encryption capabilities by default for any new Office E3 or above subscription.
Azure Information Protection’s powerful classification and labeling capabilities enabled organizations to easily collaborate within and across organizational boundaries. Administrators could create labels backed by protection policies which promoted group collaboration (e.g. firstname.lastname@example.org) and cross-company collaboration (e.g. fabrikam.com). Up until now, the groups and users specified in the label definitions (e.g. fabrikam.com, email@example.com) needed to be part of the AAD identity fabric.
Since Microsoft Ignite 2017, Office 365 Message Encryption has enabled organizations to send Azure Information Protection encrypted and rights-managed emails to anyone with any email address. However, administrators had expressed their frustration at their inability to create effective Azure Information Protection labels backed with protection that could include non-AAD users and groups. With this month’s update of the Azure Information Protection service, administrators can now include non-AAD domains in the template definition, which specifically assists in cross-company or non-AAD collaboration scenarios of Office 365 Message Encryption. In the snip below, Contoso’s administrator has defined a custom protection permission for recipients who have a gmail.com address, hotmail.com address and onpremcompany.com address.
A New policy – Encrypt-Only
Do Not Forward has been the only out-of-box and default policy which was available to our customers. While Do Not Forward is very useful in securing the content (recipients cannot forward, print, edit, copy content), customers have indicated that it is far too restrictive and does not help in today’s collaborative environment.
There is a new out-of-the-box policy called Encrypt-only. With this policy, users can send encrypted email to any recipient, whether they are inside or outside the organization, and the protection follows the lifecycle of the email. However, unlike Do Not Forward, recipients can copy, print and forward the email. Encryption will follow the forwarded mail and no one other than the original sender can remove the protection of the email. This new policy provides more flexibility in the type of protection that can be applied to your sensitive emails. You can learn more about the Encrypt-Only policy here.
FAQs you might have:
How does this announcement for enabling Azure Information Protection by default affect existing Office 365 tenants?
There is no impact to existing Office 365 tenants. They would still need to enable Azure Information Protection manually through Office 365 or through PowerShell cmdlets.
However, for tenants who have enabled Azure Information Protection, Office 365 Message Encryption will be enabled by default.
How does it affect tenants who wish to migrate from AD RMS to Azure Information Protection?
Going forward, if you are creating a cloud subscription for migrating from AD RMS to Azure RMS, please manually disable the Rights Management service before starting the migration.
Will SharePoint Online IRM feature also be configured automatically?
No, that still needs to be done manually.
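The checks the FAQ answers call for, as an added example that is not part of the original post: it reports whether the protection service is on, turns it on or off only when asked, and then shows the Office 365 Message Encryption settings in Exchange Online. It assumes the current AIPService and ExchangeOnlineManagement PowerShell modules (not named on this page) and a tenant administrator account; the script parameters and the sender address are hypothetical.

```powershell
# Added example, not Microsoft's script. Assumes the AIPService and
# ExchangeOnlineManagement modules are installed and the signed-in account
# is a tenant administrator. Parameter names below are hypothetical.
param(
    [switch]$EnableIfOff,          # existing tenants: turn protection on manually
    [switch]$PreparingAdRmsMove,   # new subscription created for an AD RMS migration
    [string]$TestSender = 'admin@contoso.example'   # constructed placeholder address
)

Import-Module AIPService
Connect-AipService | Out-Null

# Get-AipService returns the protection service status: Enabled or Disabled.
$status = Get-AipService
Write-Host "Azure Information Protection protection service: $status"

if ($PreparingAdRmsMove -and $status -eq 'Enabled') {
    # New subscriptions now arrive with protection on; the FAQ asks for it to be
    # disabled manually before the AD RMS migration starts.
    Disable-AipService
    Write-Host 'Protection service disabled ahead of AD RMS migration.'
}
elseif ($EnableIfOff -and $status -ne 'Enabled') {
    # Existing tenants are not switched on automatically.
    Enable-AipService
    Write-Host 'Protection service enabled.'
}

Disconnect-AipService | Out-Null

# Office 365 Message Encryption side: confirm Exchange Online is using Azure RMS
# licensing and see whether the Encrypt-Only and Do Not Forward options are
# offered to users.
Connect-ExchangeOnline -ShowBanner:$false
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled,
    SimplifiedClientAccessEnabled,
    SimplifiedClientAccessEncryptOnlyDisabled,
    SimplifiedClientAccessDoNotForwardDisabled

# End-to-end check that templates can be fetched and used for this sender.
Test-IRMConfiguration -Sender $TestSender

Disconnect-ExchangeOnline -Confirm:$false
```

Run without switches, the script only reports state; SharePoint Online IRM is not touched, since that still has to be configured manually.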