How Does Azure Information Protection Work?

If you’re looking at what’s included with Microsoft 365 Business Premium, you’ve probably noticed Azure Information Protection listed as one of the secure cloud services included. When the question “How does Azure Information Protection work?” came up, I thought it would be worthwhile creating a blog post to explain what Azure Information Protection is and how it works.

Azure Information Protection gives you the ability to apply labels to certain types of content and emails to prevent them being shared with, or accessed by, unauthorised users.

Azure Information Protection allows you to control your data. You can restrict which users have access to it and control the data, even when it has been shared externally.

We’re going to look at how Azure Information Protection works, how easy it is to configure, and why your business should be using it.

Azure Information Protection: How Does It Work?

Azure Information Protection lets you label, classify, and protect documents all in one go. Labelling and classification can be done manually but also automatically, if that’s ideal for your organisation.

Azure Information Protection: Labelling and Classifying Files With AIP

So let’s say you have a Word document that contains financial information. You may manually label and classify this document, meaning it is only accessible to certain team members. By labelling the document, watermarks will appear on it that inform people that the document is secret and only allowed to be seen by certain team members.

However, Azure Information Protection is actually much more advanced than this.

Azure Information Protection is actually part of the Microsoft Information Protection solution and allows you to automate labelling and classification of files.

For example, you save a file containing confidential bank account details without manually labelling or classifying it. With Azure Information Protection, that file will automatically be saved as secret, accessible to only the appropriate users.

Azure Information Protection: On-Premises Scanner

Azure Information Protection comes with a feature known as On-Premises Scanner.

AIP On-Premises Scanner allows IT personnel to scan their on-premises files. The On-Premises Scanner will allow you to rapidly identify which of the files you’re storing locally need to be labelled, classified, and potentially protected.

The AIP On-Premises Scanner is available through the Microsoft Azure portal and will reveal which locations on your network contain sensitive information that isn’t protected. You can then act to label, classify, and protect files.

The On-Premises Scanner reveals how users can interact with certain files (read and write, no access, read, etc.), which user owns the files, and whether or not the files can be shared internally and externally. You can then dig deeper and see whether you need to label and classify the files to protect them effectively.

Azure Information Protection: Sharing Protected Content

Labelling, classifying, and protecting documents at user level and within your network is possible as I’ve outlined above. Internally, you can ensure that only appropriate users have access to certain types of files. But a bigger concern is sharing files externally. How does Azure Information Protection prevent files and sensitive information from being shared externally?

Labelling, classifying, and protecting documents actually prevents them from being shared with anyone outside of your organisation.

If you’re using AIP, you can prevent information being shared externally in numerous ways. For example:

  • You can prevent users from copying and pasting information into and out of protected documents. Users can’t just go into a file, copy and paste the content, and send it across to an external email address.
  • Emails containing protected documents or sensitive information can be blocked prior to transmission. If one of your users tries to email a protected document, they will get an email informing them that their email cannot be sent. The IT department and administrators will be informed via the Azure portal that a user has tried to send an email containing sensitive information.

Preventing users sharing files over email

The email protection is the main feature to note here as this would be the main route users would take to share files externally. Once you’ve configured Azure Information Protection and labelled, classified, and protected your files, sharing is automatically prevented.

Some might see this security as cumbersome or too forceful. There might be occasions where you need to share files externally that contain sensitive information. For instance, there are likely to be occasions when you have to share financial information with your accountants and other external organisations. In this case, there are numerous steps you can take, such as relabelling and reclassifying a document so you can share it externally.

At the end of the day, these security solutions are only as strong as you make them.

If you’re somewhat overzealous with labelling and classifying documents, you may end up hindering the productivity of your staff and making their lives difficult.

On the other hand, if you don’t label and classify documents as you should, you may as well have no security at all.

You really need to find a healthy middle ground, where your documents and files are secure without hindering the productivity of your team.

Controlling access to shared documents

As I said above, if you have the appropriate permissions, you can share documents and files externally over email. You set permissions for people you’re sharing the file with. You can enable view-only or give people editing privileges. Your content is within your control.

Via the Azure portal for Microsoft Rights Management, you have total control over the documents and files you’re sharing — even once you’ve shared the document and the user you shared it with has viewed it.

Depending on the permissions you set, users you share your file with cannot download it. In fact, they have to be connected to the internet to view and use the shared file.

If you notice something untoward in the Microsoft Rights Management portal — for instance, a user has opened the file in a location that doesn’t seem correct — you can immediately revoke access to the file for all users you’ve shared it with. In other words, there is no way they can access this document again, even if they left it open on their screen.

The video below perfectly demonstrates the concept I’m explaining here, with a great example scenario. It explains how you protect documents and how the revocation process works, so it’s well worth two minutes of your time.

Azure Information Protection: Why Your Business Should Be Using It

Organisations around the world are using cloud-based services more than ever and file sharing is an instant process that enables productivity. However, it’s incredibly important that you keep your business protected at the same time. The last thing you want is a protected document falling into the wrong hands, as it could be very costly for your business.

If you’re already using Microsoft 365, you may already have access to Azure Information Protection. Microsoft 365 Business Premium users have access to the benefits Azure Information Protection offers, as do Enterprise users. If you don’t have Azure Information Protection available to you, it is available for purchase as an optional extra to all users.

At the end of the day, it is so important to keep your documents and files secure, particularly if you’re sharing sensitive information. Despite security concerns with email and file sharing online, it’s actually much more secure than physical files when you think about it. If you set up your security properly with tools such as Azure Information Protection, maintaining control over your files is easier than ever.

Jack Mitchell

Jack Mitchell has been the Operations manager at telecoms and MSP Optionbox for more than 4 years. He has played a crucial role in the company, from marketing to helpdesk, and ensures that the IT requirements of over 300 clients are continuously met. With his innate passion for technology and troubleshooting and a particular interest in Apple products, Jack now delivers the most comprehensive tech guides to make your life easier. You can connect with Jack on LinkedIn.