Azure Information Protection (AIP) is used to label, classify and protect documents and emails across apps and services. Within the Azure portal, you can now also apply usage rights to documents and emails labeled with AIP using the Azure Rights Management service. A truly powerful combination.
What is meant by usage rights? These are the kinds of things you’ll be able to do with the document/email when it’s protected by an AIP label. Things like printing, copying, editing, forwarding, and saving! (all usage rights shown below)
You can select from predefined roles (Co-Owner, Co-Author, Reviewer, Viewer) or build a custom one. Let’s walk thru an example of how to apply usage rights to an AIP label to show what the experience is like for anyone opening a document or receiving an email labeled with it.
Microsoft documentation: Configuring usage rights for Azure Rights Management
There are several scenarios I can think of in a typical organization where this kind of functionality might be required. Here’s a few:
- A secret project where no one on the project team should be allowed to copy or print any of the documents within or forward any of the emails for the project. This could be accomplished by configuring a scoped label and usage rights!
- Anything labeled Top Secret should never be printed, copied, downloaded, edited or forwarded in an email except by the creator. This could be accomplished by configuring usage rights on the Top Secret label in the global policy.
Let’s walk thru the second example above.
Step 1: Define a Top Secret AIP label
Add a Top Secret label within the tenant’s Global policy in the Azure portal. These labels will be visible to everyone across the tenant. Define any required visual markings (header, footer, watermark) and conditions for the label.
To enable usage rights for documents and emails, select Protect.
Step 2: Configure protection settings for the user/group
For this example, I’ll define everyone in the tenant domain as a Viewer for this label; however, you can choose individual users, security groups, and even external domains.
The Viewer permission role grants the usage rights checked below:
Note: the account that protects a document/email using Azure Rights Management service becomes the Rights Management Issuer and Owner of the content. This means they will always have Full Control of the document/email even if they are included in a group you have defined in the Protection setting. In this example, even though I’m part of the tenant domain above, I will have Full Control if I created and labeled the document (thereby applying the protection).
Publish the policy changes.
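The same protection settings as Steps 1 and 2 can be built as a Rights Management template with the AIPService PowerShell module and then selected from the label’s Protection setting as a predefined template. This is an added example, not part of the original post; it assumes the AIPService module is installed, and `contoso.com` and the label name are placeholders for your own tenant.

```powershell
# Added example (not from the original post): create the "Top Secret"
# protection template from PowerShell and read the granted rights back.
# Assumes the AIPService module is installed; contoso.com is a placeholder.
Import-Module AIPService
Connect-AipService              # interactive sign-in as an AIP/global admin

$tenantDomain = "contoso.com"   # placeholder: your verified tenant domain

# Everyone in the tenant domain gets VIEW only. Leaving out EDIT/DOCEDIT,
# PRINT, EXTRACT (copy and screen capture), EXPORT (download/save as) and
# FORWARD implements the "never printed, copied, downloaded, edited or
# forwarded" rule. The account that applies the label becomes the Rights
# Management Owner automatically, so the creator keeps Full Control
# without an explicit rule here.
$viewOnly = New-AipServiceRightsDefinition -DomainName $tenantDomain -Rights "VIEW"

# Names/Descriptions are keyed by LCID; 1033 is en-US.
$names        = @{ 1033 = "Top Secret" }
$descriptions = @{ 1033 = "View only for tenant users; owner keeps Full Control" }

# Assumption: the cmdlet returns the created template object. If it does
# not in your module version, take the TemplateId from Get-AipServiceTemplate.
$template = Add-AipServiceTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $viewOnly -Status Published

# Verify what was actually granted, per identity, before publishing the label.
Get-AipServiceTemplateProperty -TemplateId $template.TemplateId -RightsDefinitions |
    Format-List

Disconnect-AipService
```

After a document has been labeled with this template, `Get-AIPFileStatus` from the AIP client module (a separate module from AIPService) reports `IsRMSProtected` and `RMSOwner`, which is a quick way to confirm that the creator, not the Viewer group, holds ownership.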
Step 3: Create a document and label it Top Secret
I’ll create a document for my favorite chocolate brownie recipe and label it with the Top Secret label. There’s no way I want anyone copying that! 🙂
What does the document owner see? When I open the document and click the View Permission button on the yellow protection bar (below), the dialog pop-up displays the full control permission level for this document. I’m able to perform all of those functions on this document in Word.
A copy is a copy is a copy…
Since the Copy usage right is turned off, I could not take a screenshot of the document for this blog post. Copy means copying any of the data, including screen captures and video recording, from the content. The only recordable piece of content was the permission pop-up shown above.
Step 4: Send an email labeled Top Secret
What does the sender see? The sender (owner) of the email can see and do anything with the email once it’s labeled Top Secret. Below I’m showing what it looks like when an owner opens the email from a phone and from the desktop client. However, the text and header shown will be removed if a recipient tries to forward the message.
What does the recipient see? Although I can’t copy the image of what a recipient sees due to the usage right, if they try to forward the email, the contents of the message circled above are removed and a message is inserted where the text previously was, with the text below:
Note: This conversation is restricted, so you might not be able to cut or copy from it. See the information above the To line for more details. Also, while the conversation is restricted, the conversation owner can send the message to other people.
I think combining usage rights directly with AIP in the Azure portal is a solid step forward in an organization’s data protection journey. Lots of planning will need to go into determining if permission roles will be associated with each label and what those will be. I recently blogged about creating an AIP Planning OneNote notebook to document your organization’s AIP configuration. Make sure you add any Rights Management protection settings into it as well (AIP Planning OneNote).
When the settings are in place, why not run a pilot group to see how information workers in your organization will adjust to this new experience? Based on their feedback, put training in place for the organization-wide roll-out.
AIP and usage rights. A simple configuration with a big impact.
Thanks for reading.
About the Author:
Joanne is a SharePoint and Office 365 independent Consultant and Microsoft MVP for Office Servers and Services. She has spent the past decade working with SharePoint Server and SharePoint Online in Office 365. Her specialties include Office 365 adoption, SharePoint information architecture, information management, data protection, and data retention which allows her to help organizations get the most out of their SharePoint/Office 365 investments. She is on the leadership team for the Saskatchewan SharePoint/Office 365 User Group and is an avid supporter of the Microsoft technical communities at large. Connect with her on Twitter or LinkedIn!
Klein, J. (2018). A Walk-Thru of Azure Information Protection and Usage Rights. Available at: https://joannecklein.com/2018/03/21/a-walk-thru-of-aip-and-usage-rights/ [Accessed: 3 May 2018].