Azure Information Protection – Part 1
In this post, we’ll see how we can do basic Azure Information Protection (Unified Labelling) configuration.
Existing setup done:
- Two Local users created
- Azure AD Connect configured
- Seamless Single Sign-On (IE) configured
- Seamless Single Sign-On (Firefox) configured
- Hybrid Azure AD Join configured
- Intune enrollment – Domain Joined Windows 10 devices
- Azure AD Join
- Office 365 Pro Plus Application
- Sample SharePoint Team Site
- OneDrive Known Folder Migration and SharePoint library sync
- Copy necessary files (Win32 App)
- Set Desktop Background, Lock Screen and Screensaver
- Adding applications to StartUp folder
- Adding some 3rd Party applications (Browsers)
- Microsoft Store for Business configuration and integration and Store Apps.
- Windows Defender Application Guard configuration
- Extend Application Guard to Mozilla Firefox and Google Chrome
- Configure Windows Defender Antivirus
- Windows Defender Credential Guard
- Windows Defender Exploit Guard – Attack Surface Reduction
- Windows Defender Exploit Guard – CFA, NP, EP
- Windows Defender Application Control Part 1
- Windows Defender Application Control Part 2
Lab machines:
- SkyDC: Machine with ADDS, DNS, DHCP role
- SkyCON: Machine where we will install Azure AD Connect
- SkyCM: Machine with Configuration Manager Current Branch
- SkyTEN1: Domain Joined Windows 10 machine
- SkyTEN2: Domain Joined Windows 10 machine
- SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
- SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
This post covers basic AIP configuration in a brand-new tenant.
Log in to the Azure portal.
Navigate to Azure Information Protection. If it’s not already there, you can search for it in the Search bar.
On the Quick start page, you can also watch the video and check the Get Started tutorial.
Scroll down and click on Protection activation.
If it is not activated, you need to activate it. In my case, it is already activated.
Click on Unified labelling.
As this is a new tenant, Unified labelling is already activated.
Navigate to Classifications -> Labels.
Since it is a new tenant, the default labels have not been generated yet.
So we click on + Generate default labels to generate them.
You can see that the default labels are being generated.
The labels have been generated.
Navigate to the Policies section.
You see that a Global policy is created.
If you use the Classic AIP client, it takes its labels and policy settings from the Azure portal.
Click on the policy created.
You can see that there is no label associated with the policy.
Click on Add or remove labels.
Select the labels and click OK.
You can configure other settings also.
In my case, I have configured the settings as per my requirement; for example, the General label is the default label.
Click Save once done.
If you want to use the Unified AIP client, you need to configure the labels and policies from one of the consoles below:
- Office 365 Security & Compliance Center (https://protection.office.com/)
- Microsoft 365 Security Center (https://security.microsoft.com/)
- Microsoft 365 Compliance Center (https://compliance.microsoft.com/)
Open Office 365 Security & Compliance Center by visiting https://protection.office.com
Navigate to Classification -> Sensitivity labels.
You can see all the labels here.
If you want to modify a label, click on it and edit it. In this example, we are modifying the General label.
Click on General label.
Click Edit label.
In the Name & description section, modify anything as per your requirement and click Next.
In the Encryption section, modify anything as per your requirement and click Next.
In the Content marking section, modify anything as per your requirement and click Next.
In the Auto-labelling for Office apps section, modify anything as per your requirement and click Next.
Click Publish labels to create an AIP policy and publish the labels.
In the Choose labels to publish section, click Choose sensitivity labels to publish.
Select the labels as per your requirement and click Add.
I have selected all the labels.
In the Publish to users and groups section, if you want to publish to specific users and groups, click Choose users or groups.
In this case, I have left the default, which is to publish to all users and groups.
In the Policy settings section, select the appropriate options as per your requirement and click Next.
In our case, we have made the General label the default label for all users unless we create another label targeted to some users.
Click Next when done.
In the Name & description section, modify as per your requirement and click Next.
I have used:
Name: Global Policy
Description: This is Global policy for Sensitivity labels.
Review the settings and click Submit.
Click on Label policies.
You can see that the policy is created.
Download and create AIP Unified Labeling client
Click on Download button.
Select AzInfoProtection_UL_MSI_for_central_deployment.msi and click Next.
Click Save File and save the MSI file.
Create and deploy Azure Information Protection (Unified Labeling) client MSI using the method described in https://www.devicencloud.com/m365-environment-14-some-3rd-party-applications-browsers/
Make sure to use /quiet in Command-line arguments.
As we are deploying the AIP client on the latest Windows 10 version with the latest Office 365 Pro Plus, deploying the MSI alone is sufficient.
I used the below:
Name: Win 10 – Azure Information Protection (UL) Client
Description: Azure Information Protection (UL) Client for Windows 10.
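A pre-deployment check for the downloaded MSI, as an added example that is not part of the original post: it validates the package's Authenticode signature, records its SHA-256 hash, and test-installs it with /quiet on a reference machine. The file paths, the extra /norestart and /l*v logging switches, and the expected signer string are assumptions.

```powershell
# Added example: verify and test-install the AIP UL client MSI before packaging it.
# $MsiPath and $LogPath are assumed local paths; adjust them to where you saved the file.
param(
    [string]$MsiPath = ".\AzInfoProtection_UL_MSI_for_central_deployment.msi",
    [string]$LogPath = "$env:TEMP\AIP_UL_install.log"
)

$ErrorActionPreference = 'Stop'
$msi = (Resolve-Path -Path $MsiPath).Path

# 1. Stop unless the package carries a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${msi}: $($sig.Status)"
}

# Assumption: the signing certificate subject names Microsoft Corporation.
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. Record the hash so the file uploaded for deployment can be compared
#    with the file that was verified here.
$hash = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
Write-Output "SHA256 $hash  $msi"

# 3. Silent install with the same /quiet switch used in the deployment,
#    plus a verbose log for troubleshooting and no automatic restart.
$msiArgs = @('/i', "`"$msi`"", '/quiet', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 4. Interpret the standard Windows Installer exit codes.
switch ($proc.ExitCode) {
    0       { Write-Output 'Install succeeded.' }
    3010    { Write-Output 'Install succeeded; a restart is required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}
```

Run it from an elevated PowerShell session on a test machine; a non-zero exit code other than 3010 points to the verbose log for the failing action.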
Customizing AIP Labels as per requirement
Deleting the labels
Configure Analytics (optional if there is license)