This post is in continuation with the previous AIP post.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.
  16. Windows Defender Application Guard configuration
  17. Extend Application Guard to Mozilla Firefox and Google Chrome
  18. Configure Windows Defender Antivirus
  19. Windows Defender Credential Guard
  20. Windows Defender Exploit Guard – Attack Surface Reduction
  21. Windows Defender Exploit Guard – CFA, NP, EP
  22. Windows Defender Application Control Part 1
  23. Windows Defender Application Control Part 2
  24. Azure Information Protection Part 1

Existing setup:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)

The previous post covered basic AIP configuration in a brand new tenant.

In this post we’ll create two Sensitive Info Types, a label for each of them, and then add both labels to the default policy.

We’ll also configure SharePoint Online so that it can process content in Office Online files that have encrypted sensitivity labels applied, and then watch two users collaborating on such a file in SharePoint Online.

Create some Sensitive Info Types

First, we’ll create a Sensitive info type with keyword “Finance“.

Navigate to https://protection.office.com/

Expand Classification and click on Sensitive info types.

Click on +Create.

Enter appropriate Name and Description. I have entered:

Name: Finance Word

Description: Finance Word

Click Next.

Click on +Add an element.

Expand Any of these.

Here we are going to use Keywords.

Select Keywords and enter Finance in the text box.

As we are not using any supporting elements, we can leave the remaining settings at their defaults.

We can, however, adjust the Confidence level as per our requirement. In my case the default is good enough.

Click Next.

Review the settings and click Finish.

It is better to test the Sensitive info type before using it.

Click Yes to do so.

Upload a document that contains Finance word.

Click Test.

We see that Finance word is matched.

Click Finish.

The Sensitive info type is created.

Next, we’ll create a Sensitive info type with supporting element.

Click +Create.

Enter appropriate Name and Description. I have entered:

Name: Shares

Description: Sensitive information related to Shares.

Click Next.

Click on +Add an element.

Expand Any of these.

Here we are going to use Keyword.

Select Keywords and enter Share, Shares in the text box.

Click on +Add supporting elements.

Here, we are going to use Contains this keyword list.

Enter increase, increasing, increased, decrease, decreasing, decreased in the text box.

Adjust Minimum Count, Confidence level, Character proximity as per your requirement. I have used:

Minimum Count: 1

Confidence level : 60%

Character proximity: 500

Click Next.

Click Finish.

Click Yes to test the Sensitive info type.

Upload a test document. I have uploaded a document containing the below text:

Dear Friend,

The share prices of Sky366 is going to increase.

Please take care.

Regards,

Your friend

Click Test.

We see that content is matched as per our expectation.

Click Finish.

We see that Sensitive info type is created.

Enable SharePoint and OneDrive to process content in Office online files that have encrypted sensitivity labels applied

Method 1:

If you have not yet turned on AIP integration with SharePoint, you will see the above message.

Just click on Turn on now to configure the integration.

Method 2:

This method uses PowerShell to configure the integration. It is mandatory if you have a multi-geo SharePoint configuration.

# Check whether the SharePoint Online Management Shell module is already installed
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

# Install it if the previous command returned nothing
Install-Module -Name Microsoft.Online.SharePoint.PowerShell

# Tenant admin account used for the connection
$adminUPN = "admin@sky366.bid"

# Replace with your tenant name (the part before -admin.sharepoint.com)
$orgName = "your_tenant_id"

$userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."

Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential

# Turn on AIP integration for the tenant
Set-SPOTenant -EnableAIPIntegration $true

Create new labels

We are going to create two labels for the two Sensitive Info types created above:

Navigate to https://protection.office.com.

Expand Classification and click on Sensitive labels.

Click on + Create a label.

Enter Name, Description for users, Description for admins as appropriate. I have used below:

Name: Finance

Description for users: This information is related to Finance

Description for admins: This information is related to Finance

Click Next.

Click Next.

Check Encrypt files and emails.

Check Mark the content of files.

Click Next.

Select Configure encryption settings.

Expand Assign permissions now.

There are two options.

We are going to use Assign permissions now.

In User access to content expires, there are three options.

We are going to use Never.

In Allow offline access, we have three options.

We are going to use Always.

Click on Assign permissions.

There are two configurations here.

First, the users/groups who would have access on the information with this label.

Second, the type of access that above users/groups would have.

In this label, we are going to use + Add all users and groups in your organization.

Click on + Add all users and groups in your organization.

To change the permissions, click on Choose permissions.

As I am going to use Co-Author, which is already selected, I need not do anything else.

Click Save once done.

If you need to use Double Key Encryption, check that option.

Click Next.

Enable Content marking.

Add watermark, header or footer as appropriate.

In this label, we are going to add header.

Check Add a header.

Click on Customize text.

Enter/select Header text, Font size, Font color, Align text as appropriate. I have used below:

Header text: Financial Document

Click Save once done.

Click Next.

Enable Auto-labeling for Office apps.

Click on + Add condition and select Content contains.

Click on Add. You see two options.

We are going to use Sensitive info types.

Click on Sensitive info types.

A new window will open with all Sensitive info types configured.

You can search or select as appropriate.

Select Credit Card Number.

Select Finance Word.

Click Add.

You can see that both Sensitive info types are added with the condition Any of these.

This means the label will be applied if any one of these Sensitive info types is found.

Expand Automatically apply the label option. You see that there are two options. Select as appropriate.

In When content matches these conditions, I have selected Automatically apply the label.

In Display this message to users when the label is applied, enter appropriate text.

I have entered: This is Finance related information.

Click Next.

We are not configuring protection settings for groups and sites as of now.

Click Next.

Review the settings and click Create label.

Click Done.

You can see the Label under Sensitivity labels.

Create another label for the 2nd Sensitive info type that we created. I have used the below settings:

Name: Important

Description for users: Important Content

Description for admins: Important Content

Encrypt files and emails

Mark content of files

Configure Encryption

Assign permissions: Org wide, Co-Author

Marking:

Header: Important

Auto labelling: Yes

Sensitive Info type: Shares

Message to user: Important information

Add the labels created above in default policy

Navigate to Label policies tab.

Click on Global Policy.

Click Edit Policy.

In Choose sensitivity labels to publish, click Edit.

You can see the two labels are unchecked.

Select the two labels and click Next.

Click Next and complete the wizard as we are not modifying any other settings.

Click Submit.

Click Done.

Testing:

Windows 10 machines without AIP client:

Finance Word test:

Open Microsoft Word and enter below text:

This is Finance document.

Click on Save button.

Enter the file name.

Once document is saved, we see that the Finance label is applied.

Credit Card number test:

Open Microsoft Word. Enter sample Credit Card number. I have used below:

378282246310005

Click on Save button.

Save the file.

We see the Finance label is automatically applied.

Shares related test:

Open Microsoft Word and enter text that contains both the primary element and a supporting element (as defined in the Shares Sensitive info type). I have used below:

The share prices are going to increase.

Click on Save button.

Save the file.

We see that the Important label got applied automatically.
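The three tests above exercise the two Sensitive info types created earlier (Finance Word: a single keyword; Shares: a primary keyword plus a supporting keyword within a character proximity) together with the built-in Credit Card Number type, and the Any of these condition on each label. The following Python script is an added example, not part of the original post and not Microsoft's detection engine: it re-implements that matching logic in simplified form so the behaviour can be reasoned about offline. The whole-word, case-insensitive keyword matching, the Luhn checksum for the card number and the proximity window are assumptions about how the service behaves; the sample documents are constructed to mirror the three tests.

```python
import re

# Constructed sample documents mirroring the three tests on the page.
SAMPLE_DOCS = {
    "finance": "This is Finance document.",
    "credit_card": "378282246310005",
    "shares": "The share prices are going to increase.",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Assumption: a card-number detector also validates the
    checksum so that random digit runs are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_keywords(text: str, keywords):
    """Spans of whole-word, case-insensitive keyword matches (assumed behaviour)."""
    pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, keywords)) + r")\b", re.I)
    return [m.span() for m in pattern.finditer(text)]


def match_keyword_type(text: str, keywords) -> bool:
    """A keyword-only Sensitive info type, like 'Finance Word'."""
    return bool(find_keywords(text, keywords))


def match_keyword_with_support(text, primary, supporting, proximity=500, min_count=1):
    """Primary keyword plus at least min_count supporting keywords within
    'proximity' characters of it, like the 'Shares' type (Minimum Count 1,
    Character proximity 500). Confidence level is not modelled here."""
    support_spans = find_keywords(text, supporting)
    for p_start, p_end in find_keywords(text, primary):
        lo, hi = max(0, p_start - proximity), min(len(text), p_end + proximity)
        count = sum(1 for s_start, s_end in support_spans if s_start >= lo and s_end <= hi)
        if count >= min_count:
            return True
    return False


def match_credit_card(text: str) -> bool:
    """13 to 19 digits, optionally separated by spaces or dashes, passing Luhn."""
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return True
    return False


# The Sensitive info types as configured on the page (Credit Card Number is built in).
SENSITIVE_INFO_TYPES = {
    "Finance Word": lambda t: match_keyword_type(t, ["Finance"]),
    "Shares": lambda t: match_keyword_with_support(
        t, ["Share", "Shares"],
        ["increase", "increasing", "increased", "decrease", "decreasing", "decreased"],
        proximity=500, min_count=1),
    "Credit Card Number": match_credit_card,
}

# Auto-labeling conditions: each label applies if ANY listed type matches.
LABEL_CONDITIONS = {
    "Finance": ["Credit Card Number", "Finance Word"],
    "Important": ["Shares"],
}


def detect_types(text: str):
    """Names of all Sensitive info types that match the document."""
    return [name for name, fn in SENSITIVE_INFO_TYPES.items() if fn(text)]


def auto_label(text: str):
    """Labels whose 'Any of these' condition is satisfied by the document."""
    found = set(detect_types(text))
    return [label for label, types in LABEL_CONDITIONS.items() if found & set(types)]


if __name__ == "__main__":
    for name, doc in SAMPLE_DOCS.items():
        print(f"{name}: types={detect_types(doc)} labels={auto_label(doc)}")
```

Running the script reproduces the outcomes of the three tests: the Finance sentence and the card number both end up with the Finance label, while the shares sentence gets Important. A document containing "Share" with no supporting keyword nearby, or a digit run that fails the Luhn check, gets no label, which is the point of the supporting element and of checksum validation: they keep plain keywords and random numbers from triggering encryption.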

Testing on Windows 10 with AIP UL client:

Repeat the same test on a Windows 10 machine which has AIP UL client.

Finance word test:

This is Finance document.

Once saved.

Credit Card number test:

378282246310005

Once saved.

Shares related test:

The share prices are going to increase.

Once saved.

Collaboration in SharePoint:

Create a test SharePoint Site:

Navigate to https://TenantID-admin.sharepoint.com

Expand Sites -> Active sites

Click on +Create.

Click on Team Site.

Enter appropriate settings and click Next.

Click Finish.

The site gets created. Click on the link.

Copy the URL and open it as any one of the test users.

In the SharePoint site, navigate to Documents.

Click +New -> Word document.

A new tab opens with Word Online.

Select Finance label.

Confirm the selection.

Enter any text.

You can see that the edit is made by the LU01 user.

Go to first tab.

We see that a document is created by LU01 user.

Click on + Add column.

Click on Show/hide columns.

Select Sensitivity and click on Apply.

We see that Sensitivity is also shown.

Open the same document in the 2nd user’s account:

Navigate to the SharePoint site using the 2nd user’s account.

Click on the document.

We see that LU01’s cursor is present at the beginning of the first line.

We see that collaboration is happening on the encrypted document.

End.
