TagSensitivity Labels

S for Security in EMS – Azure Information Protection

Even tho Azure Information Protection is included within the EMS package i would recomend using the Office 365 Unified Labeling insted.

Those labels which can be eather Sensitivity or Retention labels and capabilities comes with in the Office 365 E3 or Office 365 E5 license.

Why should you use Unified labels you say?

Well, in my opinion you should keep it as simple as posible for your users therefore by embracing the Unified labels within Office 365 users don`t have to think about using a labeling client to manage their labels. Unified labels are built into Office applications both web and installed ones and also embeded into the mobile applications. That meaning users can label on any device with application.

When using Azure Information Protection internal IT department of your company need to roll out the AIP Client to all machines and drawbacks here is that web applications and mobile applications are not eligable for this client.

So!

Start with creating some labels from Security & Compliance center and play arround crating watermarks, encryption and deploy to test users at first to be able to test your policies.

Head into https://protection.office.com/ and navigate to “Classifications -> Sensitivity labels” and from her create a new label

CD 
Home 
Alerts 
Permissions 
— Classification 
Sensitivity labels 
Retention labels 
Sensitive info types 
https://protection.office.com/sensitivity?viewid=sensitivitylabels 
Office 365 Security & Compliance 
Home > sensitivity 
Labels Label policies 
Sensitivity labels are used to classify email messages, documents, sites, and more. 
encrypt files, add content marking, and control user access to specific sites. Learn 
+ Create a label Publish labels C) Refresh 
Name 
Classified - Web only from not compliant clients 
Highly classified - Block access from not compliant devices

Follow through with the wizard

New sensitivity label 
o 
o 
o 
o 
o 
Name & description 
Encryption 
Content marking 
Endpoint data loss prevention 
Site and group settings 
Auto-labeling for Office apps 
Review your settings 
Name your label 
The protection settings you choose for this label will be immediately enforced on the files, email messages or sites to which it's applied. Labeled files will be protected wherever 
they go, whether they're saved in the cloud or downloaded to a computer. 
Name 
Classified 
Tooltip 
Enter text that helps users understand this label's purpose 
Description 
Enter a description that's helpful for admins who will manage this label

And when going through the Wizard you need to take some descisions on what the policy should do.

  • Encryption
    • Yes or no and what permissions should be set automatically to your files.
    • Should the access to the file expire on a givven date or days after encryption
    • Allow offline access to files could be convenient for some.
  • Should the content be watermarked?
  • Add DLP policy from the Entpoint (Windows Information protection WIP).
  • Use this label to protect Office365 groups (Teams and SharePoint sites also)
    • Here you can choose if the created SharePoint site, Teams or Office 365 Group should be have restricted access from unmanaged devices and such.
  • Use Autolable based on conditions
    • This feature require E5
    • You can automatically lable documents with for example Norwegian passport number is written in a document.

Thats it! You have created your first label – quite easy.

But before going big-scale you need to evaluate how your company should label documents. General, Confidential, Higly confidential and so on.

My best tip there is to create a table on the labels you think you need and describe the “rules” of when to apply the labels. Like financial data should maybe be labels highly confidential while some company flyers should have “General”.

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

AIP is deprecated, move to Unified labels now!

At 06.01.2020 Microsoft released the deprication notice for Azure Information Protection client and Label management in the Azure portal. The service is deprecated as of March 31, 2021.

The notice is telling us that within 15 months you all need to migrate all your labels from AIP in the Azure portal over to the new Unified label experience within Office 365 portals.

You find the new label management in several places;

So heres a easy pointer on how to migrate you labels from Azure Information Protection to Unified labels within Office 365.

Navigate to portal.azure.com and head into the Azure Information Protection pane.

From there click on “Unified Labeling” in the left menu and acitvate it.

When this is done you can start using the Unified labeling clients and stop rolling out the classic Azure Information Protection client.

Please keep in mind that you need to have a specific version of Office applications installed on your machine or phone.

  • Windows Desktop – 1910 or higher
  • Mac Desktop – 16.21 or higher
  • iOS mobile – 2.21 or higher
  • Android mobile – 16.0.11231 or higher

For the licensing part here is the license requirement to use Sensitivity labels.

  • Microsoft 365 E3 or above
  • Office 365 E3 or above
  • Azure Information Protection P1

For more advanced use like Automated labeling with sensitivity labels you need to go to E5

  • Microsoft 365 E5
  • Office 365 E5
  • Azure Information Protection P2

© 2020 IdefixWiki

Theme by Anders NorénUp ↑