Azure Information Protection (Day 1)

Azure Information Protection (AIP) is Microsoft’s classification, labeling and protection service for Office 365 (and, through the Rights Management connector, some on-premises Exchange, SharePoint and file servers). The concept is simple: classify files and emails, manually or automatically, and have protection settings (Azure Rights Management encryption plus usage rights such as view-only or do-not-forward) applied to those objects based on the classification. In practice you quickly get into a dizzying array of licensing combinations, administrative portals, and fluid naming conventions. We’ve spent a few days reading Microsoft’s documentation on AIP as we try to configure it in our own tenant and see what it takes to get it working for us. Here are a few things we learned today:

  • An AIP classification Label and an AIP Protection Template are the same thing. Or not. Templates are an artifact of Microsoft’s earlier attempts at data security (Azure Rights Management before labels existed). You can still use existing Protection Templates, but you cannot edit them or create new ones; the label is now where the protection settings live. Even Microsoft’s documentation sometimes uses the words “Label” and “Template” interchangeably.
  • Using the “Allow offline access” feature in AIP protection means users keep access for that many days after you’ve revoked it, and this is true even if the user is online. It appears the IRM client caches the use license it obtained and doesn’t go back to the service to revalidate until the offline access period expires, so neither a revocation nor a policy change is seen before then. This is counterintuitive: if the user is genuinely offline then all bets are off, but the current policy should apply whenever the user is connected. The practical consequence is that for labels where prompt revocation matters, the offline access window has to be short (or set to Never), at the cost of users needing to reach the service to open the content.
  • An E5 subscription seems like it should include AIP P2, but that hasn’t been our experience. We kept running into messages about not having access to premium AIP features even though we had E5 licenses applied. We are in the evaluation period, so maybe that’s the issue.
  • Custom labels – a feature I would imagine EVERYONE needs – can take up to 7 days to appear. We’ve made classification rule changes that aren’t working, and it’s difficult to know whether something is broken, our licensing is wrong, or the custom rules simply haven’t been committed by Microsoft yet.
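Because the offline access window is the revocation delay, the one check worth automating is “which of our encrypting labels allow offline access longer than we can tolerate?”. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes the unified-labeling cmdlets in Security & Compliance PowerShell (the ExchangeOnlineManagement module’s Connect-IPPSSession, Get-Label and Set-Label with its EncryptionOfflineAccessDays parameter), and it assumes Get-Label surfaces EncryptionEnabled and EncryptionOfflineAccessDays as properties under the same names as the Set-Label parameters. The threshold and the treatment of negative values as “unlimited” are assumptions to verify against your own tenant’s output.

```powershell
# Added example (not from the original post): audit the offline-access window
# on every encrypting sensitivity label and, with -Fix, tighten it.
# Assumes Security & Compliance PowerShell (ExchangeOnlineManagement module)
# and that Get-Label exposes EncryptionEnabled / EncryptionOfflineAccessDays.
param(
    [int]$MaxOfflineDays = 1,   # longest acceptable delay before a revocation is honoured
    [switch]$Fix                # change labels instead of only reporting them
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-IPPSSession         # interactive sign-in to the Security & Compliance endpoint

# Only labels that actually apply Rights Management encryption have an offline window.
$labels = Get-Label | Where-Object { $_.EncryptionEnabled -eq $true }
$findings = @()

foreach ($label in $labels) {
    $days = [int]$label.EncryptionOfflineAccessDays
    # Assumption: a negative value is how "always allow offline access" is stored.
    $unlimited = ($days -lt 0)

    if ($unlimited -or $days -gt $MaxOfflineDays) {
        $window = if ($unlimited) { 'unlimited' } else { "$days day(s)" }
        Write-Warning ("Label '{0}': offline access {1}; revoked content stays readable that long" -f $label.Name, $window)
        $findings += $label.Name

        if ($Fix) {
            # Set-Label -Identity accepts the label name; EncryptionOfflineAccessDays
            # only has effect when EncryptionEnabled is $true (already filtered above).
            Set-Label -Identity $label.Name -EncryptionOfflineAccessDays $MaxOfflineDays
            Write-Host ("  -> offline access set to {0} day(s)" -f $MaxOfflineDays)
        }
    }
    else {
        Write-Host ("Label '{0}': offline access {1} day(s), within policy" -f $label.Name, $days)
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All encrypting labels honour revocation within $MaxOfflineDays day(s)."
}
else {
    Write-Host ("{0} label(s) need attention: {1}" -f $findings.Count, ($findings -join ', '))
}
```

Run it once without -Fix to see the report, then with -Fix for the labels you are prepared to change. Remember the other point from this list: even after Set-Label succeeds, clients that already hold a cached use license keep it until that license’s original window runs out, so the tightened setting only helps for content opened after the change propagates.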

After a few days of looking under the covers, Microsoft AIP is good on the policy enforcement side, but policy administration is, like that of many enterprise technologies, not as easy as the vendor would have you believe. We’re not surprised by that; AIP must support an enormous number of use cases, and flexibility usually comes at the expense of usability. We’re going to keep working on this and will continue to write about our experiences. In the meantime, you’ll want some help from Microsoft or your Microsoft partner of choice if you’re looking at Azure Information Protection.