Azure Information Protection (Day 2)

This is the second in a series of posts documenting our experiences and impressions with Azure Information Protection. Here are a few things we learned today:

  • The Policy setting “All documents and emails must have a label (applied automatically or by users)” should be disabled. When doing manual classification of emails and files, forcing users to classify all their public information as public quickly becomes a waste of time. If you want to have a label applied to all files and emails, use an automated data classification solution.
  • I use my Outlook client to manage both my work and personal email accounts. After enabling AIP for my work domain and installing the AIP client, I now have to also classify all my personal emails. Automatic labels are also getting applied to my personal emails.
  • The Labels we configured yesterday to automatically apply are working today. That is much faster than the “up to 7 days” that Microsoft has documented. This is good news, but it’s still far from instantaneous, which makes it difficult to refine data classification Labels and policies.
  • AIP is identity-centric and gets confused when you have multiple Microsoft accounts that you use on the same machine. We think this is a corner case but, again, it can cause confusion when testing and trying to simulate exchange of information between companies. It’s probably not a big deal in the real world.
  • Labels applied explicitly take precedence over labels applied automatically. I’d prefer it were the other way around. Consider a file explicitly labelled Public by a user but then the file gets updated to contain sensitive information. The automated rule set to identify those conditions wouldn’t get applied. If you can’t already tell, we’re big believers in automated data classification.
  • Labels do not “federate” from one company to another but you might be able to automatically apply Labels based on the presence of a label set outside the domain. If this statement doesn’t make sense, don’t worry. Tomorrow, we’re going to get into more detail about this.