Office 365 includes a range of information security and protection capabilities. These capabilities are first set in Azure and then applied across the Office 365 environment, including in Exchange and SharePoint Online. This post focuses on the application of these capabilities and settings to SharePoint Online.
Enterprise E3 and E4 plans include the ability to protect information in Office 365 (Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business). If you don’t have one of those plans you will need a subscription to Microsoft Azure Rights Management.
Enabling Information Protection in Azure
The following steps must be carried out the first time Information Protection is enabled on Azure:
- Log on to Azure (as a Global Administrator).
- On the hub menu, click New. From the MARKETPLACE list, select Security + Identity.
- In the Security + Identity section, in the FEATURED APPS list, select Azure Information Protection.
- In the Azure Information Protection section, click Create.
This creates the Azure Information Protection section so that the next time you sign in to the portal, you can select the service from the hub ‘More Services’ list.
Default Azure Information Protection policies
There are four default levels in Azure Information Protection:
- Public
- Internal
- Confidential
- Secret
Once configured, these levels are applied to content as labels. Sub-labels and additional labels may also be created, as necessary, via the ‘+ Add a new label’ option.
The configuration settings (screenshot of the label blade omitted here) are as follows:
Each of these label/level settings may:
- Be enabled or disabled
- Be colour-coded
- Include visual markings (the ‘Marking’ column)
- Include conditions
- Include additional protection settings.
Each includes a suggested colour and a recommended tooltip, which are accessed via the three-dot menu to the right of each label.
Markings
When enabled for a label, visual markings (a header, a footer or a watermark carrying text such as the label name) are added to any document to which that label is applied.
Conditions
Conditions apply a label when specified content is detected, for example credit card numbers in the text. The organisation defines what each condition matches, how many matches are needed (Occurrences), and whether the label is then applied automatically or only recommended to the user.
Global Policy Settings
In addition to the settings per level, there are three global policy settings:
- All documents and emails must have a label (applied automatically or by users): Off/On
  - When set to On, every saved document and sent email must carry a label. The label may be assigned manually by a user, automatically as the result of a condition, or by default (via the ‘Select the default label’ option).
- Select the default label:
  - This option sets the label assigned to documents and emails that do not otherwise have one.
  - Note: A label with sub-labels cannot be set as the default.
- Users must provide justification to set a lower classification label, remove a label, or remove protection: Off/On [Not applicable to sub-labels]
  - When set to On, users are prompted for a justification before lowering the classification, removing a label or removing protection. The action and the justification given are logged in the user's local Windows event log (Application > Microsoft Azure Information Protection); note that this record exists only on the user's machine.
Custom Site
A custom site may be set up for the Azure Information Protection client ‘Tell me more’ web page.
Unique ‘Scoped’ Policies
In addition to the default policies listed above, a unique policy may be created. These are called Scoped Policies.
Enabling (and Disabling) Azure Information Protection
The steps above define the labels. A label does not protect (encrypt) anything until an Azure RMS template is attached to it; the steps below attach one, and the same blade is used to remove protection from a label.
From the Azure Information Protection section, click on the label to be set, then click on Protect. This action opens the Permission settings section.
Select Azure RMS and ‘Select template’, then open the drop-down and choose the template for this label. The default templates are named after the tenant, e.g. ‘(Your Company Name) – Confidential’.
Click ‘Done’ to enable this label and repeat for the others.
Note: If a new template is created after the Label section is opened, close the section and select the label again, so that the newly created template is retrieved from Azure.
Removing Protection
To apply a label that has the Remove Protection option, users must already hold the right to remove Rights Management protection from the content: the Export usage right (for Office documents) or the Full Control usage right, or they must be the Rights Management owner (which automatically grants Full Control), or a super user for Azure Rights Management. The default Rights Management templates do not include the usage rights that let users remove protection.
If users do not have permissions to remove Rights Management protection and select this label with the Remove Protection option, they see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.
Additional notes
If a departmental template is selected, or if onboarding controls have been configured:
- Users who are outside the configured scope of the template or who are excluded from applying Azure Rights Management protection will still see the label but cannot apply it. If they select the label, they see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.
- All templates are always shown, even if only a scoped policy is configured. For example, with a scoped policy for the Marketing group, the Azure RMS templates offered for selection are not restricted to those scoped to Marketing, so it is possible to attach a departmental template that the selected users cannot use. To make such mistakes easier to spot later, name departmental templates to match the labels in the scoped policy.
Once these settings are made, they need to be published (via the ‘Publish’ option) to become active.
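The following is an added example, not code from the original post, covering the checks a practitioner wants before relying on these labels: whether Azure RMS is activated for the tenant, whether onboarding controls restrict who can apply protection, who the super users are (the accounts that can always remove protection), and how to publish a departmental template that grants the EXPORT right so a ‘remove protection’ label works for the group it is scoped to. It uses the AADRM PowerShell module that managed Azure RMS in 2017 (later renamed AIPService, with the cmdlets renamed to Connect-AipService, Get-AipServiceSuperUser and so on); every e-mail address, group and template name is a placeholder.

```powershell
# Added example (not from the original post). Uses the AADRM module that was
# current for Azure RMS in 2017; addresses, groups and template names below
# are placeholders.

Import-Module AADRM
Connect-AadrmService                      # prompts for Global Administrator sign-in

# 1. Nothing is protected until Azure RMS is activated for the tenant.
#    Enable-Aadrm does what the Activate button in the Office 365 Admin Portal does.
if ((Get-Aadrm) -ne 'Enabled') { Enable-Aadrm }

# 2. Onboarding controls. When protection is restricted to one security group,
#    users outside it still see protected labels but cannot apply them
#    ("Azure Information Protection cannot apply this label").
$onboarding = Get-AadrmOnboardingControlPolicy
if ($onboarding.SecurityGroupObjectId) {
    Write-Warning ("Protection is limited to group {0}; users outside it cannot apply protected labels" -f
        $onboarding.SecurityGroupObjectId)
}

# 3. Super users can read and remove protection from any content in the tenant.
#    Audit the list; it should be short and limited to recovery/eDiscovery accounts.
if ((Get-AadrmSuperUserFeature) -eq 'Enabled') {
    Write-Host 'Super user feature is enabled; current super users:'
    Get-AadrmSuperUser
} else {
    Write-Host 'Super user feature is disabled (no account can bypass protection)'
}
# Add-AadrmSuperUser -EmailAddress 'rms-recovery@contoso.com'   # how one would be added

# 4. A departmental template whose usage rights include EXPORT, so members of the
#    scoped group can apply a label that removes protection. The default templates
#    grant neither EXPORT nor OWNER, which is why that label fails for most users.
#    The template is named to match the label in the scoped policy.
$rights = @(
    New-AadrmRightsDefinition -EmailAddress 'marketing@contoso.com' -Rights 'VIEW', 'EDIT', 'EXPORT'
    New-AadrmRightsDefinition -EmailAddress 'marketing-owners@contoso.com' -Rights 'OWNER'
)
Add-AadrmTemplate -Names @{ 1033 = 'Contoso - Marketing Confidential' } `
    -Descriptions @{ 1033 = 'Marketing staff may view, edit and save an unprotected copy' } `
    -RightsDefinitions $rights `
    -ScopedIdentities 'marketing@contoso.com' `
    -LicenseValidityDuration 7 `
    -Status Published

# 5. Confirm the template is published. It shows up in a label's "Select template"
#    list only after the label blade is closed and reopened.
Get-AadrmTemplate
```

Run this as a Global Administrator before wiring templates to labels in the portal; if step 2 warns, the users who will be given a protected label must be members of the group it names, or they will get the ‘cannot apply this label’ message described above.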
Enabling Information Protection in Office 365
Activating Information Protection in the Office 365 Admin Portal
Once they have been configured and published, it is then necessary to enable the required settings in the Office 365 Admin Portal (Settings > Services & add-ins > Microsoft Azure Information Protection).
To do this, log on to the Office 365 Admin Portal (as a Global Administrator) then click on ‘Services & add-ins’ under Settings. Click ‘Activate’ to activate the service.
Activating Information Protection for Exchange and SharePoint Online
Once the service is activated for Office 365, it can then be activated in the Exchange and SharePoint Admin Centres. In SharePoint Online this is done via the Admin Center section ‘Settings’ and ‘Information Rights Management (IRM)’.
Configuring SharePoint and SharePoint Libraries for IRM
As at 12 March 2017, it is only possible to link Azure Information Protection classification policies with SharePoint Online if a new site is created via the SharePoint end user portal, as it appears as an option when enabled. Sites created via the SharePoint Admin Portal do not (yet) include the option to apply a protection classification.
If the creation of sites via the SharePoint end user portal is enabled, users with appropriate permissions (e.g., Owners with Full Control) can apply Information Rights Management to SharePoint libraries in their sites.
IRM is switched on per library or list, via Library Settings > Permissions and Management > Information Rights Management.
Tick ‘Restrict permissions on this library on download’. Only one IRM policy can be set per library.
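The following is an added example, not code from the original post, that switches IRM on for one SharePoint Online document library using the SharePoint client object model (CSOM) and reads the settings back, which is what the ‘Restrict permissions on this library on download’ check box does in the UI. It assumes IRM has already been activated at tenant level in the SharePoint Admin Center, that the SharePoint Online Client Components SDK is installed at the path shown, and that the tenant still accepts username/password sign-in via SharePointOnlineCredentials; the site URL, library title and admin account are placeholders.

```powershell
# Added example (not from the original post): enable IRM on one library via CSOM.
# Assumes tenant-level IRM is already on, the SharePoint Online Client Components
# SDK is installed at $sdk, and SharePointOnlineCredentials is still accepted.
# Site URL, library title and admin account are placeholders.

$sdk = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI'
Add-Type -Path (Join-Path $sdk 'Microsoft.SharePoint.Client.dll')
Add-Type -Path (Join-Path $sdk 'Microsoft.SharePoint.Client.Runtime.dll')

$siteUrl      = 'https://contoso.sharepoint.com/sites/finance'   # placeholder
$libraryTitle = 'Board Papers'                                    # placeholder
$cred = Get-Credential -UserName 'spo-admin@contoso.com' -Message 'SharePoint Online admin'

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

$list = $ctx.Web.Lists.GetByTitle($libraryTitle)
$ctx.Load($list)
$ctx.Load($list.InformationRightsManagementSettings)
$ctx.ExecuteQuery()

if ($list.IrmEnabled) {
    Write-Warning "IRM is already on for '$libraryTitle' with policy '$($list.InformationRightsManagementSettings.PolicyTitle)'; a library holds one policy, so this overwrites it"
}

# Equivalent of ticking "Restrict permissions on this library on download".
$list.IrmEnabled = $true
$list.IrmReject  = $true          # refuse uploads of file types IRM cannot protect

$irm = $list.InformationRightsManagementSettings
$irm.PolicyTitle       = 'Board Papers - Confidential'
$irm.PolicyDescription = 'Downloaded copies stay encrypted; no printing or unprotected Save As'
$irm.AllowPrint        = $false
$irm.AllowWriteCopy    = $false   # viewers cannot save an unprotected copy
$irm.AllowScript       = $false
$irm.EnableDocumentAccessExpire = $true
$irm.DocumentAccessExpireDays   = 30    # downloaded copies stop opening after 30 days
$list.Update()
$ctx.ExecuteQuery()

# Read back to confirm the change was persisted server-side, not just set on the proxy.
$ctx.Load($list)
$ctx.Load($list.InformationRightsManagementSettings)
$ctx.ExecuteQuery()
[pscustomobject]@{
    Library        = $list.Title
    IrmEnabled     = $list.IrmEnabled
    IrmReject      = $list.IrmReject
    Policy         = $list.InformationRightsManagementSettings.PolicyTitle
    AllowPrint     = $list.InformationRightsManagementSettings.AllowPrint
    AllowWriteCopy = $list.InformationRightsManagementSettings.AllowWriteCopy
    ExpireDays     = $list.InformationRightsManagementSettings.DocumentAccessExpireDays
}
```

The read-back at the end matters: CSOM property writes are only sent on ExecuteQuery, and an earlier failure (for instance tenant-level IRM not yet activated) leaves the library unprotected while the local object still reports IrmEnabled as true.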
Assigning Information Protection labels to Office documents
[NOTE: for clients that have installed (desktop) versions of Office, the Azure Information Protection client must be installed on the desktop. See this page for more information: https://docs.microsoft.com/en-us/information-protection/get-started/infoprotect-tutorial-step3]
When labels are configured and enabled, they can be assigned to a document or email automatically, or users can be prompted to select the label that you recommend:
- Automatic classification applies to Word, Excel and PowerPoint when files are saved, and to Outlook when emails are sent. Automatic classification does not override a label that was previously applied manually.
- Recommended classification applies to Word, Excel and PowerPoint when files are saved.
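The following is an added example, not code from the original post, that labels Office files on a file share in bulk with the PowerShell module installed alongside the Azure Information Protection client and reports the outcome, leaving files a user has labelled manually untouched, in line with the rule above that automatic classification does not override a manual label. It assumes the session runs as a user who has signed in to the AIP client (so the label policy has been downloaded); the share path and the label ID are placeholders, the real ID being copied from the label's blade in the Azure portal.

```powershell
# Added example (not from the original post): bulk-label Office files with the
# AIP client's PowerShell module. Assumes the running user is signed in to the
# AIP client. Share path and label ID are placeholders.

Import-Module AzureInformationProtection

$root    = '\\fileserver\finance\2017'                     # placeholder share
$labelId = '00000000-0000-0000-0000-000000000000'           # placeholder label ID
$officeFiles = '*.docx', '*.xlsx', '*.pptx'

$files  = Get-ChildItem -Path $root -Recurse -File -Include $officeFiles
$report = foreach ($file in $files) {
    $status = Get-AIPFileStatus -Path $file.FullName
    if ($status.IsLabeled -and $status.LabelingMethod -eq 'Manual') {
        # Respect the user's explicit choice: only unlabelled or automatically
        # labelled files are relabelled here.
        [pscustomobject]@{ File = $file.FullName; Action = 'Skipped'; Detail = "manual label: $($status.MainLabelName)" }
        continue
    }
    $result = Set-AIPFileLabel -Path $file.FullName -LabelId $labelId
    [pscustomobject]@{ File = $file.FullName; Action = $result.Status; Detail = $result.Comment }
}

$report | Format-Table -AutoSize

# Spot-check one file: IsRMSProtected is True only if the label carries protection,
# which is the difference between a classified file and an encrypted one.
if ($files) {
    Get-AIPFileStatus -Path $files[0].FullName |
        Select-Object FileName, MainLabelName, LabelingMethod, IsRMSProtected
}
```

A label without an attached Azure RMS template only classifies the file (IsRMSProtected stays False); the spot-check at the end makes that visible, which is easy to miss when the report shows every file as ‘Success’.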
Applying the policies to Exchange and Office
The site below describes how to apply these policies to Exchange and Office applications. These are not discussed further here.