Showing posts with label AIP. Show all posts

Sunday 6 August 2023

Microsoft Purview DLP Policies

Overview: Microsoft Purview allows a company to create end device DLP policies and push them out to all client devices.

After you create policies, it takes up to 2 hours for them to update on end client devices and show on the "Device Monitoring" dashboard. The Client Analyser tool checks that endpoint client devices are getting the latest policies, and can speed it up. The device obviously has to be online to get the latest update.

WIP

Sunday 27 December 2020

AIP and Sensitivity Labels

Overview:  AIP has had many names and twists over the past few years.  The functionality has been improving, but the naming and changes made it difficult to implement well.  Finally, I feel Microsoft Azure Information Protection is implementable at scale.

Summary: Sensitivity labels allow documents and email to be classified in order to protect email and files. One can track and encrypt documents/email. You can also use sensitivity labels to protect SharePoint sites, Teams sites and Microsoft 365 Groups. Within AAD (B2C) I can assign sensitivity labels to Microsoft 365 Groups.

Tuesday 12 November 2019

Microsoft Information Protection


Check out my earlier post on AIP (Feb 2019)

End-to-end life-cycle for encrypting files using Azure Information Protection (AIP)


Use "Unified Labeling" to create labels



Note: Encrypting stops SharePoint being able to look into the content of the file. The labels and name are still searchable, but not the content of the file. eDiscovery, search and co-authoring don't work on AIP encrypted documents.

Cloud App Security (MCAS) Screen Shot


Tuesday 26 February 2019

Microsoft Information Protection Update

As of Feb 2019, Microsoft is still using Microsoft Information Protection (MIP) and Azure Information Protection (AIP) interchangeably, as this video from Ignite Oct 2018 highlights. Today I went to the Ignite tour and AIP and MIP are being used to mean the same topic that I'm referring to as AIP in this post.

MIP is a framework that includes AIP, the AIP scanner (file shares and SharePoint on-prem), DLP (cloud), RMS, Azure Advanced Threat Protection, MCAS (cloud) and Windows Information Protection (which integrates with and understands AIP labels). These need a central portal for monitoring: the "Security and Compliance Centre" (SCC).

The screenshot from the Ignite London presentation shows where AIP is today, as presented by Maayan Nasman Rand. The presentation was a good overview of AIP. The big improvement to AIP over the past 3 months is the Analytics/Monitoring: this was not working and now it's very good, but still in preview.


  • AIP is getting closer, but I feel the big missing piece is that the encryption used by AIP does not allow SPO to provide previews and, more importantly, search cannot index the data in SPO. Despite this key missing piece, I'd use it on O365 without encryption if I'm in a SharePoint store.
  • The native applications auto labelling is improving quickly.
  • The Auto-labeling feature is new and useful.
  • A few months ago, AIP labels were merged into the Security & Compliance Centre. Worth noting: if you had labels in AIP admin, you need to migrate the labels using the "Unified labelling" option, and the policies need to be manually brought into the Security & Compliance Centre.
  • Auto-labeling is now in the Mac Office suite and also it is coming to the Office apps in Droid and iOS (preview).
  • AIP is an add-on; new Office, Office for Mac and Android have the AIP plug-in already installed. It applies to all Office products including Outlook, Word, Excel, PPTX.
  • The UI ribbon for AIP in Office on Windows has also been updated to a new look.
  • Microsoft Cloud App Security (MCAS) has scanners to perform labelling (like AIP scanner) but also works on G Suite and Box; others are coming.
  • AIP Scanner works on file shares (CIFS) and SP2013 and SP2016 on-prem.
  • 3rd party product Adobe Pro does not yet have the ability to update labels, but it's coming soon (Jun 2020?). They use the SDK that developers can all use.
  • The Monitoring/Reporting is actually working; a year back it was flaky, and the UI and find-ability are much improved.
  • A couple of preview screens shown today:



Previous AIP Posts:
AIP - Protect your companies documents (Catching up to Symantec's product quickly)
SharePoint Saturday AIP Notes

Sunday 18 November 2018

Securing SharePoint O365

Microsoft outlines how it treats access to your company data, how your data is kept secure, and audit and availability; read this post. The information below notes possible settings and configuration to secure O365.

Azure AD is the key, ensure auth is 100%.  e.g. MFA for some or all accounts.  Use the "Identity Secure Score" to check possible problems.  Consider Microsoft Authenticator for MFA.

O365 Settings use:
  1. Secure Score - Overview of my tenant settings and how they should be set.  Check my tenant against set MS best practices for O365.
  2. Validate settings meet governance and are not merely defaults.
  3. Review SPO audit logs - ensure it is turned on (default is to have it turned off).
  4. Security and Compliance Dashboard - Good email checker/analysis.  Low value for SPO.

Cloud App Security (CAS) - service looks for security on O365 tenants, improving constantly.  CAS Overview.  Add-on or included in E5 plans.

Office 365 Advanced Threat Protection (ATP) - service to identify threats.  "ATP analyzes content that's shared and applies threat intelligence and analysis to identify sophisticated threats.", Microsoft.

To manage documents, use IRM on SPO and AIP on documents.

"Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to 1) Detect potential vulnerabilities affecting your organization’s identities 2) Configure automated responses to detected suspicious actions that are related to your organization’s identities 3) Investigate suspicious incidents and take appropriate action to resolve them".  More info.


Saturday 8 September 2018

SharePoint Saturday 2018 - Cambridge

Here is my slide deck from SharePoint Saturday Cambridge 2018  Introduction to Azure Information Protection (10 MB includes recordings)

Sessions I attended:
1. PowerApps Jump Start by Sandy Ussia
I got some useful pointers in this session, Sandy presents well and focused on business/citizen developers. 
2. Office 365 Security and Compliance with Albert Hoitingh and Daniel Laskewitz
This was two sessions and amazing.  Hands-on how it works and what I need to know.  Absolutely brilliant double session.  These guys really know AIP, DLP and O365 security.  Great info in a small focused setting.
3. Managing Content in O365 with Erica Toelle
I did not know Erica, I do now!  And wow she is good, she covered O365 security center, Cloud App Security (new service looks for security on O365 tenants) and AIP.  Great knowledge, humble and so easy to talk to.
4. My presentation on AIP, I cover a few points from Erica's session, as most of the audience were in both our sessions, I skipped over the info Erica already provided.
5. Containers with Anthony Nocentino
Amazing presenter - very engaging and I learnt a lot about containers.

A great conference, well organised - the sessions info were outrageous.  The speaker's dinner in Sidney Sussex College was quite an experience.  Thanks to the organizers:  Paul Hunt, Mark Broadbent, & Andy Dawson

Wednesday 30 May 2018

Azure Information Protection - Protect your companies documents

Azure Information Protection (AIP) can be used to protect documents owned by your organisation to ensure they are retractable, encrypted and visible to the correct people.


Technical High-Level Overview:  
1. When AIP is used to label a document, the document is encrypted and the permissions are saved within the document. The document needs to interact with the Azure RMS (AIG) Service.
2. When the document is opened, the end user needs to authenticate and get their permissions; if they have permission, the document is decrypted and opened.

Pre-Steps to get AIP working on a Word Document:
1.> On your Azure Portal go to Azure Information Protection to Activate AIP and add labels to the global policy.
2.> On a client machine with Word/Office, install the  Azure Information Protection Client add-in (AzInfoProtection.exe).  5 min video on setting up AIP on a client and introductory information.

3.> Open a Word document and set the label on the document; this shall encrypt the docx file.





Admin Demos:
1.> Creating Labels in Azure Information Protection - 2 min (3MB)
2.> Adding Labels to AIP Policies - 2 min (2MB)



Notes:

  • Event Driven Protection
  • Auto classify 
  • Office document labels (Azure retention labels)
  • E-Discovery relook
  • Joanne-cklein.com data 
  • AIP works doc-centric: pdf and office docs anywhere
  • O365 DLP is SPO, OD4B, application level controlled

Azure Information Protection scanner for automated classification requires the AIP Premium P2 licence.
Document tracking and revocation requires either the P1 or P2 AIP licence.  The O365 E3 does not have the revocation and tracking included.



Common Issues:

Problem:  Added a new label and it is showing in Office; when I try to set the new label I receive the error "Azure Information Protection cannot apply the label because the client isn't fully configured..."



Resolution: Give it time to propagate the update made to the labels in Azure, or use the Azure RmsAnalyzer tool to fix the client machine.

Problem:  Can't view on OWA.  
Resolution:  Protected encrypted documents are not available in Office Web Apps, use the Office products such as Word.

Problem:  I can't track or revoke a file with my O365 E3 account.

Resolution:  Only people that need to track need this capability so you can get away with far fewer licences than the number of users. 


AIP Folks to follow 
Bram de Jager

Jethro Seghers
https://jethroseghers.com/category/azure/azure-information-protection/
Albert Hoitingh