Tracking documents with Azure Information Protection


Blog post: 3 minute read.
[Update August 2017] Do Not Track Preview feature added to end of post

Azure Information Protection (AIP) is a cloud-based solution that helps protect an organization’s documents and emails. AIP provides protection for your data in 3 main ways:

  • Classification and Labeling
    • allows you to classify data at the time of creation or modification and stores the label as clear-text metadata embedded directly in the file (as document properties) and in email headers. This allows other services (Data Loss Prevention, for example) to read the classification and take further action. Because the label is stored in clear text with the document, it travels with the file and stays readable regardless of where the file ends up. Note that a label on its own does not encrypt anything; that is the next bullet. Refer to my recent blog post: AIP Labels: Keep it Simple (or KISS).
  • Protection and Use Rights
    • optionally protects data with persistent encryption so that only authorized users can access it. This ensures the data stays protected at all times, wherever it is stored and with whomever it is shared. The protection technology is Azure Rights Management (Azure RMS) in the cloud or Active Directory Rights Management Services (AD RMS) on-premises.
  • Tracking and reporting
    • lets users track the documents they have shared and revoke access if they suspect risky behaviour.
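The clear-text label described in the first bullet can be read without any AIP tooling at all, which is exactly what lets DLP act on it. The following PowerShell is an added example (not code from the original post or from Microsoft): it opens an Office file as the zip container it is, reads docProps/custom.xml, and collects the properties the AIP client writes under the MSIP_Label_<labelGUID>_<Attribute> naming convention. The file path in the usage line is a placeholder.

```powershell
# Added example, not from the original post: read the AIP label stored as
# clear-text custom document properties inside an Office file (docx/xlsx/pptx).
# Office files are zip containers; custom properties live in docProps/custom.xml
# and the AIP client names them MSIP_Label_<labelGUID>_<Attribute>.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AipLabelFromOfficeFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Resolve-Path: .NET's working directory can differ from PowerShell's location
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        $entry = $zip.GetEntry('docProps/custom.xml')
        if ($null -eq $entry) { return @() }   # no custom properties, so no label
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$custom = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }

    # Group every MSIP_Label_* property by label GUID so one object per label comes out
    $labels = @{}
    foreach ($prop in @($custom.Properties.property)) {
        if ($null -eq $prop) { continue }
        $name = $prop.GetAttribute('name')
        if ($name -match '^MSIP_Label_([0-9a-f-]{36})_(\w+)$') {
            $id = $Matches[1]; $attribute = $Matches[2]
            if (-not $labels.ContainsKey($id)) {
                $labels[$id] = [ordered]@{ LabelId = $id }
            }
            # The value sits in a typed child element, e.g. <vt:lpwstr>Confidential</vt:lpwstr>
            $labels[$id][$attribute] = $prop.FirstChild.InnerText
        }
    }
    foreach ($label in $labels.Values) { [pscustomobject]$label }
}

# Usage (placeholder path):
# Get-AipLabelFromOfficeFile -Path '.\Proposal Letter for Tailspin Toys.docx' | Format-List
```

Typical attributes returned are Enabled, Name, SiteId, Owner and SetDate. Since these are plain metadata, anything that can open the zip can read them, and can rewrite them just as easily; treat the label as a signal for DLP and similar services, not as a control, and rely on the protection (encryption) described in the second bullet for actual enforcement.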

This blog post will address the last bullet above – document tracking.

What is document tracking? It is a way to view who has accessed a document you have shared externally, when it has been accessed, and the geographical location it has been accessed from. Using this information, you can monitor access and revoke it if you see unexpected activity. Why would you want to do this? Imagine you have shared a sensitive document and notice it has recently been opened by someone on the other side of the world, which you deem unusual behaviour. This may prompt you to immediately revoke access to the document.

In AIP, there are 3 ways you can track your documents:

1 – Browse Directly to Website

Browse to the Azure Information Protection document tracking website: track.azurerms.com. If you are an administrator, you can view all documents that have been shared across your organization.

2 – Office Clients’ Ribbon

If you have the Azure Information Protection client installed, you will see a ribbon menu option to classify your document according to your organization’s AIP labels and to Track and Revoke your document from any of these Office clients (Word, Excel, PowerPoint). An example of this from Word 2016 is shown below:

[Image: Launching Document Tracking from the Word 2016 client]

3 – File Explorer Context menu

The third way, again with the Azure Information Protection client installed, is the ‘Classify and protect’ entry in the File Explorer context menu for your files (including non-Office files). This launches the Azure Information Protection client, which lets you classify the file with an AIP label and optionally protect it with custom permissions. From that client you can launch the document tracker by clicking Track and Revoke:

[Image: Classify and protect context menu in File Explorer]


Viewing My Document Activity

If you clicked Track and Revoke as above, you will be forwarded to the document tracking site at track.azurerms.com for a snapshot tracking summary of your document. The information presented to you is broken down into 5 tabs. Below is an example of a document I recently shared called ‘Proposal Letter for Tailspin Toys.docx’ and what you see in the Document Tracking website:

Tab 1: Summary

This is a graphical representation of your document and the activity surrounding it, including views and the number of times access has been denied. In the screenshot below, the bird carrying the document indicates the file is still shared and available (i.e. flying around) to those authorized to access it. You can also see the document has been viewed once. This is where you would revoke access if required (bottom bar).

[Image: Document Tracking Summary view]

Tab 2: List

This lists every access to your document and is where you would look to see who has opened it and whether there has been any suspicious activity around it. In the screenshot below, I shared the Proposal Letter for Tailspin Toys document with an external recipient (myself) at JOANNECKLEIN@NEXNOVUS.COM. You can see when I viewed it.

[Image: Document Tracking List view]

Tab 3: Timeline

This shows the activity timeline for your document by day.

[Image: Document Tracking Timeline view]

Tab 4: Map

This is a really cool feature. It shows geographically where the document was viewed from. I’m from Western Canada and the map below reflects that the document was viewed from that location. Once again, you would very easily be able to pick out suspicious activity on a shared file by using this map.

[Image: Document Tracking Map view]

Tab 5: Settings

This allows an end-user to request email notifications when someone tries to open the document or when access to the document is denied. It is a great way to be alerted, particularly for sensitive documents shared externally.

[Image: Document Tracking Settings view]


View Organization’s Shares

If you are an Administrator, you can browse directly to track.azurerms.com where you are authorized to view all shares from across your organization. As you can see in the diagram below, this is an audited action.

[Image: Administrator view of document shares, showing the audited action]

You can search by username or document name. This will bring up a list of documents that user has shared or a specific document if you entered a document name.

You can see the same sharing details as the individual user view however you can see it at an organizational-wide level.


[Update August 2017] Do Not Track feature

This feature was released in Preview mode in late June 2017 to address a privacy and compliance concern some organizations may have had with document tracking.

It allows you to define a group of users who should not be tracked. You create a group in Azure AD containing those users and register it with the PowerShell cmdlet Set-AadrmDoNotTrackUserGroup. The group could be a dynamic group based on a user attribute in Azure AD (the Audit department, for example).

Once set, document tracking activity is no longer recorded for members of the group from that point forward; activity recorded before the change is unaffected.
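The steps above, as an added example in PowerShell (not code from the original post or from Microsoft). It assumes the AADRM module is installed, that you hold an Azure RMS administrator account, and that a mail-enabled Azure AD group already exists; the group address below is a placeholder.

```powershell
# Added example, not from the original post: register the Azure AD group whose
# members are excluded from AIP document tracking, then confirm the setting.
# Requires the AADRM PowerShell module and an Azure RMS administrator account.
Import-Module AADRM

# Interactive sign-in as an Azure RMS / AIP administrator
Connect-AadrmService

# Mail-enabled group in Azure AD holding the users who must not be tracked.
# Placeholder address; the group is assumed to exist already, for example a
# dynamic group whose membership rule is user.department -eq "Audit".
$doNotTrackGroup = 'aip-do-not-track@contoso.com'

# The cmdlet takes a single group address, so running it again with a
# different group replaces the earlier one rather than adding to it.
Set-AadrmDoNotTrackUserGroup -GroupEmailAddress $doNotTrackGroup

# Read the tenant setting back; it should show the address just configured.
Get-AadrmDoNotTrackUserGroup

# To resume tracking for these users later (again on a go-forward basis):
# Clear-AadrmDoNotTrackUserGroup
```

The AADRM module has since been superseded by the AIPService module, where the equivalent cmdlet is Set-AipServiceDoNotTrackUserGroup; the parameter and behaviour are the same. Because membership of the group is what switches tracking off, treat changes to that group as a privileged operation and review them the way you would review any other exclusion from monitoring.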

For more information, check out the blogpost on Microsoft’s Enterprise and Security blog: Azure Information Protection “Do Not Track” feature now in Preview


Summary

Document tracking is an excellent way to monitor activity against your shared files and to take appropriate action if you see suspicious behaviour. Once again, user education is key to ensure your end-users know how to monitor their own document shares.

With the abundance of security and compliance features being rolled out across Office 365, it is becoming apparent that a “Data Protection 101” course will soon be a must for end-users… perhaps an idea for a blog series or presentation!

Thanks for reading.

-JCK

7 comments

  1. Hi,

    Is it possible to track documents that are not encrypted, but only have a label attached to them?

    Best regards
    Morten

    1. Hi Morten,
      No. Tested this out and the document needs to be protected (encrypted) before you will be able to track it.
      -JCK

  2. Nice post, even if I’ve just found it a couple of years later…
    I remember reading somewhere that Azure RMS block DLP from searching through documents. Do you know if that is valid (still)?

  3. Here is the link with a comment Azure RMS:
    https://docs.microsoft.com/nl-nl/office365/enterprise/microsoft-cloud-it-architecture-resources#file-protection-solutions-in-office-365

    While Azure Information Protection works with Azure Rights Management to apply protection, you do not need to encrypt your sensitive data to protect it in Office 365. We don’t recommend you encrypt Office 365 files using Azure Rights Management unless you have a business requirement that justifies the tradeoffs.

    If Azure Rights Management encryption is applied to files in Office 365, the service cannot process the contents of these files. Coauthoring, eDiscovery, search, Delve, and other collaborative features do not work. Data loss prevention can take action based on labels, but not on the contents of the files.

    So using Azure RMS means that you have to trust that the initial AIP label suffices, without subsequently being able to monitor changes in the document itself. Microsoft’s advice seems sound here: don’t use it unless you really need to.

  4. Good morning. I have now seen a white paper on AIP being replaced by MIP. So I have started preparing to move to MIP. I installed the Unified Client as instructed and started moving all my policies over etc. What I don’t see when selecting the Sensitive Icon in Word is Track and Revoke. Is this no longer available in MIP? Surely this was a selling point for us to use AIP. Or is there a setting that I have not checked in SCC? Regards Mark
