Blog post: 3 minute read.
[Update August 2017] Do Not Track Preview feature added to end of post**
Azure Information Protection(AIP) is a cloud-based solution that helps protect an organization’s documents and emails. AIP provides protection for your data in 3 main ways:
- Classification and Labeling
- allows you to classify data at time of creation/modification and stores a label embedded directly as metadata in files and email headers as clear text. This allows other services (Data Loss Prevention for example) to read the classification and take further action. Due to the fact the label is in clear text and stored with the document, it remains protected regardless of its location. Refer to my recent blog post: AIP Labels: Keep it Simple (or KISS).
- Protection and Use Rights
- optionally protects data by persistent encryption and allows only authorized users to access. This ensures data is protected at all times regardless of where its stored or with whom its shared. The protection technology uses Azure Rights Management (Azure RMS) in the cloud and Active Directory Azure Rights Management (AD RMS) on-premises.
- Tracking and reporting
- provides the ability for users to track their documents and revoke access if they suspect risky behaviours.
This blog post will address the last bullet above – document tracking.
What is document tracking? It is a way to view who has accessed a document you have shared externally, when it’s been accessed as well as the geographical location its been accessed from. Using this information, you can monitor access and revoke it if you see unexpected activity. Why would you want to do this? Imagine you have shared a sensitive document and have noticed it has been recently opened by someone on the other side of the world which you deem as unusual behaviour. This may prompt you to immediately revoke sharing access to the document.
In AIP, there are 3 ways you can track your documents:
1 – Browse Directly to Website
Browse to the Azure Information Protection website: track.azurerms.com. If you are an administrator you can view all documents that have been shared across your organization.
2 – Office Clients’ Ribbon
If you have the Azure Information Protection client installed, you will see a ribbon menu option to classify your document according to your organization’s AIP labels and to Track and Revoke your document from any of these Office clients (Word, Excel, PowerPoint). An example of this from Word 2016 is shown below:
3 – File Explorer Context menu
The third way is with the above Azure Information Protection client installed, you will see a context menu beside your files (including non-Office files) in File Explorer to ‘Classify and protect’. This will launch the Azure Information Protection client and allow you to classify your document with an AIP label as well as optionally protect your document with custom permissions. You can launch the document tracker by clicking Track and Revoke from that client:
Viewing My Document Activity
If you clicked Track and Revoke as above, you will be forwarded to the document tracking site at track.azurerms.com for a snapshot tracking summary of your document. The information presented to you is broken down into 5 tabs. Below is an example of a document I recently shared called ‘Proposal Letter for Tailspin Toys.docx‘ and what you see in the Document Tracking website:
Tab 1: Summary
This is a graphical representation of your document and the activity surrounding it including views and number of times access has been denied. In the screenshot below, the bird carrying the document indicates the file is still shared and is available (i.e. flying around) for those with authorization to access. As well, you can see the document has been viewed once. This is where you would revoke access if required (bottom bar). 
Tab 2: List
This lists all accesses for your document and where you would look to see who has opened your document and if there has been any suspicious activity surrounding it. In the screenshot below, I shared the Proposal Letter for Tailspin Toys document with an external resource (myself) at JOANNECKLEIN@NEXNOVUS.COM. You can see when I viewed it. 
Tab 3: Timeline
This lists the activity timeline for your document by day.
Tab 4: Map
This is a really cool feature. It shows geographically where the document was viewed from. I’m from Western Canada and the map below reflects that the document was viewed from that location. Once again, you would very easily be able to pick out suspicious activity on a shared file by using this map.
Tab 5: Settings
This allows an end-user to request notifications via email when either someone tries to open the document or access to the document is denied. A great way to be alerted particularly on sensitive documents being shared externally.
View Organization’s Shares
If you are an Administrator, you can browse directly to track.azurerms.com where you are authorized to view all shares from across your organization. As you can see in the diagram below, this is an audited action.
You can search by username or document name. This will bring up a list of documents that user has shared or a specific document if you entered a document name.
You can see the same sharing details as the individual user view however you can see it at an organizational-wide level.
[Update August 2017] Do Not Track feature
This feature was released in Preview mode in late June 2017 to address a privacy and compliance concern some organizations may have had with document tracking.
It allows you to create a group of users who should not be tracked. You add the users to a group stored in Azure AD via a PowerShell cmdlet Set-AadrmDoNotTrackUserGroup. You could create this as a dynamic group based on an attribute in AD (Audit department for example).
Once done, on a go-forward basis you will no longer be able to see document tracking activities for anyone belonging to the group.
For more information, check out the blogpost on Microsoft’s Enterprise and Security blog: Azure Information Protection “Do Not Track” feature now in Preview
Summary
Document tracking is an excellent way to monitor activity against your shared files and to take appropriate action if you see suspicious behaviour. Once again, user education is key to ensure your end-users know how to monitor their own document shares.
With the abundance of security and compliance features being rolled out across Office 365, it is becoming apparent that a “Data Protection 101” course will soon be a must for end-users… perhaps an idea for a blog series or presentation!
Thanks for reading.
-JCK