Azure Information Protection (AIP) is used to label, classify and protect documents and emails across apps and services. Within the Azure portal, you can now also apply usage rights to documents and emails labeled with AIP using the Azure Rights Management service. A truly powerful combination.
What is meant by usage rights? These are the kinds of things you’ll be able to do with the document/email when it’s protected by an AIP label. Things like printing, copying, editing, forwarding, and saving! (all usage rights shown below)
You can select from predefined roles (Co-Owner, Co-Author, Reviewer, Viewer) or build a custom one. Let’s walk thru an example of how to apply usage rights to an AIP label to show what the experience is like for anyone opening a document or receiving an email labeled with it.
Microsoft documentation: Configuring usage rights for Azure Rights Management
There are several scenarios I can think of in a typical organization where this kind of functionality might be required. Here’s a few:
- A secret project where no one on the project team should be allowed to copy or print any of the documents within or forward any of the emails for the project. This could be accomplished by configuring a scoped label and usage rights!
- Anything labeled Top Secret should never be printed, copied, downloaded, edited or forwarded in an email except by the creator. This could be accomplished by configuring usage rights on the Top Secret label in the global policy.
Let’s walk thru the second example above.
Step 1: Define a Top Secret AIP label
Add a Top Secret label within the tenant’s Global policy in the Azure portal. These labels will be visible to everyone across the tenant. Define any required visual markings (header, footer, watermark) and conditions for the label.
To enable usage rights for documents and emails, select Protect.
Step 2: Configure protection settings for the user/group
For this example, I’ll define everyone in the tenant domain as a Viewer for this label, however you can choose individual users, security groups, and even external domains.
The Viewer permission role grants the usage rights checked below:
Note: the account that protects a document/email using Azure Rights Management service becomes the Rights Management Issuer and Owner of the content. This means they will always have Full Control of the document/email even if they are included in a group you have defined in the Protection setting. In this example, even though I’m part of the tenant domain above, I will have Full Control if I created and labeled the document (thereby applying the protection).
Publish the policy changes.
Step 3: Create a document and label it Top Secret
I’ll create a document for my favorite chocolate brownie recipe and label it with the Top Secret label. There’s no way I want anyone copying that! 🙂
What does the document owner see? When I open the document and click the View Permission button on the yellow protection bar (below), the dialog pop-up displays the full control permission level for this document. I’m able to perform all of those functions on this document in Word.
What do all other document viewers see? When anyone we’ve associated to the Viewer role (tenant domain in this example) opens the document, they will only be allowed to view it (I couldn’t screenshot this due to the usage right!) I’ve logged in as another user in this tenant. When they click the View Permission button, the dialog pop-up displays the usage rights for this document (below). They cannot edit, copy, print, save, or export the document – those menu options are now disabled for them in Word. Very cool!
A copy is a copy is a copy…
Since the Copy usage right is turned off, I could not take a screen shot of the document for this blog post. Copy means copying any of the data, including screen captures and video recording, from the content. The only record-able piece of content was the permission pop-up shown above.
Step 4: Send an email labeled Top Secret
What does the sender see? The sender (owner) of the email can see and do anything with the email once it’s labeled Top Secret. Below I’m showing what it looks like when an owner opens the email from a phone and from the desktop client. The text and header shown will be removed if a recipient tries to forward the message however.
What does the recipient see? Although I can’t copy the image for what a recipients sees due to the usage right, if they try to forward the email, the contents of the message circled above is removed and a message is inserted where the text previously was with the text below:
Note: This conversation is restricted, so you might not be able to cut or copy from it. See the information above the To line for more details. Also, while the conversation is restricted, the conversation owner can send the message to other people.
I think combining usage rights directly with AIP in the Azure portal is a solid step forward in an organization’s data protection journey. Lots of planning will need to go into determining if permission roles will be associated to each label and what those will be. I recently blogged about creating an AIP Planning OneNote notebook to document your organization’s AIP configuration. Make sure you add any Rights Management protection settings into it as well (AIP Planning OneNote).
When the settings are in place, why not run a pilot group to see how information workers in your organization will adjust to this new experience? Based on their feedback, put training in place for the organization-wide roll-out.
AIP and usage rights. A simple configuration with a big impact.
Thanks for reading.
you have not shown how you would create a top secret label with access permissions, which is vital.
I’ve shown how to protect the document to make everyone in the domain have viewer access permissions (except for owner). What do you want?