In this session for the 2022 edition of the Scottish Summit in Glasgow, I presented on Microsoft Information Protection. Subjects included the different clients, auto-classification, email protection and customization options using PowerShell.
4. #ScottishSummit2022
Speaker
Albert Hoitingh
InSpark
• 25+ Years Experience in IT (sigh….)
• Microsoft Purview consultant
• CISSP and Microsoft MVP
• History enthusiast
“Has Microsoft renamed anything yet?”
linkedin.com/in/appieh
alberthoitingh.com
twitter.com/alberthoitingh
albert.hoitingh@gmail.com
https://tinyurl.com/eadfn442
5. …the FBI recovered a blue 16GB SanDisk SD card…
…the SD card was wrapped in plastic and placed between two
slices of bread on half of a peanut butter sandwich….
Picture and information courtesy of: How a Navy veteran allegedly stole classified submarine docs (taskandpurpose.com)
6. The Topics for today
Microsoft Purview
Labels overview
Encryption
Clients & Advanced settings
Tips & tricks
Wrapping up
7. Microsoft Purview Portfolio
Prevent Insider Risks
Insider risk management
Communication compliance
Information barriers
Privileged access management
Customer Lockbox
Compliance management
Compliance Score
Compliance Manager
Built-in templates
Insights and auditing
Search
eDiscovery Standard | Premium
Microsoft Defender for Cloud Apps
Audit Standard | Premium
Privacy Management Dashboard
Information protection
Sensitivity labels & encryption (mails, documents,
sites, groups, PowerBI, data)
Double key encryption
Office 365 message encryption
Data Lifecycle Management
Data classification | Machine Learning
Sensitive Information Types
Records management & disposition
Archive 3rd party information
Metadata
Prevent data loss
Data loss prevention
Endpoint data loss prevention
On-premises data loss prevention
Non-Microsoft cloud apps
9. Across platforms
On-premises: Classify and label data in on-premises repositories, including fileshares and SharePoint Server.
Office Apps: Label and protect Office files on Windows, Mac, iOS, Android and web.
SPO | EXO | Teams | PowerBI: Label and protect access to Microsoft Teams, SharePoint Online sites and PowerBI reports and dashboards. Office 365 Message Encryption. Label content automatically when at rest.
Non-Microsoft cloud: Use Microsoft Defender for Cloud Apps to extend the labeling to platforms like Box and Google Workspace.
Unified classification, labeling and protection for sensitive information
12. Documents and e-mails
• Label added as metadata
• Label stays with document
• Can be configured to:
• Apply visual markings
• Encrypt the document
• Allow offline access
• Work within DLP policies
• Works with a hierarchy, parents/sublabels
• Does not provide retention!
13. Containers
• Microsoft Teams | Microsoft 365 Groups | SharePoint Online sites
• Privacy | External user access
• Sharing settings for SharePoint Online
• Azure AD Conditional Access rules
• No "default label" for documents
• Specific label policy option
• Document and container labels interact
14. Containers
Microsoft Purview (or Azure Purview as it was known) – see session by Erwin de Kreuk - SQL | Azure SQL | Azure Synapse | Azure Cosmos | Amazon AWS S3
PowerBI – apply label on download
17. Encryption and labels
• Uses Azure Rights Management
• Requires Azure AD (or Microsoft Live) accounts
• Microsoft Managed Keys | Bring Your Own Key | Double Key
• RMS Connector for Exchange on-premises
Microsoft Managed (Azure) key details
• Content protection: Symmetric AES 128/256 bit
• Key protection: Asymmetric RSA 2048 bit
• Certificate signing: SHA-256
18. Encryption and labels - beware
• Licensing requirements & limitations
• Azure AD accounts
• Working with guest users
• Co-authoring and auto-save for Office (next)
19. Filetypes are important
• Some types only support labeling (no encryption)
• Opening encrypted files:
• Web-browser
• Office and PDF files: native clients and Edge
• Other supported files: AIP Viewer client
• Beware the file extension
20. Co-authoring and auto-save
• Not possible in Office apps when encryption is enabled
• Web-browser does support this
• Can be enabled using GUI
• But also PowerShell
• Changes labeling metadata
• Some limitations apply!
• https://alberthoitingh.com/2021/12/01/new-metadata-model-mip/
21. As for e-mails
Outlook with UL client
• E-mail can inherit label from attachment
• Office attachments inherit settings from e-mail
Specific options (mind the attachments):
• Do not forward (or print, save)
• Encrypt only
22. As for e-mails
Beware!
• Encrypt only (using a label) is only available in integrated client
• Do not forward and encrypt can also be set without labels (Options | Encrypt)
25. Different clients
AIP v1.x (Classic client): deprecated, do not use
UL v2.x (Unified labeling): installable, integrated with Windows desktop; as of 1/1/2022 in maintenance mode
Office Integrated (Built-in Office apps, Microsoft 365): no install needed
Other (Mobile clients, Adobe Acrobat, RMS Sharing): can read label information; more functions to come
29. Auto-classification – Office Apps
• Uses a tooltip within Office apps (Word, Excel, Outlook and PowerPoint)
• Either recommend the label or automatically apply it - set in the label itself
• Works in Office apps and Office Online – beware the differences
• Outlook requires an advanced policy setting for matching highest classification
• Some differences between Windows, Mac and mobile
• Uses sensitive information types and/or trainable classifiers
30. Auto-classification – Data @ rest
• Automatic classification for SharePoint Online, OneDrive for Business and Exchange Online
• SPO/OfB: Word, Excel, PowerPoint
• EXO: PDF attachments
• Some limitations:
• List attachments are not supported
• Open files cannot be auto-labeled
• Maximum of 25,000 files per day
• Maximum of 100 policies per tenant, each max 100 sites
• Parent labels cannot be used
• Existing metadata are not changed
• Uses sensitive information types
31. Auto-classification – non-Microsoft cloud
• Automatic classification using file-policies in Microsoft Defender for Cloud Apps (on access)
• Requires integration with MIP
• Works with Word, Excel, PowerPoint and PDF documents
• Works for Box and Google Workspace - more cloud apps will be supported in future
• Amazon AWS S3 is supported using Azure Purview
32. Auto-classification – on-premises
• Automatic classification for on-premises fileshares, SharePoint Server and NAS storage
• Uses the Azure Information Protection scanner
• Requires the Unified Labeling client
• Also used for on-premises DLP
35. Advanced configurations
(Get-Label -Identity "labelname").ImmutableId
Get the label id, needed in other cmdlets
Set-Label -Identity "labelname" -AdvancedSettings @{color="#40e0d0"}
Specify the color of a label – option not available in the GUI
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{DisableMandatoryInOutlook="True"}
Exempt Outlook messages from mandatory labeling – the GUI policy applies to documents and email messages
36. Advanced configurations
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{EnableCustomPermissions="False"}
Disable the custom permissions option in the Windows File Explorer
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{OutlookWarnUntrustedCollaborationLabel="labelid"}
Warn, justify or block labeled messages or messages with specific labeled attachments using a default message
37. Advanced configurations
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{OutlookJustifyTrustedDomains="contoso.com,fabrikam.com"}
Disregard the warn, justify or block action for specific (trusted) domains
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
Remove the encryption from email attachments when downloaded using the browser – when "Encrypt only" is used
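The cmdlets on slides 35 to 37 combined into one script, as an added example that is not part of the presentation: it connects to Security & Compliance PowerShell (ExchangeOnlineManagement module), applies the settings and then reads them back, because advanced settings only show up in the Settings collection, not in the portal. The label name "Confidential", the policy name "Global" and the two domain names are placeholders.

```powershell
# Added example (not from the presentation): apply the advanced settings from the slides
# and read them back. Requires the ExchangeOnlineManagement module and a compliance admin.
# "Confidential", "Global" and the domains are placeholder values.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName  = "Confidential"
$policyName = "Global"

# Label id, needed by the Outlook collaboration settings below
$labelId = (Get-Label -Identity $labelName).ImmutableId

# Label colour: an option the portal does not expose
Set-Label -Identity $labelName -AdvancedSettings @{color = "#40e0d0"}

# Policy-level settings; one key per call so a rejected value is easy to attribute
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{DisableMandatoryInOutlook = "True"}
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{EnableCustomPermissions = "False"}
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{OutlookWarnUntrustedCollaborationLabel = "$labelId"}
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{OutlookJustifyTrustedDomains = "contoso.com,fabrikam.com"}

# Verify: advanced settings appear as key/value pairs in the Settings collection
(Get-Label -Identity $labelName).Settings
(Get-LabelPolicy -Identity $policyName).Settings
```

Run the two Get calls again after the policy has synced to the clients; a setting that is present in Settings but not yet visible in Outlook usually just needs the client policy refresh.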
38. Create your own warning
• Warn, justify or block labeled messages or messages with specific labeled attachments using a custom message
• Message and settings are configured using a .json-file
• Multiple rules can be set up, all are numbered
• Be very careful...
$filedata = Get-Content "policyfile.json"
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{OutlookCollaborationRule_1="$filedata"}
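The "be very careful" on this slide deserves a check before the Set-LabelPolicy call. As an added example that is not part of the presentation, the script below reads the rule file as a single string, confirms it parses as JSON and confirms that every GUID-shaped value in it is the ImmutableId of an existing label, so a typo does not silently produce a rule that never fires or fires on the wrong label. The rule file itself must follow Microsoft's documented popup-message JSON format, which is not reproduced here; the policy name and file path are placeholders.

```powershell
# Added example (not from the presentation): validate a collaboration rule file before
# pushing it into the label policy. Policy name and path are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Global"
$ruleFile   = ".\policyfile.json"

# -Raw keeps the file as one string; ConvertFrom-Json needs that in Windows PowerShell 5.1
$filedata = Get-Content $ruleFile -Raw
try {
    $null = $filedata | ConvertFrom-Json
} catch {
    throw "Rule file is not valid JSON: $($_.Exception.Message)"
}

# Every GUID in the rule must be a known label id (ImmutableId, as used on slide 35)
$knownIds    = @((Get-Label).ImmutableId | ForEach-Object { "$_" })
$guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
[regex]::Matches($filedata, $guidPattern) |
    ForEach-Object { $_.Value } |
    Sort-Object -Unique |
    ForEach-Object {
        if ($knownIds -notcontains $_) { throw "Unknown label id in rule file: $_" }
    }

# Only now apply the rule (rule number 1; further rules use _2, _3, ...)
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{OutlookCollaborationRule_1 = "$filedata"}

# Read back the stored rule(s) from the policy settings
(Get-LabelPolicy -Identity $policyName).Settings | Where-Object { "$_" -match 'OutlookCollaborationRule' }
```

The GUID check is deliberately simple: it catches a mistyped or stale label id, not a rule that is syntactically valid but points at the wrong label, so the read-back at the end is still worth a look.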
41. Tips, tricks and other things
• Sharing an encrypted file | working with guests
• Label/encrypt using DLP rules
• Decrypt file in SPO: Unlock-SensitivityLabelEncryptedFile
• Metadata change, MSIP_ cannot be used anymore
• Container-based labels don't affect documents and require Azure AD Conditional Access policies
• Difference in clients
• Custom configuration for UL client
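The Unlock-SensitivityLabelEncryptedFile tip above, worked through as an added example that is not part of the presentation: a batch that removes label encryption from SharePoint Online files listed in a CSV, records the outcome per file and keeps going when one file fails. The admin URL, the CSV layout (a single FileUrl column) and the justification text are assumptions.

```powershell
# Added example (not from the presentation): remove label encryption from SharePoint Online
# files listed in a CSV. Requires the SharePoint Online Management Shell and a SharePoint admin.
# The admin URL, the CSV column "FileUrl" and the justification text are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$csvPath       = ".\files-to-unlock.csv"
$justification = "eDiscovery review, case PLACEHOLDER-001"

$results = foreach ($row in Import-Csv $csvPath) {
    try {
        # -ErrorAction Stop turns a cmdlet error into an exception the catch block sees
        Unlock-SensitivityLabelEncryptedFile -FileUrl $row.FileUrl -JustificationText $justification -ErrorAction Stop
        [pscustomobject]@{ FileUrl = $row.FileUrl; Status = "Unlocked" }
    } catch {
        # One missing or non-encrypted file should not abort the whole batch
        [pscustomobject]@{ FileUrl = $row.FileUrl; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Keep the per-file outcome next to the justification: removing encryption is a change to
# protected content that you will want to account for afterwards
$results | Export-Csv ".\unlock-results.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```

Limit the CSV to the files that actually need it; the justification text is the record of why the protection was removed, so make it specific to the case rather than generic.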
42. Tips, tricks and other things
• Visual markings per app and restrictions
• Use Defender for Cloud Apps to block downloads for labeled content or to apply label when downloading a document
• Super User role
• Encrypted PDFs (Adobe Acrobat | Microsoft Edge) | Digitally signed PDFs
• Adobe Acrobat public preview
• Custom permissions/encryption and eDiscovery