Let’s say that we have a super secret text file with the contents shown above that we want to share with an external contact outside our Microsoft 365 tenant. We want to ensure that the document is encrypted and only viewable by those we have deemed to have permissions. We also want to restrict external users to have read only access to the file. How can we achieve that? With Azure Information Protection (AIP).
The first step in the process is to define an Azure Information Protection label with the permissions desired. You can see in the above that access for this label is defined for a Gmail account and the permissions for this account are set to “Viewer” (i.e. read only).
This label then needs to be added to a policy and pushed out to those Microsoft 365 users who will be creating documents, so it is available on their machines.
Users should already have the Microsoft Azure Information Protection client for Windows installed on their machines. Doing so adds an Azure Information Protection banner to their Office desktop applications as well as an extension to Windows Explorer that appears when they right-click a file, as shown above.
You typically use this Windows Explorer extension when you want to protect non-Office documents. You do this by selecting Classify and Protect, as shown above.
This will launch the AIP client and allow you to apply the protection label that was created previously in the Azure portal. To apply that specific label to protect the document simply select the label name as shown above. You should then see the Sensitivity set to that level in the top left. Don’t forget to select the Apply button in the bottom right to actually protect the file!
You should now see that the file is a “Protected Text File” and that it has a new icon. You will also notice that the extension is now .PTXT, for protected text file.
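The Windows Explorer steps above can also be scripted, which is useful when you want to confirm that a file really is protected before it is sent outside the tenant. The following is an added example, not code from the original post: it uses the AzureInformationProtection PowerShell module that ships with the AIP client (the `Set-AIPFileLabel` and `Get-AIPFileStatus` cmdlets) to apply the label created in the portal and then read back the protection state. The label GUID and the file path are placeholders; substitute the ID of your own label from the Azure portal.

```powershell
# Added example (not from the original post): apply an AIP label to a non-Office
# file from PowerShell and verify the result before the file leaves the tenant.
#
# Assumptions: the AIP client (which installs the AzureInformationProtection module)
# is present, the label has already been published to this user through a policy,
# and $labelId is replaced with the real label GUID from the Azure portal.

Import-Module AzureInformationProtection

$labelId = '00000000-0000-0000-0000-000000000000'   # placeholder: label GUID from the portal
$source  = 'C:\Temp\super-secret.txt'                # constructed sample path

# Apply the label. Because the label carries protection, the .txt is written
# out as a .ptxt (the "Protected Text File" seen in Explorer).
$result = Set-AIPFileLabel -Path $source -LabelId $labelId
$result | Format-List FileName, Status, Comment

# Read the state back from the protected copy rather than trusting the UI.
$protected = [System.IO.Path]::ChangeExtension($source, '.ptxt')
$status    = Get-AIPFileStatus -Path $protected

if (-not $status.IsRMSProtected) {
    throw "File '$protected' is labelled but not protected; do not send it externally."
}

# Fields the recipient's viewer will honour: which label/template applies and who owns it.
$status | Format-List FileName, IsLabeled, MainLabelName, IsRMSProtected, RMSTemplateName, RMSOwner
```

Running this before uploading to OneDrive for Business or emailing the file gives you a scriptable version of the “Protected Text File” check described above; the `IsRMSProtected` test is the important one, since a file can carry a label that classifies without protecting.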
That file can now be uploaded to OneDrive for Business and appears as shown.
If that protected file is now sent outside the organisation, using any method, and is opened with the native viewer, here Notepad, you’ll note the message saying that the file is protected and that to view it you must download Microsoft’s protected file viewer. This is actually exactly the same client that was used earlier: the Microsoft Azure Information Protection client for Windows. So, this will need to be downloaded and installed on the destination machine to allow viewing of the file.
Once the Microsoft Azure Information Protection client for Windows has been installed, the file should open automatically in the Azure Information Protection Viewer when you open it. If it doesn’t, just launch the Azure Information Protection Viewer first and then use it to open the protected document.
Because the document is protected the user will now be asked to enter their credentials as shown. This will be their email address.
In this case, the email address with permissions is a Gmail account, which isn’t an Azure AD account like, say, an Office 365 account. Access will therefore be granted in a very similar way to the way OneDrive for Business does its sharing. This means that after entering a non-Azure AD account, the account will be sent a verification code that needs to be entered as shown above.
Checking back in the Gmail account, the user sees the Account verification code and enters that at the prompt. You’ll also notice that this code is good for 30 minutes. Access outside that will require re-authorisation and a new code.
With the code entered, the user can view the document as shown above. You’ll notice that both Print and Save As are greyed out.
Upon selecting the View Permissions option for the file, the user can see which permissions they are allowed. Here, as expected, the only permissions available are View.
Now there are some restrictions around the file types supported for classification, labelling and protection. You can read more about those here:
Admin Guide: File types supported by AIP unified labelling client
However, you should be able to protect just about any file and allow Save As upon delivery, which protects the file contents during transmission.
Azure Information Protection basically allows you to apply unique permissions to an individual document. This ensures that the permissions travel with the document and are enforced no matter where or to whom it is sent. That is a very powerful way to protect your information and, as you can see, once you have configured the label it is very easy to apply to any document directly from Windows Explorer.
Azure Information Protection in some form is included in most Office 365 Enterprise SKUs and, importantly, is also included in Microsoft 365 Business. You can also purchase it as a stand-alone offering. Have a look at:
Requirements for Azure Information Protection
for more details.