This is a deployment guide for Azure Information Protection. I couldn’t find what I needed in the Microsoft Documentation so I have written a complete deployment guide. This guide includes the following subjects:
Azure Information Protection Deployment Guide
Azure Log Analytics deployment to check activity
Microsoft 365 compliance integration (SharePoint & OneDrive)
Examples for labeling and Log Analytics
For Azure Information Protection you need at least the license Azure Active Directory Premium P1 (or P2). Exact pricing can be found here.
You need to install the Azure Information Protection client which can be downloaded here
You need to have an Azure subscription where you can create a Log Analytics.
Access to the Microsoft 365 Compliance center.
Azure Information Protection Deployment Guide
We start with creating the information protection option in Azure. Go to the Azure Portal and logon.
Go to create a resource:
Search for “Azure Information Protection” and click on create:
When you search in the top bar for “Azure Information Protection” this will show up:
Click on “Azure Information Protection”.
You are now in the control plane for Azure Information Protection.
Firstly, we need to create some labels. Go to labels:
I choose to generate the default labels because these served exactly what I needed. If you want to create your own labels you can do that here:
These are the default labels:
Please take a look at the marking and protection. These are generated by default. Furthermore you can configure, based on these settings, that these documents can’t be shared via the Microsoft 365 platform.
Next we need to create a policy:
Go to policies:
The global policy is created by default. Create a new one because we want to target specific users. Click “Add a new policy”:
Name the policy, fill in a description, add the users and add the labels:
Furthermore, The generated labels are added automatically.
Next is the activation of protection for Azure Information Protection. Go to “Protection Activation” and check for the Activiation Status:
Check the protection status. This must say “Activated”.
Continue at “Azure Log Analytics” to create dashboards for Azure Information Protection.
Azure Log Analytics
The second step is to configure Log Analytics. For Example, this is a dashboard:
Information is shown about which document has which label and which user assigned this label to the document. This very usefull information to check whether and how Azure information protection is used.
To configure Log Analytics for Information Protection go to:
I advise you to create a new “Log Analytics Workspace” because labels could overlap with another workspace.
Name the resource group and choose the location:
When the Log Analytics workspace has been created go back to the Configure Analytics settings and select the new workspace:
NOTE: Enabling the checkbox for deeper analytics stores all the analytics for your documents in Log Analytics. Your company policies needs to agree with this.
After you have selected the Log Analytics workspace the dashboard are available:
Go to the next step.
Microsoft 365 Compliance & Azure Information Protection Client
The next step is to configure Microsoft 365 Compliance to publish the labels from Azure Information Protection.
Go the Microsoft 365 Compliance center
After you log on please go to “Catalog”:
Go to “Information Protection”:
Click open solution:
NOTE: If you need this feature skip this step:
Click on Turn On Now:
Optional: After this enable the support for SharePoint Online and OneDrive. Open up SharePoint Online Powershell and run:
Set-SPOTenant -EnableAIPIntegration $true
We now need to publish the labels to the client, go to “Publish Labels”:
Click on “Choose sensitivity labels to publish”:
I choose to select all labels:
See the labels that need to be published, check these and click on next:
If you want to limit this choose the group to publish these labels to and click on next:
Choose the settings that apply and click next:
Provide a name and description and click next:
Review the settings and if they are oké click on Submit:
The labels are now visible in Information Protection:
These labels are now visible on the Windows Clients that have Azure Information Protection Client installed.
You can download the client here, I have distributed the client via Intune via the MSI installer. For test purpose just download and install the client via the webpage.
If the client is correctly installed you will see this button in Microsoft Word (for example):
I have enrolled a Windows 10 machine via Windows 10 Autopilot. I have written a guide about this. You can check the guides here:
Hybrid Azure AD Joined
Azure AD joined
As I said earlier I have pushed the Azure Information Protection Client via Intune on to the device. The installation status via Intune is:
When we open Microsoft Word on this machine this bar is shown immediately:
These are the labels that we have pushed to the devices earlier on.
Furthermore, the options within Confidential and Highly Confidential are also available:
I have set a label for a document as Highly Confidential and when I open this documents this is what is shown:
When you click on “View Permissions” this is what you see:
It is also possible to edit these permissions based on the labels in the Microsoft 365 Compliance center, Azure information Protection and SharePoint Online.
This is also available in the Log Analytics workspace we created in section 2:
Here you can see the document and the properties it contains.
This was all I could write down in the short amount of time I had available to research this. If you have any questions or want to share more information please contact me.