Azure Information Protection- part 2: Admin portal

In this blog, I would like to show and explain to you the back end side/admin side of Azure Information Protection. What does it look like, what can you configure, which options do you have. As I mentioned before in part 1, setting up/configuring and using Azure Information Protection is quite easy. Defining the corporate data policy will require some thinking.

Azure Information Protection (AIP) can be found in the Azure Portal and can be added to your dashboard. From there it is very easy to jump to AIP and start configuring.

First item you will see is the policy. In my screenshot you see a policy called “Global” and applies to all users in my tenant. I can add multiple policies and apply those to different groups within my tenant/organisation. So, different groups can have different classifications and labels. In my opinion, keep things simple.

So, everything I will talk about after this, all settings apply to my policy “Global”.

The next part in the AIP portal are the labels. Default labels are defined but you can radjust them- different names, colors and descriptions but also add more labels and sub labels. These labels are what users will see as a ribbon in the Windows Office apps- Excel, Outlook, Powerpoint and Word (I will deiscuss the end user part in another post). Basically, these labels represent your content policy. You translate that policy in labels.

Below the label section, you find some more settings; the title end users see in the ribbon and the tooltip. Also, if all documents and emails must have a label; in other words, is it required for users to classify documents and email or not. A pretty good setting if you want to enforce classification. Another great setting to start using classifying content is the setting to have a default label applied for documents and emails. This means that e new email or a new document automatically will have a classification- in my case; “General”. Users will be able to change the label. You can configure that in the case of a lower label/remove label by a user, a justification needs to be entered by that user. This is being logged in Azure so you can trace all this. Removing a label can be done, but a user always will do this on purpose/with a reason and never by accident.

As I mentioned before, you can name the labels as you want. The description part is pretty important. This description is shown to end users when they hoover over the labels in the Office apps. Good descriptions will help users use the right labels and thus protect the right documents and emails.

Optionally you can attach a Microsoft Right Management Service template to a label. You have to configure this template in the RMS portal . I will discuss the options in RMS in a different post but to summarize it; with an RMS template you can define with which users/groups  the document with that specific label can be shared and what these users/groups can do with that document/email, among other settings.

You also can configure visual settings with your labels like:

  • header/footer text,
  • color,
  • font,
  • watermark,
  • alignment.



One of the best settings are saved for last: automatic labeling/recommendations. Within AIP, you can define 1 or multiple conditions within a label. When a document/email matches that condition you can either automatically apply that label to the document/email or visually show the user a recommendation with a reason.

In my example, a user will see a recommendation to classify/label the document/email as Confidential- Internal Recipients, when a document contains the word “draft”. You can define custom conditions, like phrases. You can set it to exactly matching or match as expression. There also are built in conditions like IBAN and Swift. In this case, you can automate/enforce classification based on what you believe is important, and you can take human error out of it.

Hopefully this post gives you a general understanding of what you can do on the admin side with AIP.


Leave a Reply

Your email address will not be published. Required fields are marked *