Azure Information Protection- part 3: the end user with the Office apps

I have written a couple of posts around Azure Information Protection- what the solution is and the admin side of the solution. In this post, I would like to discuss the end user side of Azure Information Protection. What do end users see and how can they use classification, labeling and share documents? Luckily, it is very simple from an end user perspective, and that is a great thing!

I have mentioned it before; AIP starts with the creation of a document. When a user is creating a document, either a default classification/label has been applied by AIP (based on a company’s policy) or a user classifies/labels the document (also based on the company’s policy around document classification). From that moment on, optionally encryption applies with access control, a user policy and tracking+revocation possibilities.


After installing the AIP plug in on a user’s Windows system ( which you can download for free from here), when a user opens Word, Powerpoint, Outlook of Excel, the user will see a new ribbon in the Office app’s interface with the labels. If the automatic default label policy is applied, one of the labels will be grey, thus applied. On the left in the ribbon, you also can see which label is applied.

Which label to chose from all depends on the classification/labeling policy of documents within an organization. Needless to say you need to train/educate your users about the labels and what they stand for. Within the user interface, when a user hoovers over the labels, a textbox pops up with a description of that specific label. Companies can put in their description of liking. Also an open door but don’t use too many labels and add a clear description so users will understand easily which label to pick with different kind of content.

I discussed automatic classification and recommended classification in the post on the admin side of AIP. So, what’s the flow there and how does it look from an end user? Let’s say all documents with the word “draft” need to be classified internal or confidential. A user created a Word document, is typing away and somewhere is the word “draft”. Now the user wants to save the file on its machine (and it doesn’t matter where the user wants to save it). After picking the location and hitting save, the user will be prompted to change the classification of the document, with a reason (wording is up to the company’s policy). The user can change the classification of the document or dismiss the recommendation. Remember, AIP isn’t to prevent intentional behavior or fraud. In this case, the user will be made aware of the situation and can decide, after thinking about it, to change the classification or not. Also, you have the option to enforce the policy automatically, so users don’t have a recommendation. After changing the classification, the user will see the marking, set my the companies policy in the back end of AIP.

In the above case, meta data has been added to the document. When you right-click the document and open the properties, you will see and extra tab called “custom” where you can see the meta data. Besides meta data, the document, in this case, also has RMS attached to it. A users most likely doesn’t know about this and in my opinion, shouldn’t know this. The user classifies the document and based on the classification, the document gets encrypted, has specific access control and user policies attached.

Because of the specific classification/label and the attached RMS template, the user cannot just send the document to people outside the organization (RMS templates apply to users/groups inside the organization/(Azure) Active Directory/Azure tenant. If, by accident, a user would send the document to someone outside the organization (or maybe a user inside the organisation who wasn’t in the RMS template user/groups list), that recipient of the document couldn’t authenticate to open the document. With Echange Online and the Data Loss Prevention tools, you even can set rules on the AIP classifications/labels. Exchange Online and AIP work together.

AIP is easy to use for end users. Success depends on a clear, easy to understand company policy around classifying and labeling content and education of the users. Awareness how to handle content is one of the major benefits when using AIP. It is fair to say it can prevent user mistakes till a certain level but it won’t help you when someone intentionally is trying to get around the system.

My next post will be about the AIP client and sharing documents externally.

Leave a Reply

Your email address will not be published. Required fields are marked *