Azure Information Protection unified administration available in Preview. The protection part of AIP (the encryption, formerly known as Azure RMS) being in the classic, and the Classification and Labelling part being in the new. Microsoft release into Preview the new unified administrative experience which brings the Protection configuration (Azure RMS templates) into the AIP configuration.

So what does this mean to you?

  • From an admin perspective, we have unified access to all configuration into a single location to define your classification taxonomy, labels and any specific actions including protection.
  • You can try out this new unified admin experience right now, just log into https://portal.azure.com
  • Until now, an admin had to first create RMS templates in the Azure classic portal, then go to the Azure portal to configure labels, and then link RMS templates to labels.
  • Moving forward, everything is now configured via the Azure portal. Protection becomes an optional setting of a label, just like visual marking or classification automation with conditions.
  • Based on your feedback, we have also removed the need for an admin to be a Global Admin! Security Admins can create labels and configure protection settings.
  • Following our release of new collaboration features in February, we have now added UI based configuration options to protect content to:
    • anyone within your company (e.g. @contoso.com)
    • anyone at another company (e.g. @fabrikam.com)
    • a group of people at another company (e.g. finance@fabrikam.com)

Let’s take a deeper look

When you log into the portal and open a label, you will see that we have added an option to set Protection permissions on the label (which also means sub-labels, for brevity we will just say “labels”):

Once you choose the option “Custom (Preview)” you can define the same settings that were previously in the classic portal, including content expiration, offline access policy, users/groups and their rights. In the example below, we are giving the Big Wigs group and Bonnie as a specific user the Co-Owner rights.

You can also optionally provide “everyone” within your organization rights:

If you wish to collaborate on protected content with people outside your organization, you can use the custom or external option to add users (i.e. jane@contoso.com), groups (i.e. projects@contoso.com) or entire organizations (@contoso.com):

Once the settings are configured and saved, the AIP service creates Protection templates in the background. We still create these templates to preserve backward compatibility for applications that use RMS templates without requiring any updates to adopt labels.

A note on templates: The AIP client refreshes templates that are associated with labels, and this refresh happens whenever you relaunch the client. For users without the AIP client (i.e. just using RMS) these templates refresh on a regular basis, the default is 7 days but you can tune this.