What Is Azure Information Protection?

In today’s Ask the Admin, I’ll take a detailed look at the components of Microsoft’s new Azure Information Protection service.

A couple of weeks back, Microsoft announced its new Azure Information Protection (Azure IP) service, which is now available in preview. A cloud-based service designed to protect not only data in the cloud but also on premises, Azure IP keeps data secure when it’s at rest or moving across the wire.

Identity-Driven Security

Identity-driven security is the basis for most of Microsoft’s security products, and Azure IP is no exception. And whether users are internal or external to your organization, Azure Active Directory is used for authentication. Azure Rights Management Services (RMS) is at the core of Azure IP, which will replace Azure RMS when Azure IP reaches general availability.

If you’re not familiar with Azure RMS, it protects data by using encryption, identity, and authorization policies, and works on phones and tablets (no mobile device extension required), as well as PCs and Macs with Office 2016. Even when files leave your organization, the protection provided by RMS remains in place.

One of the advantages of the identity-driven approach is that, unlike peer-to-peer encryption technologies, data is kept from prying eyes but can still be accessed by indexing and data mining services, ensuring it stays discoverable and valuable to the business. Data owners can control what users can do with files once they receive them. For instance, you might want to prevent users from forwarding an email that contains a sensitive attachment.


Azure RMS encrypts data using RSA 2048 for public key cryptography and SHA 256 for signing operations, and is FIPS 140-2 compliant. The default option is to let Microsoft store your encryption keys, but Bring Your Own Key (BYOK) is also supported, with some caveats attached. For more information on using Azure RMS with BYOK, see Azure RMS, Exchange Online, and BYOK on IT Unity.

Information Rights Management

Office 365 users on some enterprise plans currently get access to Information Rights Management (IRM), which also works off the back of Azure RMS to protect sensitive data. Using IRM templates, organizations can define sets of rules that determine what users can do with data once it has been manually classified in Office. Azure IP promises to remove the manual classification step using technology Microsoft purchased from Israeli startup, Secure Islands, in late 2015.

Automatic Classification

Secure Islands’ solution enables policy-driven intelligent content categorization that analyzes data content and context in real time from any source. This provides fully automated, user-driven or ‘according to system recommendation’ policy-based classification that stays with the data wherever it goes. In other words, it’s possible to take users out of the equation when classifying data based on a number of different criteria. And as you’re likely already aware, users are the weakest link in any security system.

Once a file is classified, whether automatically or manually, a label is attached that determines whether it’s encrypted and which users can access the data and what they can do with it once received. Azure IP will allow users to override automatic classification based on policies and rules set by the organization, and users will also be able to track the activities performed on their data and revoke access if necessary.
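To make the classify, label, protect flow concrete, here is an added sketch that is not from the original article and is not Azure IP's API or policy schema. The label names, the card-number and "internal use only" rules, and the rule that a downgrade needs a justification are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:                      # hypothetical label model, not Azure IP's schema
    name: str
    rank: int                     # higher rank = more sensitive
    encrypt: bool                 # does this label require encryption?
    rights: frozenset             # actions a recipient may perform

LABELS = {
    "Public": Label("Public", 0, False, frozenset({"view", "edit", "forward", "print"})),
    "Internal": Label("Internal", 1, True, frozenset({"view", "edit", "forward"})),
    "Confidential": Label("Confidential", 2, True, frozenset({"view"})),
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate payment card numbers

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                            # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> Label:
    """Automatic classification: the most sensitive matching rule wins."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return LABELS["Confidential"]
    if re.search(r"\binternal use only\b", text, re.I):
        return LABELS["Internal"]
    return LABELS["Public"]

def apply_override(auto: Label, requested: str, justification: str = "") -> Label:
    """User override: raising sensitivity is free, lowering it must be justified."""
    new = LABELS[requested]
    if new.rank < auto.rank and not justification.strip():
        raise PermissionError("downgrade requires a justification")
    return new

def allowed(label: Label, action: str) -> bool:
    return action in label.rights

if __name__ == "__main__":
    doc = "Refund to card 4111 1111 1111 1111"    # constructed sample (test number)
    lab = classify(doc)
    print(lab.name, "encrypt:", lab.encrypt, "forward:", allowed(lab, "forward"))
```

The Luhn check is what keeps an arbitrary 16-digit order reference from being labelled as card data, which is the kind of false positive that pushes users to override labels.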

Azure Information Protection

Azure IP combines Azure RMS with improvements to the existing features of Information Rights Management, and adds tracking and reporting features. The result is a complete solution for organizations that want to protect data but retain the flexibility to work with that data in ways that traditional encryption solutions don’t allow.

Keep an eye out for more detailed how-to articles on Azure IP in the near future.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.