What Is Azure Information Protection?

Security Hero

In today’s Ask the Admin, I’ll take a detail look at the components of Microsoft’s new Azure Information Protection service.

A couple of weeks back, Microsoft announced its new Azure Information Protection (Azure IP) service, which is now available in preview. A cloud-based service designed to protect not only data in the cloud but also on premises, Azure IP keeps data secure when it’s at rest or moving across the wire.

Identity-Driven Security

Identity-driven security is the basis for most of Microsoft’s security products, and Azure IP is no exception. And whether users are internal or external to your organization, Azure Active Directory is used for authentication. Azure Rights Management Services (RMS) is at the core of Azure IP, which will replace Azure RMS when Azure IP reaches general availability.

If you’re not familiar with Azure RMS, it protects data by using encryption, identity, and authorization policies, and works on phones and tablets (no mobile device extension required), as well as PCs and Macs with Office 2016. Even when files leave your organization, the protection provided by RMS remains in place.

One of the advantages of the identity-driven approach is that unlike peer-to-peer encryption technologies, while data is kept from prying eyes, it can still be accessed by indexing and data mining services, ensuring it stays discoverable and valuable to the business. Data owners can control what users can do with files once they receive them. For instance, you might want to prevent users for forwarding an email that contains a sensitive attachment.


Azure RMS encrypts data using RSA 2048 for public key cryptography and SHA 256 for signing operations, and is FIPS 140-2 compliant. The default option is to let Microsoft store your encryption keys, but Bring Your Own Key (BYOK) is also supported, with some caveats attached. For more information on using Azure RMS with BYOK, see Azure RMS, Exchange Online, and BYOK on IT Unity.

Information Rights Management

Office 365 users on some enterprise plans currently get access to Information Rights Management (IRM), which also works off the back of Azure RMS to protect sensitive data. Using IRM templates, organizations can define sets of rules that determine what users can do with data once it has been manually classified in Office. Azure IP promises to remove the manual classification step using technology Microsoft purchased from Israeli startup, Secure Islands, in late 2015.

Automatic Classification

Secure Islands solution enables policy-driven intelligent content categorization that analyzes data content and context in real time from any source. This provides fully automated, user-driven or ‘according to system recommendation’ policy-based classification that stays with the data wherever it goes. So in other words, it’s possible to take users out of the equation when classifying data based on a number of different criteria. And as you’re likely already aware, users are the weakest link in any security system.

Once a file is classified, whether automatically or manually, a label is attached that determines whether it’s encrypted and which users can access the data and what they can do with it once received. Azure IP will allow users to override automatic classification based on policies and rules set by the organization, and users will also be able to track the activities performed on their data and revoke access if necessary.

Azure Information Protection

Combining Azure RMS and improving existing features provided by Information Rights Management, Azure IP adds to the mix tracking and reporting features, providing a complete solution for organizations that want to protect data but retain the flexibility to work with that data in ways that traditional encryption solutions don’t allow.

Keep an eye out for more detailed how-to articles on Azure IP in the near future.