Rights management

The Azure Information Protection team recently published an interesting post about making a “cloud exit.” In other words, how to move your encrypted data out of a cloud service like Office 365. As it turns out, this is feasible if you plan. But how many organizations have even thought about how they might decrypt protected content?

Microsoft says that the Office desktop Windows apps will have native support for Office 365 sensitivity labels in the second half of 2019. Native support means that users won’t need to install the Azure Information Protection (AIP) client to apply labels. However, if they want to continue using the AIP client (because it is more functional), they need to deploy a system registry update.

Exchange Online transport (mail flow) rules are a powerful way to ensure that email from Office 365 tenants to specific recipients are encrypted in a consistent manner. Using rules relieves the need for users to become involved and makes sure that email is protected in a way that recipients can read messages. It’s a good way to use the protection features built into Office 365.

The signs are that Office 365 will store more encrypted content as time goes by. But ISV products might not be able to process that content because they cannot decrypt it. All of which creates the prospect that you might archive or move data somewhere only to discover later that it is inaccessible. And that’s a bad thing.

Microsoft plans to create an automatic policy to encrypt outbound email containing sensitive data for all Office 365 tenants. It sounds like a good idea until you begin looking at the operational consequences of such an action. For instance, how to insert a new transport rule into a complex set of existing rules. All in all, this is not a good plan.

Given the increased ways to apply rights management protection (encryption) to Exchange Online messages, the volume of encrypted traffic should rise. That’s good for users because their email is protected, but it’s not so good for ISVs who must deal with encrypted email. One such example is autosignature products, where server-based components can’t touch protected email to add their text.

Sensitivity labels allow Office 365 tenants to encrypt messages and documents very easily. That is, as long as you have applications that understand labels. A preview version of the AIP client integrates a Sensitivity button in the Office desktop applications, but we must wait for native integration across desktop, web, and mobile clients.

The new sensitivity labels available in Office 365 bring marking and protection functionality for Exchange and SharePoint that was previously only available with Azure Information Protection. In this article, we consider how to migrate AIP labels to Office 365 so that users can encrypt their way to happiness.

Office 365 Groups and Teams support guest users, who enjoy full access to the SharePoint document libraries. You might not want this, because not every document in those libraries are suitable for sharing with guests. The question is how to collaborate with guests while maintaining some control over information. Rights management seems like a good way to accomplish the task.