Azure Information Protection

Last updated: January 6, 2022

Azure Information Protection (AIP) provides encryption and access-control protection for documents and other files, using cloud-issued, time-limited use licenses, with support across a broad set of client platforms. It may require an additional purchase.

Background

AIP was previously called Azure Rights Management Services (RMS), and some of the capabilities are still called RMS.

AIP is a foundational technology that enables a variety of other Microsoft features like Office 365 Message Encryption (OME), Office 365 Data Loss Prevention (DLP), Information Protection for Office 365, Microsoft Information Protection, and others.

Licensing

Azure Information Protection has three levels of licensing:

  • Free: generally available to anyone. Permits a user only to read documents that have been protected with AIP and for which that user has been granted permissions.
  • AIP Premium P1: not in use at the UW.
  • AIP Premium P2: available to users with the Microsoft 365 A5 for faculty license package. NOTE: Microsoft 365 A5 for students does NOT include AIP Premium P2. Permits the user to label documents and otherwise apply AIP protection to them.

There are a variety of technologies which are based on the AIP foundation but which have different licensing. For example, most of the features noted above with “Office 365” in their name are included in Microsoft 365 A5 for students, but are not included in Office 365 A1.

Use

With AIP, a customer can protect files or other resources by encrypting them at the object level. The file might be stored anywhere, but the ability to open it is controlled by AIP and the access controls specified when it was protected. This means that the administrators of the file storage (and even someone with physical access to it) cannot read the file's contents. Object-level encryption protects against most breach scenarios involving the storage location or the file in transit, which makes it well suited to confidential data; it does not protect against misuse by an account that has been granted access. Because each open requires a use license issued by the service after the user authenticates with an Azure AD issued access token, you normally need internet connectivity to access an AIP protected file (clients can cache a use license for a limited period, after which they must reconnect). Because all access is brokered through the central service, access to AIP protected files can be audited and tracked, and you can revoke access to a given file regardless of where it is stored; revocation takes effect the next time a client requests a use license for that file.

The technology also provides an enterprise data recovery option (the AIP “super user” feature): when access to a given file has been lost, a small number of highly trusted individuals can decrypt and recover it. To exercise recovery of an AIP protected file, UW-IT uses an approval process that has been established by the Washington state Attorney General’s Office.
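The following PowerShell is an added example, not UW-IT's procedure or text from the page above. It walks through the three service-side capabilities the two preceding paragraphs describe (central audit, revocation, and recovery) using the AIPService module (tenant administration) and the AzureInformationProtection module that ships with the AIP client. The file path, user principal names, and justification text are placeholders; the output property names come from the modules' documented objects.

```powershell
# Added example (not part of the UW page). Assumes the AIPService and
# AzureInformationProtection modules are installed and the caller is an AIP/tenant admin.
# Paths, UPNs and justification text below are placeholders.
#Requires -Modules AIPService, AzureInformationProtection

Connect-AipService   # interactive sign-in to the tenant's Azure RMS service

# 1. Inspect a file. The ContentId is the handle the service uses for tracking and
#    revocation; it travels with the file wherever the file is stored.
$status = Get-AIPFileStatus -Path 'C:\Data\grant-budget.xlsx'
$status | Select-Object FileName, IsRMSProtected, RMSOwner, RMSIssuer, ContentId

# 2. Audit. Every open of a protected file requires the client to request a use
#    license from the service, so each request (granted or denied) is logged centrally.
$since = (Get-Date).AddDays(-30)
Get-AipServiceDocumentLog -ContentName 'grant-budget.xlsx' -Owner 'owner@uw.edu' `
    -FromTime $since -ToTime (Get-Date)
Get-AipServiceTrackingLog -ContentId $status.ContentId -FromTime $since -ToTime (Get-Date) |
    Format-Table -AutoSize

# 3. Revoke. The document is marked revoked at the service; the next use-license
#    request for it is refused. A client that already holds a cached (offline)
#    license keeps access until that license expires, so revocation is not instant.
Set-AipServiceDocumentRevoked -ContentId $status.ContentId -IssuerName 'owner@uw.edu'
# Clear-AipServiceDocumentRevoked -ContentId $status.ContentId -IssuerName 'owner@uw.edu'  # to undo

# 4. Recovery. The super user feature lets a designated account open, and remove
#    protection from, any file protected by the tenant. Enabling it and adding a member
#    is exactly the kind of action that should pass through a formal approval process.
Enable-AipServiceSuperUserFeature
Add-AipServiceSuperUser -EmailAddress 'aip-recovery@uw.edu'
Get-AipServiceSuperUser

# Run as the super user account, on a machine with the AIP client installed:
Set-AIPFileLabel -Path 'C:\Data\grant-budget.xlsx' -RemoveProtection `
    -JustificationMessage 'Approved recovery request'
```

Note that steps 1 and 4 run on a client machine with the AIP client installed, while steps 2 and 3 run against the service and work for any copy of the file, since they key off the ContentId rather than a storage location. Super user membership should be reviewed regularly with Get-AipServiceSuperUser; anyone on that list can decrypt every file the tenant has ever protected.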

Because Azure Information Protection is embedded in other product features, there are several general scenarios where it might be in use:

  • Use directly via the Azure Information Protection client. Users apply labels to files, which triggers the application of policies that protect the file.
  • Use indirectly via Office 365 features like OME or DLP. Users apply policies which Office 365 administrators have determined are commonly needed.
  • Use indirectly via bulk classification/labeling engines. System administrators of a file server might apply rules which result in the protection of files.

Because access to AIP protected files or resources requires internet access, apply some thought and care when choosing which files to protect: anyone who might need to open an AIP protected file should be prepared to sign in and be online when they do.

More Info

If you are interested in this technology, please send an email to help@uw.edu.

Additional planned topics for future documentation include:

  • Existing AIP policies and what controls they apply (short version: default policies at this time)
  • Platforms AIP supports (short version: Microsoft documents this, and the support is very broad)
  • How to get the direct AIP option