
Azure Information Protection Lab

Introduction

Estimated time to complete this lab

60-120 minutes*

Objectives

After completing this lab, you should be able to (depending on the exercises you choose):

  • Discover sensitive data using the Azure Information Protection scanner
  • Configure Azure Information Protection labels
  • Configure Azure Information Protection policies
  • Classify and protect content with Azure Information Protection in Office applications
  • Bulk Protect documents using the AIP client Windows integration
  • Enable and Publish labels and policies in the Security and Compliance Center
  • Classify and Protect sensitive data discovered by the AIP Scanner
  • Monitor Usage, User Activity, and Data Risk using the Azure Log Analytics AIP dashboards
  • Configure Exchange Online Mail Flow Rules to protect content and enhance AIP usability

Prerequisites

Before working on this lab, you must have:

  • Familiarity using Windows 10
  • Familiarity with PowerShell
  • Familiarity with Office 365 applications

Lab machine technology

This lab is designed to be completed on either a native Windows 10 machine or a VM with the following characteristics:

  • Windows 10 Enterprise
  • Office 365 ProPlus
  • Azure Information Protection client (1.45.32.0)

Microsoft 365 E5 Tenant credentials will be provided during the event. If you want to run through this lab after the event, you may use a tenant created through https://demos.microsoft.com or your own Microsoft 365 Tenant. This Lab Guide will be publicly available after the event at https://aka.ms/AIPHOL.


===

Log Analytics Configuration

⬅️ Home

In order to collect log data from Azure Information Protection clients and services, you must first configure the log analytics workspace.

  1. [] Switch to @lab.VirtualMachine(Client01).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] Open a new InPrivate tab and browse to https://aka.ms/AIPConsole.

    [!NOTE] If necessary, log in using the credentials below:

    @lab.CloudCredential(134).Username

    @lab.CloudCredential(134).Password

  3. [] In the Azure Information Protection blade, under Manage, click Configure analytics (preview).

  4. [] Next, click on + Create new workspace.

    !IMAGEqu68gqfd.jpg

    [!ALERT] The reason we recommend creating a new workspace here is that, by default, only the creator and subscription administrators have access to an Azure Log Analytics workspace.

    The data contained in this workspace will contain details about the location and contents of files containing sensitive information.

    Restricting access to this workspace only to trusted administrators with a need to know is highly recommended.

  5. [] Configure the Log analytics workspace using the values in the table below and click OK.

    | Setting | Value |
    |---|---|
    | Log Analytics Workspace | Type a globally unique Workspace Name (random characters usually works) |
    | Resource Group | AIP-RG |
    | Location | Choose a location near the event |
    | Pricing tier | Per GB |

    [!HINT] The Log Analytics Workspace name must be unique across all of Azure. The name is not relevant for this lab, so feel free to use random characters.

  6. [] Next, back in the Configure analytics (preview) blade, check the boxes next to the workspace and next to Enable Content Matches and click OK.

    !IMAGE1547437013585

    [!KNOWLEDGE] Checking the box next to Enable Content Matches allows the actual matched content to be stored in the Azure Log Analytics workspace. This could include many types of sensitive information such as SSN, Credit Card Numbers, and Banking Information. This option is typically used during testing of automatic conditions and not widely used in production settings due to the sensitive nature of the collected data. If this is used in a production setting, extreme caution should be taken with securing access to this workspace.

  7. [] Click Yes, in the confirmation dialog.

    !IMAGEzgvmm4el.jpg
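The portal steps above can also be scripted. The block below is an added example, not part of the lab or of Microsoft's own scripts: it creates the workspace with the Az PowerShell module and then enumerates every role assignment that reaches the workspace scope, so you can act on the warning above and confirm that only trusted administrators can read the content matches before you enable them. It assumes the Az.Accounts, Az.Resources and Az.OperationalInsights modules are installed and that Connect-AzAccount has already been run; the resource group, location and workspace name prefix are assumptions chosen to mirror the lab table.

```powershell
# Added example (not lab code): create the AIP analytics workspace and audit who can read it.
# Assumes: Az modules installed, Connect-AzAccount already done.
$ResourceGroup = 'AIP-RG'          # lab value
$Location      = 'eastus'          # assumption; pick a region near you
# Workspace names are globally unique, so append a random suffix as the lab hint suggests.
$WorkspaceName = 'aip-la-' + [guid]::NewGuid().ToString('N').Substring(0, 8)

function New-AipAnalyticsWorkspace {
    param([string]$ResourceGroup, [string]$Location, [string]$WorkspaceName)

    if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
    }

    # "Per GB" in the portal is the PerGB2018 SKU in the Az module.
    New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
        -Name $WorkspaceName -Location $Location -Sku 'PerGB2018'
}

function Get-AipWorkspaceAccess {
    param([string]$WorkspaceResourceId)

    # Get-AzRoleAssignment at a resource scope also returns assignments inherited from the
    # resource group, subscription and management group. Those inherited Owner, Contributor
    # and Reader roles can all query the logs, which is exactly what needs reviewing.
    Get-AzRoleAssignment -Scope $WorkspaceResourceId |
        Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
        Sort-Object Scope, RoleDefinitionName
}

$ws = New-AipAnalyticsWorkspace -ResourceGroup $ResourceGroup -Location $Location -WorkspaceName $WorkspaceName
Write-Host "Workspace $($ws.Name) created: $($ws.ResourceId)"

$access = Get-AipWorkspaceAccess -WorkspaceResourceId $ws.ResourceId
$access | Format-Table -AutoSize

# Anything that is not a named user assigned directly on the workspace (groups, service
# principals, roles inherited from a wider scope) deserves a second look before you
# tick "Enable Content Matches", because that option stores the matched SSNs, card numbers
# and similar values in this workspace.
$broad = @($access | Where-Object { $_.ObjectType -ne 'User' -or $_.Scope -ne $ws.ResourceId })
if ($broad.Count -gt 0) {
    Write-Warning "$($broad.Count) assignment(s) reach this workspace from a wider scope or through non-user principals; review them before enabling Content Matches."
}
```

Run it once before step 6; if the warning fires, remove or narrow the inherited assignments (or create the workspace in a subscription whose broad roles you trust) rather than accepting them because "it is only logs".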


===

Azure Information Protection

⬅️ Home

Overview

Azure Information Protection (AIP) is a cloud-based solution that can help organizations to protect sensitive information by classifying and (optionally) encrypting documents and emails on Windows, Mac, and Mobile devices. This is done using an organization defined classification taxonomy made up of labels and sub-labels. These labels may be applied manually by users, or automatically by administrators via defined rules and conditions.

The phases of AIP are shown in the graphic below.

!IMAGEPhases.png

In this lab, we will give you options for addressing each of these phases using various features of AIP.

The AIP Scanner Discovery exercise will guide you through performing Discovery using the AIP scanner. We recommend that everyone complete this exercise first, as it shows the current state of sensitive data in on-premises repositories. This lets you make data-based risk decisions that can help drive appropriate levels of urgency around the rest of your AIP deployment. 🕙 10-15 min

The Base Configuration exercise contains information on configuring and testing Global and Scoped Policy and Labels. It also demonstrates Recommended and Automatic labeling via the AIP client in Office 365 on Windows 10. This is the longest exercise in the lab, as it requires configuration of policy and the use of multiple clients. We recommend this exercise if you have minimal experience with AIP. 🕙 30-45 min

The Bulk Classification exercise shows how to manually classify, label, and protect content using the Windows integration features of the AIP client. 🕙 5 min

The Security and Compliance Center exercise will help you understand how to Enable and Publish labels in the Security and Compliance Center so they can be used with Mac, Mobile, ISVs (like Adobe PDF), and other unified clients. We will demonstrate this functionality using the Adobe PDF reader during the AIP Scanner CLP exercise. 🕙 5-10 min

The AIP Scanner Classification, Labeling, and Protection exercise will show how to use the AIP scanner in Enforce mode to take advantage of features like Automatic Conditions to help you Classify, Label, and Protect the discovered information easily. This exercise has a dependency on completion of the AIP Scanner Discovery exercise. 🕙 5-10 min

In the AIP Analytics Dashboards exercise, we will show how to Monitor AIP Usage, User Activity, and Data Risk using the new Azure Log Analytics dashboards built into the AIP Azure Portal. 🕙 5 min

In the Exchange IRM exercise, we will use Exchange PowerShell to create a Mail Flow Rule to prevent sensitive information from leaving your network in the clear. We will also create a mail flow rule that prevents internal protected messages from accidentally being sent to external recipients who will be unable to open the content. 🕙 10-15 min

Click on one of the options below to begin. At the end of each section, there will be a summary and links to the other sections so you may continue from that point.


===

AIP Scanner Discovery

⬅️ Home

Even before configuring an AIP classification taxonomy, customers can scan and identify files containing sensitive information based on the built-in sensitive information types included in the Microsoft Classification Engine.

!IMAGEahwj80dw.jpg

Often, this can help drive an appropriate level of urgency and attention to the risk customers face if they delay rolling out AIP classification and protection.

In this exercise, we will configure an AIP scanner profile in the Azure portal and install the AIP scanner. Initially, we will run the scanner against repositories in discovery mode. Later in this lab (after configuring labels and conditions), we will revisit the scanner to perform automated classification, labeling, and protection of sensitive documents. This Exercise will walk you through the items below.


AIP Scanner Profile Configuration

⬆️ Top

The new AIP scanner preview client (1.45.32.0) and future GA releases use the Azure portal central management user interface. You can now manage multiple scanners without signing in to the Windows computers running the scanner, set whether the scanner runs in Discovery or Enforcement mode, configure which sensitive information types are discovered, and set repository-related settings such as the file types scanned and the default label. Configuration from the Azure portal helps your deployments be more centralized, manageable, and scalable.

!IMAGEScannerUI

To make the admin's life easier, we created a repository default that can be set once at the profile level and reused for all added repositories. You can still adjust settings for each repository in case one requires special treatment.

The AIP scanner operational UI helps you run your operations remotely using a few simple clicks. Now you can:

  • Monitor the status of all scanner nodes in the organization in a single place
  • Get scanner version and scanning statistics
  • Initiate on-demand incremental scans or run full rescans without having to sign in to the computers running the scanners

!IMAGEScannerUI2

In this task, we will configure the repository default and add a new profile with the repositories we want to scan.

  1. [] On @lab.VirtualMachine(Client01).SelectLink, in the Azure Information Protection blade, under Scanner, click Profiles (Preview).

    !IMAGEScannerProfiles

    [!NOTE] If the Azure portal is not already open, navigate to https://aka.ms/ScannerProfiles and log in with the credentials below.

    @lab.CloudCredential(134).Username

    @lab.CloudCredential(134).Password

  2. [] In the Scanner Profiles blade, click the + Add button.

  3. [] In the Add a new profile blade, enter East US for the Profile name.

    [!Note] The default Schedule is set to Manual, and Info types to be discovered is set to All.

  4. [] Under Policy Enforcement, set the Enforce switch to Off.

  5. [] Note the various additional settings, but do not modify them. Click Save to complete initial configuration.

    [!KNOWLEDGE] For additional information on the options available for the AIP scanner profile, see the documentation at https://aka.ms/ProfileConfiguration

  6. [] Once the save is complete, click on Configure repositories.

    !IMAGEConfigure Repository

  7. [] In the Repositories blade, click the + Add button.

  8. [] In the Repository blade, under Path, type \\Scanner01\documents.

  9. [] Under Policy enforcement, make the modifications shown in the table below.

    | Policy | Value |
    |---|---|
    | Default label | Custom: Confidential \ All Employees |
    | Default owner | Custom: adamj@@lab.CloudCredential(134).TenantName |

    !IMAGERepo

    [!NOTE] These Policy enforcement settings will set a custom default label of Confidential \ All Employees for all files that do not match a policy in this repository.

    It will also set the default owner for all files protected by the Scanner to adamj@@lab.CloudCredential(134).TenantName. This can be used to assign the Rights Management Owner of all protected files for a repository to a specific user rather than the AIP scanner service account. For instance, if an executive has a shared folder on a server, this can be used to allow that executive to be the rights management owner of all of the files contained in their folder.

  10. [] Click Save.

  11. [] In the Repositories blade, click the + Add button.

  12. [] In the Repository blade, under Path, type C:\PII.

  13. [] Under Policy enforcement, make the modifications shown in the table below.

    | Policy | Value |
    |---|---|
    | Label files based on content | Off |
    | Default label | Custom: Highly Confidential \ All Employees |
    | Relabel files | On |

    !IMAGERepo2

    [!KNOWLEDGE] These Policy enforcement settings will cause all files in the repository to have the same label (Highly Confidential \ All Employees). Additionally, if a file with a different label is added to this repository, the scanner will relabel it to Highly Confidential \ All Employees.

  14. [] Click Save.

  15. [] In the Repositories blade, click the + Add button.

  16. [] In the Repository blade, under Path, type http://Scanner01/documents.

  17. [] Leave all policies at Profile default, and click Save.

[!NOTE] We have now configured all three supported AIP Scanner repository types (CIFS File Share, Local Directory, and on-premises SharePoint Document Library). Note that scanning local folders on the AIP scanner server is not recommended in a production setting as it could affect performance of the scanner service. This is included to demonstrate the capabilities of the scanner profile.


AIP Scanner Setup

⬆️ Top

In this task we will use a script to install the AIP scanner service and create the Azure AD Authentication Token necessary for authentication.

Installing the AIP Scanner Service

The first step in configuring the AIP Scanner is to install the service and connect the database. This is done with the Install-AIPScanner cmdlet that is provided by the AIP Client software. The AIPScanner service account has been pre-staged in Active Directory for convenience.

  1. [] Switch to @lab.VirtualMachine(Scanner01).SelectLink and log in using the Credentials below.

    +++AIPScanner+++

    +++Somepass1+++

  2. [] Open an Administrative PowerShell Window and type C:\Scripts\InstallScannerPreview.ps1 and press Enter.

  3. [] When prompted, enter the Global Admin credentials below:

    @lab.CloudCredential(134).Username

    @lab.CloudCredential(134).Password

  4. [] In the popup box, click OK to accept the default Profile value East US.

    [!NOTE] This script installs the AIP scanner Service using the local domain user account (Contoso\AIPScanner) provisioned for the AIP Scanner. SQL Server is installed locally and the default instance will be used. The script will prompt for Tenant Global Admin credentials, the AIP scanner Profile name, and finally the AIP Scanner cloud account. In a production environment, this will likely be the synced on-prem account, but for this demo we created a cloud only account during AAD Configuration earlier in the lab.

    This script only works if logged on locally to the server as the AIP scanner Service Account, and the service account is a local administrator. Please see the scripts at https://aka.ms/ScannerBlog for additional instructions.

    [!KNOWLEDGE] This script will run the code below. This script is available online as Install-ScannerPreview.ps1 at https://aka.ms/labscripts

    ```powershell
    Add-Type -AssemblyName Microsoft.VisualBasic

    # Scanner service account (pre-staged in on-prem AD). The password is embedded in clear
    # text for the lab only; in production prompt for it or retrieve it from a vault.
    $daU = "contoso\AIPScanner"
    $daP = "Somepass1" | ConvertTo-SecureString -AsPlainText -Force
    $dacred = New-Object System.Management.Automation.PSCredential -ArgumentList $daU, $daP

    # Tenant Global Admin, used only for the Azure AD app registrations below
    $gacred = Get-Credential -Message "Enter Global Admin Credentials"
    Connect-AzureAD -Credential $gacred

    # Local SQL Server default instance and the scanner profile created in the portal
    $SQL = "Scanner01"
    $ScProfile = [Microsoft.VisualBasic.Interaction]::InputBox('Enter the name of your configured AIP Scanner Profile', 'AIP Scanner Profile', "East US")

    Install-AIPScanner -ServiceUserCredentials $dacred -SqlServerInstance $SQL -Profile $ScProfile

    # Unique names for the two app registrations (web app and native client) consumed by Set-AIPAuthentication
    $Date = Get-Date -UFormat %m%d%H%M
    $DisplayName = "AIPOBO" + $Date
    $CKI = "AIPClient" + $Date

    # Web app registration with a one-year client secret. Note the single quotes inside the
    # OData filter: string literals must be quoted or Get-AzureADApplication returns nothing.
    New-AzureADApplication -DisplayName $DisplayName -ReplyUrls http://localhost
    $WebApp = Get-AzureADApplication -Filter "DisplayName eq '$DisplayName'"
    New-AzureADServicePrincipal -AppId $WebApp.AppId
    $WebAppKey = New-Guid
    $Date = Get-Date
    # The secret expires after one year; plan to rotate it and re-run Set-AIPAuthentication before then.
    New-AzureADApplicationPasswordCredential -ObjectId $WebApp.ObjectID -StartDate $Date -EndDate $Date.AddYears(1) -Value $WebAppKey.Guid -CustomKeyIdentifier $CKI

    # Grant the native client delegated access to the permission scope exposed by the web app
    $AIPServicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq $DisplayName }
    $AIPPermissions = $AIPServicePrincipal | Select-Object -ExpandProperty Oauth2Permissions
    $Scope = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $AIPPermissions.Id, "Scope"
    $Access = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $Access.ResourceAppId = $WebApp.AppId
    $Access.ResourceAccess = $Scope

    # Native (public client) registration
    New-AzureADApplication -DisplayName $CKI -ReplyUrls http://localhost -RequiredResourceAccess $Access -PublicClient $true
    $NativeApp = Get-AzureADApplication -Filter "DisplayName eq '$CKI'"
    New-AzureADServicePrincipal -AppId $NativeApp.AppId

    # Acquire and cache the scanner's access token; this prompts for the AIP scanner cloud account
    Set-AIPAuthentication -WebAppID $WebApp.AppId -WebAppKey $WebAppKey.Guid -NativeAppID $NativeApp.AppId

    Restart-Service AIPScanner
    Start-AIPScan
    ```

  5. [] When prompted, enter the AIP Scanner cloud credentials below:

    AIPScanner@@lab.CloudCredential(134).TenantName

    Somepass1

  6. [] In the Permissions requested window, click Accept.

    !IMAGEnucv27wb.jpg

    [!NOTE] If you get any errors, copy the command from C:\scripts\Set-AIPAuthentication.txt and run it in the Admin PowerShell prompt. Next, run the commands below to start the discovery scan.

    ```powershell
    Restart-Service AIPScanner
    Start-AIPScan
    ```

    [!NOTE] An AIP scanner Discovery scan will start directly after acquiring the application access token.

    [!ALERT] If you see a Visual Studio Just-In-Time Debugger dialog with a .NET exception, press OK in the dialog. This is due to SharePoint startup in the VM environment.
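Once the install script finishes, it is worth checking the node from the same administrative PowerShell session rather than waiting for the portal to catch up. The function below is an added example, not part of the lab scripts or the AIP client: it gathers the service state, the scanner's own status, recent events and the latest report files into one object. It assumes the AIP client 1.45.x cmdlets are loaded, that the scanner logs to the "Azure Information Protection" Windows event log, and that reports land under %LocalAppData%\Microsoft\MSIP\Scanner\Reports for the account the scanner runs as (both locations are assumptions about this client generation; adjust them if your version differs).

```powershell
# Added example (not lab code): one-shot health check for an AIP scanner node.
function Test-AipScannerNode {
    param(
        [int]$EventCount = 10,
        # Assumption: report location used by this client generation. Because the service runs as
        # Contoso\AIPScanner, run this while logged on as that account (as the lab does).
        [string]$ReportRoot = (Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports')
    )

    # 1. Service state and identity: must be Running, and StartName should be the
    #    account passed to Install-AIPScanner.
    $svc = Get-CimInstance Win32_Service -Filter "Name='AIPScanner'"

    # 2. The scanner's own view of the current cycle (cmdlet ships with the AIP client).
    $status = $null
    try { $status = Get-AIPScannerStatus }
    catch { $status = "Get-AIPScannerStatus failed: $($_.Exception.Message)" }

    # 3. Recent events. Errors here usually mean a token/authentication problem or an
    #    unreachable repository, which the portal only surfaces much later.
    $events = @()
    try {
        $events = Get-WinEvent -LogName 'Azure Information Protection' -MaxEvents $EventCount -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    } catch { $events = @() }   # log not present (yet) or no access

    # 4. Report files: a completed discovery cycle leaves summary and detailed CSVs.
    $reports = @()
    if (Test-Path $ReportRoot) {
        $reports = Get-ChildItem $ReportRoot -Recurse -File -Filter '*.csv' |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 5 FullName, LastWriteTime, Length
    }

    $errors = @($events | Where-Object { $_.LevelDisplayName -in 'Error', 'Critical' })

    [pscustomobject]@{
        ServiceState   = $svc.State
        ServiceAccount = $svc.StartName
        ScannerStatus  = $status
        RecentErrors   = $errors.Count
        RecentEvents   = $events
        LatestReports  = $reports
        Healthy        = ($svc.State -eq 'Running') -and ($errors.Count -eq 0)
    }
}

$result = Test-AipScannerNode
$result | Format-List ServiceState, ServiceAccount, ScannerStatus, RecentErrors, Healthy
$result.RecentEvents  | Format-Table -AutoSize
$result.LatestReports | Format-Table -AutoSize
```

If ServiceAccount is not Contoso\AIPScanner, or RecentErrors is non-zero right after Set-AIPAuthentication, fix that before looking at the portal: a scanner that cannot authenticate will sit idle and the Data discovery dashboard will simply stay empty.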


===

AIP Scanner Discovery Exercise Complete

In this exercise, we installed the AIP scanner and performed a discovery scan against an on premises CIFS repository and SharePoint document library. Although this was a very limited demonstration of the capabilities of the AIP scanner for discovery, it helps to show how quickly you can configure this tool and get actionable information which can be used to make data driven decisions about your security posture. Choose one of the exercises below or click the Next button to continue sequentially.


===

Base Configuration

⬅️ Home

This exercise demonstrates using the Azure Information Protection blade in the Azure portal to configure policies and sub-labels. We will create a new sub-label and configure protection and then modify an existing sub-label. We will also create a label that will be scoped to a specific group.

Next, we will configure AIP Global Policy to use the General sub-label as default, and finally, we will configure a scoped policy to use the new scoped label by default for Word, Excel, and PowerPoint while still using General as default for Outlook. This Exercise will walk you through the items below.


Creating, Configuring, and Modifying Sub-Labels

In this task, we will configure a label protected for internal audiences that can be used to help secure sensitive data within your company. By limiting the audience of a specific label to only internal employees, you can dramatically reduce the risk of unintentional disclosure of sensitive data and help reduce the risk of successful data exfiltration by bad actors.

However, there are times when external collaboration is required, so we will configure a label to match the name and functionality of the Do Not Forward button in Outlook. This will allow users to more securely share sensitive information outside the company to any recipient. By using the name Do Not Forward, the functionality will also be familiar to what previous users of AD RMS or Azure RMS may have used in the past.

  1. [] On @lab.VirtualMachine(Client01).SelectLink, log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] In the Azure Information Protection blade, under Classifications in the left pane, click on Labels to load the Azure Information Protection – Labels blade.

    ^IMAGEOpen Screenshot

  3. [] In the Azure Information Protection – Labels blade, right-click on Confidential and click Add a sub-label.

    ^IMAGEOpen Screenshot

  4. [] In the Sub-label blade, type Contoso Internal for the Label display name and for Description enter text similar to Confidential data that requires protection, which allows Contoso Internal employees full permissions. Data owners can track and revoke content.

    ^IMAGEOpen Screenshot

  5. [] Then, under Set permissions for documents and emails containing this label, click Protect, and under Protection, click on Azure (cloud key).

    ^IMAGEOpen Screenshot

  6. [] In the Protection blade, click + Add Permissions.

    ^IMAGEOpen Screenshot

  7. [] In the Add permissions blade, click on + Add contoso – All members and click OK.

    ^IMAGEOpen Screenshot

  8. [] In the Protection blade, click OK.

    ^IMAGEOpen Screenshot

  9. [] In the Sub-label blade, scroll down to the Set visual marking (such as header or footer) section and under Documents with this label have a header, click On.

    Use the values in the table below to configure the Header.

    | Setting | Value |
    |---|---|
    | Header text | Contoso Internal |
    | Header font size | 24 |
    | Header color | Purple |
    | Header alignment | Center |

    [!NOTE] These are sample values to demonstrate marking possibilities and NOT a best practice.

    ^IMAGEOpen Screenshot

  10. [] To complete creation of the new sub-label, click the Save button and then click OK in the Save settings dialog.

    ^IMAGEOpen Screenshot

  11. [] In the Azure Information Protection - Labels blade, expand Confidential (if necessary) and then click on Recipients Only.

    ^IMAGEOpen Screenshot

  12. [] In the Label: Recipients Only blade, change the Label display name from Recipients Only to Do Not Forward.

    ^IMAGEOpen Screenshot

  13. [] Next, in the Set permissions for documents and emails containing this label section, under Protection, click Azure (cloud key): User defined.

    ^IMAGEOpen Screenshot

  14. [] In the Protection blade, under Set user-defined permissions (Preview), verify that only the Box next to In Outlook apply Do Not Forward is checked, then click OK.

    ^IMAGEOpen Screenshot

    [!KNOWLEDGE] Although no setting is changed during this step, it is included to show that this label will only display in Outlook and not in Word, Excel, PowerPoint, or File Explorer.

  15. [] Click Save in the Label: Recipients Only blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  16. [] Click the X in the upper right corner of the blade to close.

    ^IMAGEOpen Screenshot
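Before rolling the new sub-label out to users, confirm from the client side that it really applies Azure RMS protection with the expected audience. The function below is an added example, not part of the lab or the AIP client documentation: it labels a copy of a document with Set-AIPFileLabel and reads the result back with Get-AIPFileStatus (both cmdlets ship with the AIP client). It assumes you are signed in to AIP on Client01, that you paste the sub-label's Label ID from the portal into the -LabelId parameter, and that you point -SourceDocument at any unlabeled Office file you can afford to copy; the GUID and path in the usage line are placeholders, not lab values.

```powershell
# Added example (not lab code): apply a sub-label to a test copy and verify the outcome.
function Test-AipLabelProtection {
    param(
        [Parameter(Mandatory)][string]$LabelId,          # Label ID copied from the portal
        [Parameter(Mandatory)][string]$SourceDocument,   # any unlabeled Office document
        [string]$ExpectedSubLabel = 'Contoso Internal'
    )

    # The portal's Label ID is a GUID. Trim and validate it first: a stray leading or trailing
    # space makes Set-AIPFileLabel fail, and breaks advanced-setting values in the same way.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($LabelId.Trim(), [ref]$guid)) {
        throw "LabelId '$LabelId' is not a valid GUID"
    }

    # Always work on a copy so the source document is never relabeled by accident.
    $ext  = [IO.Path]::GetExtension($SourceDocument)
    $work = Join-Path $env:TEMP ('aip-label-check-' + $guid.ToString('N').Substring(0, 8) + $ext)
    Copy-Item -Path $SourceDocument -Destination $work -Force

    Set-AIPFileLabel -Path $work -LabelId $guid | Out-Null

    # Get-AIPFileStatus reports the classification and, when protection is applied, the
    # RMS template and owner that the label resolved to.
    $status = Get-AIPFileStatus -Path $work
    $passed = [bool]$status.IsLabeled -and
              ($status.SubLabelName -eq $ExpectedSubLabel) -and
              [bool]$status.IsRMSProtected

    [pscustomobject]@{
        File           = $work
        IsLabeled      = $status.IsLabeled
        Label          = "$($status.MainLabelName) \ $($status.SubLabelName)"
        IsRMSProtected = $status.IsRMSProtected
        RMSTemplate    = $status.RMSTemplateName
        RMSOwner       = $status.RMSOwner
        Passed         = $passed
    }
}

# Usage (placeholders): paste the Contoso Internal Label ID and pick a document to copy.
# $r = Test-AipLabelProtection -LabelId '00000000-0000-0000-0000-000000000000' -SourceDocument 'C:\Users\Public\Documents\sample.docx'
# $r | Format-List
```

Passed is true only when the file is labeled, carries the expected sub-label, and is RMS-protected; a label that shows as applied but with IsRMSProtected false means the Protect setting did not save, which is the failure mode users cannot see from the Office bar.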


Configuring Global Policy

⬆️ Top

In this task, we will assign the new sub-label to the Global policy and configure several global policy settings that will increase Azure Information Protection adoption among your users and reduce ambiguity in the user interface.

  1. [] In the Azure Information Protection blade, under Classifications on the left, click Policies.

  2. [] Click the Global policy.

    ^IMAGEOpen Screenshot

  3. [] In the Policy: Global blade, wait for the labels to load.

    [!KNOWLEDGE] The policies should look like the image below. If they still show as loading, refresh the browser page, then reopen the Global policy and they should load.

    !IMAGElabels.png

  4. [] Below the labels, click Add or remove labels.

  5. [] In the Policy: Add or remove labels blade, ensure that the Boxes next to all labels including the new Contoso Internal label are checked and click OK.

  6. [] In the Policy: Global blade, under the Configure settings to display and apply on Information Protection end users section, configure the policy to match the settings shown in the table and image below.

    | Setting | Value |
    |---|---|
    | Select the default label | General |
    | All documents and emails must have a label… | On |
    | Users must provide justification to set a lower… | On |
    | For email messages with attachments, apply a label… | Automatic |
    | Display the Information Protection Bar in Office apps | On |
    | Add the Do Not Forward button to the Outlook ribbon | Off |

    !IMAGEOpen Screenshot

  7. [] Click Save, then OK to complete configuration of the Global policy.

    ^IMAGEOpen Screenshot

  8. [] Click the X in the upper right corner to close the Policy: Global blade.

    ^IMAGEOpen Screenshot


Creating a Scoped Label and Policy

⬆️ Top

Now that you have learned how to work with global labels and policies, we will create a new scoped label and policy for the Legal team at Contoso.

  1. [] Under Classifications on the left, click Labels.

    ^IMAGEOpen Screenshot

  2. [] In the Azure Information Protection – Labels blade, right-click on Highly-Confidential and click Add a sub-label.

    ^IMAGEOpen Screenshot

  3. [] In the Sub-label blade, enter Legal Only for the Label display name and for Description enter Data is classified and protected. Legal department staff can edit, forward and unprotect.

    ^IMAGEOpen Screenshot

  4. [] Then, under Set permissions for documents and emails containing this label, click Protect and under Protection, click Azure (cloud key).

    ^IMAGEOpen Screenshot

  5. [] In the Protection blade, under Protection settings, click the + Add permissions link.

    !IMAGEozzumi7l.jpg

  6. [] In the Add permissions blade, click + Browse directory.

    ^IMAGEOpen Screenshot

  7. [] In the AAD Users and Groups blade, wait for the names to load, then check the Boxes next to Adam Jones and Alice Anderson, and click the Select button.

    ^IMAGEOpen Screenshot

    [!Note] In a production environment, you will typically use a synced or Azure AD Group rather than choosing individuals.

  8. [] In the Add permissions blade, click OK.

    ^IMAGEOpen Screenshot

  9. [] In the Protection blade, under Allow offline access, reduce the Number of days the content is available without an Internet connection value to 3 and click OK.

    [!Knowledge] This value determines how many days a user will have offline access from the time a document is opened, and an initial Use License is acquired. While this provides convenience for users, it is recommended that this value be set appropriately based on the sensitivity of the content.

    ^IMAGEOpen Screenshot

  10. [] Click Save in the Sub-label blade and OK to the Save settings prompt to complete the creation of the Legal Only sub-label.

    ^IMAGEOpen Screenshot

  11. [] In the Azure Information Protection blade, under Classifications on the left, click Policies then click the +Add a new policy link.

    ^IMAGEOpen Screenshot

  12. [] In the Policy blade, for Policy name, type No Default Label Scoped Policy and click on Select which users or groups get this policy. Groups must be email-enabled.

    !IMAGE1sjw3mc7.jpg

  13. [] In the AAD Users and Groups blade, click on Users/Groups.

  14. [] Then in the second AAD Users and Groups blade, wait for the names to load and check the Boxes next to AIPScanner, Adam Jones, and Alice Anderson.

    [!NOTE] The AIPScanner account is added here to prevent all scanned documents from being labeled with a default label.

  15. [] Click the Select button.

  16. [] Finally, click OK.

    ^IMAGEOpen Screenshot

  17. [] In the Policy blade, under the labels, click on Add or remove labels to add the scoped label.

    !IMAGEb6e9nbui.jpg

  18. [] In the Policy: Add or remove labels blade, check the Box next to Legal Only and click OK.

    ^IMAGEOpen Screenshot

  19. [] In the Policy blade, under Configure settings to display and apply on Information Protection end users section, under Select the default label, select None as the default label for this scoped policy.

    !IMAGE4mxceage.jpg

  20. [] Click Save, then OK to complete creation of the No Default Label Scoped Policy.

    ^IMAGEOpen Screenshot

  21. [] Click on the X in the upper right-hand corner to close the policy.


Configuring Advanced Policy Settings

⬆️ Top

There are many advanced policy settings that are useful to tailor your Azure Information Protection deployment to the needs of your environment. In this task, we will cover one setting that is very complementary to scoped policies that have no default label or a protected default label. Because the No Default Label Scoped Policy we created in the previous task has no default label, we will add an alternate default label for Outlook to provide a more palatable user experience for those users.

  1. [] In the Azure Information Protection blade, under Classifications on the left, click on Labels and then click on the General label.

    ^IMAGEOpen Screenshot

  2. [] In the Label: General blade, scroll to the bottom and copy the Label ID and close the blade using the X in the upper right-hand corner.

    !IMAGE8fi1wr4d.jpg

  3. [] In the AIP Portal, under Classifications on the left, click on Policies.

  4. [] Right-click on the No Default Label Scoped Policy and click on Advanced settings.

    ^IMAGEOpen Screenshot

  5. [] In the Advanced settings blade, in the textBox under VALUE, paste the Label ID for the General label you copied previously. In the textBox under NAME, type OutlookDefaultLabel, then click Save and close.

    [!ALERT] CAUTION: Please check to ensure that there are no spaces before or after the Label ID when pasting as this will cause the setting to not apply.

    !IMAGEezt8sfs3.jpg

    [!HINT] This and additional Advanced Policy Settings can be found at https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations


Defining Recommended and Automatic Conditions

⬆️ Top

One of the most powerful features of Azure Information Protection is the ability to guide your users in making sound decisions around safeguarding sensitive data. This can be achieved in many ways through user education or reactive events such as blocking emails containing sensitive data.

However, helping your users to properly classify and protect sensitive data at the time of creation is a more organic user experience that will achieve better results long term. In this task, we will define some basic recommended and automatic conditions that will trigger based on certain types of sensitive data.

  1. [] Under Analytics on the left, click on Data discovery (Preview) to view the results of the discovery scan we performed previously.

    !IMAGEDashboard.png

    [!KNOWLEDGE] Notice that there are no labeled or protected files shown at this time. This uses the AIP P1 discovery functionality available with the AIP Scanner. Only the predefined Office 365 Sensitive Information Types are available with AIP P1 as Custom Sensitive Information Types require automatic conditions to be defined, which is an AIP P2 feature.

    [!NOTE] Now that we know the sensitive information types that are most common in this environment, we can use that information to create Recommended conditions that will help guide user behavior when they encounter this type of data.

    [!ALERT] If no data is shown, it may still be processing. Continue with the lab and come back to see the results later.

  2. [] Under Classifications on the left, click Labels then expand Confidential, and click on Contoso Internal.

    ^IMAGEOpen Screenshot

  3. [] In the Label: Contoso Internal blade, scroll down to the Configure conditions for automatically applying this label section, and click on + Add a new condition.

    !IMAGEcws1ptfd.jpg

  4. [] In the Condition blade, in the Select information types search Box, type EU and check the Boxes next to the items shown below.

    !IMAGExaj5hupc.jpg

  5. [] Next, before saving, replace EU in the search bar with credit and check the Box next to Credit Card Number.

    ^IMAGEOpen Screenshot

  6. [] Click Save in the Condition blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

    [!Knowledge] By default the condition is set to Recommended and a policy tip is created with standardized text.

    !IMAGEqdqjnhki.jpg

  7. [] Click Save in the Label: Contoso Internal blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  8. [] Press the X in the upper right-hand corner to close the Label: Contoso Internal blade.

    ^IMAGEOpen Screenshot

  9. [] Next, expand Highly Confidential and click on the All Employees sub-label.

    ^IMAGEOpen Screenshot

  10. [] In the Label: All Employees blade, scroll down to the Configure conditions for automatically applying this label section, and click on + Add a new condition.

    ^IMAGEOpen Screenshot

  11. [] In the Condition blade, select the Custom tab and enter Password for the Name and in the textBox below Match exact phrase or pattern, type pass@word1.

    !IMAGEra7dnyg6.jpg

  12. [] Click Save in the Condition blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  13. [] In the Labels: All Employees blade, in the Configure conditions for automatically applying this label section, click Automatic.

    !IMAGE245lpjvk.jpg

    [!HINT] The policy tip is automatically updated when you switch the condition to Automatic.

  14. [] Click Save in the Label: All Employees blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  15. [] Press the X in the upper right-hand corner to close the Label: All Employees blade.

    ^IMAGEOpen Screenshot


===

Testing AIP Policies

⬅️ Home

Now that you have three test systems whose users are affected by different policies, we can start testing those policies. This exercise will run through various scenarios to demonstrate the use of AIP global and scoped policies and show the functionality of recommended and automatic labeling. This Exercise will walk you through the items below.

[!ALERT] If you see a warning about a metered connection in Office, click Connect anyway to allow Office to connect. If you do not do this you will get errors when connecting to the AIP service. The VMs are set to metered to increase network speed.


Testing User Defined Permissions

⬆️ Top

One of the most common use cases for AIP is the ability to send emails using User Defined Permissions (Do Not Forward). In this task, we will send an email using the Do Not Forward label to test that functionality.

  1. [] On @lab.VirtualMachine(Client03).SelectLink, log in using the password +++@lab.VirtualMachine(Client01).Password+++.
  2. [] Launch Microsoft Outlook, and click Accept and start Outlook.
  3. [] In the username Box, type EvanG@@lab.cloudcredential(134).TenantName and click Connect.
  4. [] When prompted, type pass@word1 and Sign in.
  5. [] On the Use this account everywhere page, click Yes then click Done.
  6. [] Once configuration completes, uncheck the Box to Set up Outlook Mobile and click OK.
  7. [] Close Outlook and reopen to complete activation.
  8. [] Once Outlook opens, if you receive a metered connection warning, click Connect anyway.
  9. [] Click on the New email button.

!IMAGE6wan9me1.jpg

> [!KNOWLEDGE] Note that the **Sensitivity** is set to **General** by default.
>
> !IMAGE[5esnhwkw.jpg](\Media\5esnhwkw.jpg)
  10. [] Send an email to Adam Jones and Alice Anderson (Adam Jones;Alice Anderson). You may optionally add an external email address (preferably from a major social provider like gmail, yahoo, or outlook.com) to test the external recipient experience. For the Subject and Body type Test Do Not Forward Email.

^IMAGEOpen Screenshot

  11. [] In the Sensitivity Toolbar, click on Confidential and then the Do Not Forward sub-label and click Send.

!IMAGEw8j1w1lm.jpg

> [!Knowledge] If you receive the error message below, click on the Confidential \ Contoso Internal sub-label to force the download of your AIP identity certificates, then follow the steps above to change the label to Confidential \ Do Not Forward.
>
> !IMAGE[6v6duzbd.jpg](\Media\6v6duzbd.jpg)

  12. [] Switch over to @lab.VirtualMachine(Client01).SelectLink, log in using the password +++@lab.VirtualMachine(Client01).Password+++ and open Outlook.
  13. [] Run through setup, this time using the credentials adamj@@lab.CloudCredential(134).TenantName and pass@word1.
  14. [] Review the email in Adam Jones’s Outlook. You will notice that the email is automatically shown in Outlook natively.

!IMAGE0xby56qt.jpg

> [!Hint] The **Do Not Forward** protection template will normally prevent the sharing of the screen and taking screenshots when protected documents or emails are loaded.  However, since this screenshot was taken within a VM, the operating system was unaware of the protected content and could not prevent the capture.  
>
>It is important to understand that although we put controls in place to reduce risk, if a user has view access to a document or email they can take a picture with their smartphone or even retype the message. That said, if the user is not authorized to read the message then it will not even render and we will demonstrate that next.

> [!KNOWLEDGE] If you elected to send a Do Not Forward message to an external email, you will have an experience similar to the images below.  These captures are included to demonstrate the functionality for those that chose not to send an external message.
>
> !IMAGE[tzj04wi9.jpg](\Media\tzj04wi9.jpg)
> 
> Here the user has received an email from Evan Green and they can click on the **Read the message** button.
>
>!IMAGE[wiefwcho.jpg](\Media\wiefwcho.jpg)
>
>Next, the user is given the option to either log in using the social identity provider (**Sign in with Google**, Yahoo, Microsoft Account), or to **sign in with a one-time passcode**.
>
>If they choose the social identity provider login, it should use the token previously cached by their browser and display the message directly.
>
>If they choose one-time passcode, they will receive an email like the one below with the one-time passcode.
>
>!IMAGE[m6voa9xi.jpg](\Media\m6voa9xi.jpg)
>
>They can then use this code to authenticate to the Office 365 Message Encryption portal.
>
>!IMAGE[8pllxint.jpg](\Media\8pllxint.jpg)
>
>After using either of these authentication methods, the user will see a portal experience like the one shown below.
>
>!IMAGE[3zi4dlk9.jpg](\Media\3zi4dlk9.jpg)

Testing Global Policy

⬆️ Top

In this task, we will create a document and send an email to demonstrate the functionality defined in the Global Policy.

  1. [] Switch to @lab.VirtualMachine(Client03).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] In Microsoft Outlook, click on the New email button.

    ^IMAGEOpen Screenshot

  3. [] Send an email to Adam Jones, Alice Anderson, and yourself (Adam Jones;Alice Anderson;@lab.User.Email). For the Subject and Body type Test Contoso Internal Email.

    ^IMAGEOpen Screenshot

  4. [] In the Sensitivity Toolbar, click on Confidential and then Contoso Internal and click Send.

^IMAGEOpen Screenshot

  5. [] On @lab.VirtualMachine(Client01).SelectLink, log in using the password +++@lab.VirtualMachine(Client01).Password+++ and observe that you are able to open the email natively in the Outlook client. Also observe the header text that was defined in the label settings.

    !IMAGEbxz190x2.jpg

  6. [] In your email, note that you will be unable to open this message. This experience will vary depending on the client you use (the image below is from Outlook 2016 for Mac) but they should have similar messages after presenting credentials. Since this is not the best experience for the recipient, later in the lab we will configure Exchange Online Mail Flow Rules to prevent content classified with internal only labels from being sent to external users.

    !IMAGE52hpmj51.jpg


Testing Scoped Policy

⬆️ Top

In this task, we will create a document and send an email from one of the users in the Legal group to demonstrate the functionality defined in the first exercise. We will also show the behavior of the No Default Label policy on documents.

  1. [] Switch to @lab.VirtualMachine(Client01).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] In Microsoft Outlook, click on the New email button.

    ^IMAGEOpen Screenshot

  3. [] Send an email to Alice Anderson and Evan Green (Alice Anderson;Evan Green). For the Subject and Body type Test Highly Confidential Legal Email.

  4. [] In the Sensitivity Toolbar, click on Highly Confidential and the Legal Only sub-label, then click Send.

    ^IMAGEOpen Screenshot

  5. [] Switch to @lab.VirtualMachine(Client02).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  6. [] Run through setup, this time using the credentials AliceA@@lab.CloudCredential(134).TenantName and pass@word1.

  7. [] Review the email in Alice Anderson’s Outlook. You should be able to open the message natively in the client as Alice.

    !IMAGEqeqtd2yr.jpg

  8. [] Switch to @lab.VirtualMachine(Client03).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  9. [] Click on the email. You should be unable to open the message as Evan.

    !IMAGE6y99u8cl.jpg

    [!Knowledge] You may notice that the Office 365 Message Encryption wrapper message is displayed in the preview pane. It is important to note that the content of the email is not displayed here. The content of the message is contained within the encrypted message.rpmsg attachment and only authorized users will be able to decrypt this attachment.

    !IMAGEw4npbt49.jpg

    If an unauthorized recipient clicks on Read the message to go to the OME portal, they will be presented with the same wrapper message. Like the external recipient from the previous task, this is not an ideal experience. So, you may want to use a mail flow rule to manage scoped labels as well.

    !IMAGEhtjesqwe.jpg

  10. [] Switch to @lab.VirtualMachine(Client01).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  11. [] Open Microsoft Word.

  12. [] Create a new Blank document and type This is a test document and save the document.

    [!ALERT] When you click Save, you will be prompted to choose a classification. This is a result of having None set as the default label in the scoped policy while requiring all documents to be labeled. This is useful for driving active classification decisions by specific groups within your organization. Notice that Outlook still has a default of General because of the Advanced setting we added to the scoped policy. This is recommended because users send many more emails each day than they create documents. Forcing users to classify each email would be an unpleasant user experience, whereas they are typically more understanding of having to classify each document if they are in a sensitive department or role.

  13. [] Choose a classification to save the document.


Testing Recommended and Automatic Classification

⬆️ Top

In this task, we will test the recommended and automatic conditions we defined in Exercise 1. Recommended conditions can be used to help organically train your users to classify sensitive data appropriately and provide a method for testing the accuracy of your detections prior to switching to automatic classification. Automatic conditions should be used after thorough testing or with items you are certain need to be protected. Although the examples used here are fairly simple, in production these could be based on complex regex statements or only trigger when a specific quantity of sensitive data is present.

  1. [] Switch to @lab.VirtualMachine(Client03).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] Launch Microsoft Word.

  3. [] In Microsoft Word, create a new Blank document and type My AMEX card number is 344047014854133. The expiration date is 09/28, and the CVV is 4368 and save the document.

    [!NOTE] This card number is a fake number that was generated using the Credit Card Generator for Testing at https://developer.paypal.com/developer/creditCardGenerator/. The Microsoft Classification Engine uses the Luhn Algorithm to prevent false positives so when testing, please make sure to use valid numbers.

  4. [] Notice that you are prompted with a recommendation to change the classification to Confidential \ Contoso Internal. Click on Change now to set the classification and protect the document.

    !IMAGEurl9875r.jpg

    [!Knowledge] Notice that, like the email in Task 2 of this exercise, the header value configured in the label is added to the document.

    !IMAGEdcq31lz1.jpg

  5. [] In Microsoft Word, create a new Blank document and type my password is pass@word1 and save the document.

    [!HINT] Notice that the document is automatically classified and protected with the Highly Confidential \ All Employees label.

    !IMAGE6vezzlnj.jpg

  6. [] Next, in Microsoft Outlook, click on the New email button.

    ^IMAGEOpen Screenshot

  7. [] Draft an email to Alice Anderson and Adam Jones (Alice Anderson;Adam Jones). For the Subject and Body type Test Highly Confidential All Employees Automation.

    ^IMAGEOpen Screenshot

  8. [] Attach the second document you created to the email.

    !IMAGE823tzyfd.jpg

    [!HINT] Notice that the email was automatically classified as Highly Confidential \ All Employees. This functionality is highly recommended because matching the email classification to attachments provides a much more cohesive user experience and helps to prevent inadvertent information disclosure in the body of sensitive emails.

    !IMAGEyv0afeow.jpg

  9. [] In the email, click Send.
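The note under step 3 of this task points out that the classification engine applies the Luhn checksum so that the Credit Card Number information type does not fire on arbitrary digit runs. As an added illustration that is not part of the lab or its scripts, the Python below extracts card-number candidates from the exact sentence typed in step 3, filters them with the Luhn check and applies a minCount threshold like the one used in the mail flow rule later in this lab; the sample text, including the deliberately invalid second number, is constructed.

```python
import re
from typing import List

# Constructed sample text (not from the lab files): line 1 is the exact sentence
# typed in step 3 of this task; line 2 carries a number that looks like a card
# number but fails the Luhn check (last digit changed); line 3 is a standard
# industry test number typed with spaces.
SAMPLE_DOCUMENT = (
    "My AMEX card number is 344047014854133. The expiration date is 09/28, "
    "and the CVV is 4368\n"
    "Ticket reference 344047014854134 should not be treated as a card number\n"
    "Card on file: 4111 1111 1111 1111\n"
)

# Candidate pattern: 13 to 19 digits, optionally separated by single spaces or
# dashes. The word boundaries stop us matching inside longer digit runs.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit. Every second digit is doubled; when the
    # result has two digits they are summed, which is the same as subtracting 9.
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid candidates found in text, normalised to digits only."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def condition_matches(text: str, min_count: int = 1) -> bool:
    """Mimic a 'Credit Card Number' condition with a minCount threshold: true when
    at least min_count distinct Luhn-valid numbers are present."""
    return len(set(find_card_numbers(text))) >= min_count


if __name__ == "__main__":
    for line in SAMPLE_DOCUMENT.splitlines():
        hits = find_card_numbers(line)
        verdict = "RECOMMEND Confidential \\ Contoso Internal" if hits else "no match"
        print(f"{verdict:45} {line}")
```

Running the block shows that only the first and third lines trigger the recommendation; the second line is a false positive the checksum discards, which is why the lab asks you to test with Luhn-valid numbers.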


===

Base Configuration Exercise Complete

In this exercise, we walked through the configuration of Global and Scoped policies and labels. We demonstrated the use of these and showed how recommended and automatic conditions function within the Office applications. Choose one of the exercises below or click the Next button to continue sequentially.


===

Bulk Classification

⬅️ Home

In this task, we will perform bulk classification using the built-in functionality of the AIP client. This can be useful for users that want to classify/protect many documents that exist in a central location or locations identified by scanner discovery. Because this is done manually, it is an AIP P1 feature.

  1. [] On @lab.VirtualMachine(Scanner01).SelectLink, log in with the password +++@lab.VirtualMachine(Scanner01).Password+++.

  2. [] Browse to the C:\.

  3. [] Right-click on the PII folder and select Classify and Protect.

    !IMAGECandP.png

  4. [] When prompted, click use another account and use the credentials below to authenticate:

    AIPScanner@@lab.CloudCredential(134).TenantName

    Somepass1

  5. [] In the AIP client Classify and protect interface, select Highly Confidential\All Employees and press Apply.

    !IMAGECandP2.png

[!Alert] If you are unable to see the Apply button due to screen resolution, press Alt+A and then Enter to apply the label to the content.

[!NOTE] You may review the results in a text file by clicking show results, or simply close the window.


===

Bulk Classification Exercise Complete

In this exercise, we performed bulk classification using the built-in functionality of the AIP client. This can be useful for users that want to classify/protect many documents that exist in a central location or locations identified by scanner discovery. Choose one of the exercises below or click the Next button to continue sequentially.


===

Security and Compliance Center

⬅️ Home

In this exercise, we will migrate your AIP Labels and activate them in the Security and Compliance Center. This will allow you to see the labels in Microsoft Information Protection based clients such as Office 365 for Mac and Mobile Devices.

Although we will not be demonstrating these capabilities in this lab, you can use the tenant information provided to test on your own devices.


Activating Unified Labeling

⬆️ Top

In this task, we will activate the labels from the Azure Portal for use in the Security and Compliance Center.

  1. [] On @lab.VirtualMachine(Client01).SelectLink, in the AIP blade, click on Unified labeling (Preview).

    !IMAGEUnified Labeling

  2. [] Click Activate and Yes.

    !IMAGEo0ahpimw.jpg

    [!NOTE] You should see a message similar to the one below.

    !IMAGESCCMigration.png

  3. [] In a new tab, browse to https://protection.office.com/ and click on Classifications and Labels to review the migrated labels.

    [!NOTE] Keep in mind that now that the SCC Sensitivity Labels have been activated, any modifications, additions, or deletions will be synchronized to Azure Information Protection in the Azure Portal. There are some functional differences between the two sections (DLP in SCC, HYOK & Custom Permissions in AIP), so please be aware of this when modifying policies to ensure a consistent experience on clients.


Deploying Policy in SCC

⬆️ Top

The previous step enabled the AIP labels for use in the Security and Compliance Center. However, this did not also recreate the policies from the AIP portal. In this step we will publish a Global policy like the one we used in the AIP portal for use with unified clients.

  1. [] In the Security and Compliance Center, under Classifications, click on Label policies.

  2. [] In the Label policies pane, click Publish labels.

    ^IMAGEOpen Screenshot

  3. [] On the Choose labels to publish page, click the Choose labels to publish link.

    ^IMAGEOpen Screenshot

  4. [] In the Choose labels pane, click the + Add button.

    ^IMAGEOpen Screenshot

  5. [] Click the box next to Display name to select all labels, then click the Add button.

    ^IMAGEOpen Screenshot

  6. [] Click the Done button.

    ^IMAGEOpen Screenshot

  7. [] Back on the Choose labels to publish page, click the Next button.

    ^IMAGEOpen Screenshot

  8. [] On the Publish to users and groups page, notice that All users are included by default. If you were creating a scoped policy, you would choose specific users or groups to publish to. Click Next.

    ^IMAGEOpen Screenshot

  9. [] On the Policy settings page, select the General label from the drop-down next to Apply this label by default to documents and email.

  10. [] Check the box next to Users must provide justification to remove a label or lower classification label and click the Next button.

    !IMAGEOpen Screenshot

  11. [] In the Name textbox, type Global Policy and for the Description type This is the default global policy for all users. and click the Next button.

    ^IMAGEOpen Screenshot

  12. [] Finally, on the Review your settings page, click the Publish button.

    !IMAGEOpen Screenshot


===

Security and Compliance Center Exercise Complete

In this exercise, we enabled and published labels and policies in the Security and Compliance Center for use with clients based on the MIP SDK. We demonstrated this using Adobe PDF integration. Choose one of the exercises below or click the Next button to continue sequentially.


===

AIP Scanner Classification, Labeling, and Protection

⬅️ Home

The Azure Information Protection scanner allows you to classify and protect sensitive information stored in on-premises CIFS file shares and SharePoint sites.

In this exercise, you will configure conditions for automatic classification. After that, we will run the AIP Scanner in enforce mode to classify and protect the identified sensitive data. This Exercise will walk you through the items below.

[!Alert] This exercise requires completion of the previous AIP Scanner Discovery exercise. If you did not already complete that exercise, please do so prior to continuing.


Defining Automatic Conditions

⬅️ Home

The Azure Information Protection scanner requires Automatic conditions to enforce labeling and protection on discovered files in repositories. In this task, we will configure Automatic conditions for use with the scanner.

  1. [] Switch to @lab.VirtualMachine(Client01).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] In the AIP blade, under Analytics on the left, click on Data discovery (Preview) to view the results of the discovery scan we performed previously.

    !IMAGEDashboard.png

    [!KNOWLEDGE] The screenshot above shows a discovery only scan. Notice that there are no labeled or protected files shown at this time. This uses the AIP P1 discovery functionality available with the AIP Scanner. Only the predefined Office 365 Sensitive Information Types are available with AIP P1 as Custom Sensitive Information Types require automatic conditions to be defined, which is an AIP P2 feature.

    [!ALERT] It is very likely that the dashboard in your lab will not be populated at this point as you have just started the discovery scan. Continue with the lab and we will come back to see the results later.

  3. [] Under Classifications on the left, click Labels then expand Confidential, and click on All Employees.

    ^IMAGEOpen Screenshot

  4. [] In the Label: All Employees blade, scroll down to the Configure conditions for automatically applying this label section, and click on + Add a new condition.

    !IMAGEcws1ptfd.jpg

  5. [] In the Condition blade, in the Select information types search box, type EU and check the boxes next to the items shown below.

    !IMAGExaj5hupc.jpg

  6. [] Click Save in the Condition blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  7. [] In the Labels: All Employees blade, in the Configure conditions for automatically applying this label section, click Automatic.

  8. [] Click Save in the Label: All Employees blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  9. [] Press the X in the upper right-hand corner to close the Label: All Employees blade.

    ^IMAGEOpen Screenshot

  10. [] Next, expand Highly Confidential and click on the All Employees sub-label.

    ^IMAGEOpen Screenshot

  11. [] In the Label: All Employees blade, scroll down to the Configure conditions for automatically applying this label section, and click on + Add a new condition.

    ^IMAGEOpen Screenshot

  12. [] In the Condition blade, in the search bar type credit and check the box next to Credit Card Number.

    ^IMAGEOpen Screenshot

  13. [] Click Save in the Condition blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  14. [] In the Labels: All Employees blade, in the Configure conditions for automatically applying this label section, click Automatic.

    [!HINT] The policy tip is automatically updated when you switch the condition to Automatic.

    !IMAGE245lpjvk.jpg

  15. [] Click Save in the Label: All Employees blade and OK to the Save settings prompt.

    ^IMAGEOpen Screenshot

  16. [] Press the X in the upper right-hand corner to close the Label: All Employees blade.

    ^IMAGEOpen Screenshot


Enforcing Configured Rules

⬆️ Top

In this task, we will modify the AIP scanner Profile to enforce the conditions we set up and have it run on all files using the Start-AIPScan command.

  1. [] On @lab.VirtualMachine(Client01).SelectLink, return to Scanner > Profiles (Preview) in the Azure Portal.

    [!NOTE] If needed, navigate to https://aka.ms/ScannerProfiles and log in with the credentials below:

    @lab.CloudCredential(134).Username

    @lab.CloudCredential(134).Password

  2. [] Click on the East US profile.

  3. [] In the East US profile, under Profile settings, configure the settings in the table below.

    | Policy | Value |
    |---|---|
    | Schedule | Always |
    | Info types to be discovered | Policy only |
    | Enforce | On |

    !IMAGEEnforce

    [!NOTE] These settings will cause the scanner to run continuously on the repositories, make the scanner only look for the sensitive information types we defined in conditions, and Enforce the labeling and protection of files based on those conditions. Leave all other settings in their current state.

  4. [] Click Save then click the X to close the blade.

  5. [] Next, under Scanner, click on Nodes.

    !IMAGENodes

  6. [] Highlight the row containing Scanner01.Contoso.Azure, and click Scan now in the command list above.

    !IMAGEScanNow

  7. [] The previous command can take up to 5 minutes to run on the AIP scanner Server. Follow the commands below to accelerate the process.

    1. [] Switch to @lab.VirtualMachine(Scanner01).SelectLink and log in with the password +++@lab.VirtualMachine(Scanner01).Password+++.

    2. [] In an Administrative PowerShell window, run the Start-AIPScan command.


Reviewing Protected Documents

⬆️ Top

Now that we have Classified and Protected documents using the scanner, we can review the documents to see their change in status.

  1. [] Switch to @lab.VirtualMachine(Client01).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] Navigate to \\Scanner01.contoso.azure\documents.

    If needed, use the credentials below:

    Contoso\LabUser

    Pa$$w0rd

    ^IMAGEOpen Screenshot

  3. [] Open one of the Contoso Purchasing Permissions documents.

  4. [] When prompted, provide the credentials below:

    EvanG@@lab.CloudCredential(134).TenantName

    pass@word1

  5. [] Click Yes to allow the organization to manage the device.

    [!NOTE] Observe that the document is classified as Highly Confidential \ All Employees.

    !IMAGEs1okfpwu.jpg

  6. [] Next, in the same documents folder, open one of the pdf files.

  7. [] When prompted by Adobe, enter EvanG@@lab.CloudCredential(134).TenantName and press Next.

  8. [] Check the box to save credentials and press Yes.

  9. [] Click Accept in the Permissions requested dialog.

    [!NOTE] The PDF will now open and display the sensitivity across the top of the document.

    !IMAGEPDF

    [!Knowledge] The latest version of Acrobat Reader DC and the MIP Plugin have been installed on this system prior to the lab. Additionally, the sensitivity does not display by default in Adobe Acrobat Reader DC. You must make the modifications below to the registry to make this bar display.

    In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP, create a new DWORD value of bShowDMB and set the Value to 1.

    !IMAGE1547416250228


===

AIP Scanner CLP Exercise Complete

In this exercise, we configured the AIP scanner to use automatic conditions to classify, label, and protect documents in our defined repositories. Choose one of the exercises below or click the Next button to continue sequentially.


===

AIP Analytics Dashboards

⬅️ Home

In this exercise, we will go to the AIP Analytics dashboards and observe them after completing all of the steps in the various exercises. These dashboards give actionable data to AIP admins and their management related to how users are classifying and protecting data and where sensitive data is located throughout the environment. Depending on which exercises you completed these may look different from the screenshots.

  1. [] On @lab.VirtualMachine(Client01).SelectLink, open the browser that is logged into the Azure Portal.

  2. [] In the AIP Portal, under Analytics, click on Usage report (Preview).

    [!NOTE] Observe that there are now entries from the AIP scanner, File Explorer, Microsoft Outlook, and Microsoft Word based on our activities in this lab.

    !IMAGEUsage.png

  3. [] Next, under Analytics, click on Activity logs (preview).

    [!NOTE] We can now see activity from various users and clients including the AIP Scanner and specific users.

    !IMAGEactivity.png

    You can also very quickly filter to just the Highly Confidential documents and identify the repositories and devices that contain this sensitive information.

    !IMAGEactivity2.png

  4. [] Finally, click on Data discovery (Preview).

    [!NOTE] In the Data discovery dashboard, you can see a breakdown of how files are being protected and locations that have sensitive content.

    !IMAGEDiscovery.png

    If you click on one of the locations, you can drill down and see the content that has been protected on that specific device or repository.

    !IMAGEdiscovery2.png


===

AIP Analytics Dashboard Exercise Complete

In this exercise, we reviewed the new AIP Azure Log Analytics dashboards. Choose one of the exercises below or click the Next button to continue sequentially.


===

Exchange Online IRM Capabilities

⬅️ Home

Exchange Online can work in conjunction with Azure Information Protection to provide advanced capabilities for protecting sensitive data being sent over email. You can also manage the flow of classified content to ensure that it is not sent to unintended recipients. This Exercise will walk you through the items below.

Configuring Exchange Online Mail Flow Rules

In this task, we will configure a mail flow rule to detect sensitive information traversing the network in the clear and encrypt it using the Encrypt Only RMS Template. We will also create a mail flow rule to prevent messages classified as Confidential \ All Employees from being sent to external recipients.

  1. [] Switch to @lab.VirtualMachine(Client01).SelectLink and open an Admin PowerShell Prompt.

  2. [] In an Administrative PowerShell window, type C:\Users\LabUser\Desktop\EncryptSensitiveMFR.ps1 and press Enter.

  3. [] When prompted, provide the credentials below:

    @lab.CloudCredential(134).Username

    @lab.CloudCredential(134).Password

    [!NOTE] If prompted to remove a transport rule, hit Enter.

    [!KNOWLEDGE] This mail flow rule can be used to encrypt sensitive data leaving via email. This can be customized to add additional sensitive data types. A breakdown of the command is listed below.

    ```PowerShell
    New-TransportRule `
        -Name "Encrypt external mails with sensitive content" `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate "Encrypt" `
        -MessageContainsDataClassifications @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="Drug Enforcement Agency (DEA) Number"; minCount="1"},@{Name="International Classification of Diseases (ICD-10-CM)"; minCount="1"},@{Name="International Classification of Diseases (ICD-9-CM)"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"})
    ```

    [!KNOWLEDGE] The script runs the code below. This script is available online at https://aka.ms/labscripts

    ```PowerShell
    # Prompt for the tenant admin credentials used for the Exchange Online remote session
    $UserCredential = Get-Credential

    # Open the remote Exchange Online PowerShell session and import its cmdlets
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

    # Remove a leftover rule named "Delete" if one exists (you are prompted to confirm)
    If(Get-TransportRule Delete -ErrorAction SilentlyContinue){Remove-TransportRule Delete}

    # Apply the "Encrypt" RMS template to external mail containing any of the listed sensitive information types
    New-TransportRule -Name "Encrypt external mails with sensitive content" -SentToScope NotInOrganization -ApplyRightsProtectionTemplate "Encrypt" -MessageContainsDataClassifications @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="Drug Enforcement Agency (DEA) Number"; minCount="1"},@{Name="International Classification of Diseases (ICD-10-CM)"; minCount="1"},@{Name="International Classification of Diseases (ICD-9-CM)"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"})
    ```

    [!HINT] Next, we need to capture the Label ID for the Confidential \ All Employees label.

  4. [] Switch to the Azure Portal and under Classifications click on Labels, then expand Confidential and click on All Employees.

    !IMAGEw2w5c7xc.jpg

    [!HINT] If you closed the azure portal, open an Edge InPrivate window and navigate to https://portal.azure.com.

  5. [] In the Label: All Employees blade, scroll down to the Label ID and copy the value.

    !IMAGElypurcn5.jpg

    [!ALERT] Make sure that there are no spaces before or after the Label ID as this will cause the mail flow rule to be ineffective.

  6. [] Next, paste the copied value into a new txt file to use in the next step.

  7. [] In an Administrative PowerShell window, type C:\Users\LabUser\Desktop\BlockInternal.ps1 and press Enter.

  8. [] When prompted, provide the credentials below:

    @lab.CloudCredential(134).Username

    @lab.CloudCredential(134).Password

    [!NOTE] If prompted to remove a transport rule, hit Enter.

    [!KNOWLEDGE] This mail flow rule can be used to prevent internal only communications from being sent to an external audience.

    ```PowerShell
    New-TransportRule `
        -Name "Block Confidential Contoso All Employees" `
        -SentToScope NotInOrganization `
        -HeaderContainsMessageHeader "msip_labels" `
        -HeaderContainsWord $labeltext `
        -RejectMessageReasonText "Contoso internal messages cannot be sent to external recipients."
    ```

    [!KNOWLEDGE] The script runs the code below. This script is available online at https://aka.ms/labscripts

    ```PowerShell
    # Prompt for the tenant admin credentials used for the Exchange Online remote session
    $UserCredential = Get-Credential

    # Open the remote Exchange Online PowerShell session and import its cmdlets
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

    # Ask for the Label ID copied from the Azure Portal in the previous steps
    Add-Type -AssemblyName Microsoft.VisualBasic
    $labelid = [Microsoft.VisualBasic.Interaction]::InputBox('Enter the LabelId for your All Employees Label', 'LabelId')

    # Remove a leftover rule named "Delete" if one exists (you are prompted to confirm)
    If(Get-TransportRule Delete -ErrorAction SilentlyContinue){Remove-TransportRule Delete}

    # The AIP client stamps "MSIP_Label_<LabelId>_enabled=true" into the msip_labels header of labeled mail;
    # reject any message carrying that value when it is addressed to an external recipient
    $labeltext = "MSIP_Label_"+$labelid+"_enabled=true"
    New-TransportRule -Name "Block Confidential Contoso All Employees" -SentToScope NotInOrganization -HeaderContainsMessageHeader "msip_labels" -HeaderContainsWord $labeltext -RejectMessageReasonText "Contoso internal messages cannot be sent to external recipients."
    ```

    [!NOTE] In a production environment, customers would want to create a rule like this for each of their labels that they did not want going externally.
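As an added example (not part of the lab or its scripts), the following Python reproduces locally what the block rule above evaluates: it builds the same `MSIP_Label_<id>_enabled=true` word from a copied Label ID, checks the `msip_labels` header for it as a case-insensitive whole word, and applies the NotInOrganization scope per recipient. The Label ID, tenant ID, internal domains and sample header are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed placeholders: not the lab tenant's real Label ID or domains.
ALL_EMPLOYEES_LABEL_ID = "11111111-2222-3333-4444-555555555555"
INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
REJECT_TEXT = "Contoso internal messages cannot be sent to external recipients."

# Constructed msip_labels header in the shape the AIP client stamps on mail.
SAMPLE_HEADER = (
    f"MSIP_Label_{ALL_EMPLOYEES_LABEL_ID}_Enabled=true; "
    f"MSIP_Label_{ALL_EMPLOYEES_LABEL_ID}_SiteId=00000000-0000-0000-0000-000000000000; "
    f"MSIP_Label_{ALL_EMPLOYEES_LABEL_ID}_Name=All Employees"
)


def label_condition(label_id: str) -> str:
    """The string BlockInternal.ps1 assigns to $labeltext. The ID is trimmed:
    a copied value with surrounding spaces yields a word no header contains."""
    return "MSIP_Label_" + label_id.strip() + "_enabled=true"


def header_contains_word(header_value: str, word: str) -> bool:
    """Whole-word, case-insensitive match as HeaderContainsWords behaves, so
    the client's '_Enabled=true' still matches the rule's '_enabled=true'."""
    tokens = re.split(r"[;\s]+", header_value.strip())
    return word.lower() in (t.lower() for t in tokens)


def is_external(recipient: str) -> bool:
    """SentToScope NotInOrganization: the recipient domain is not ours."""
    return recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate_block_rule(msip_labels: str, recipients: List[str],
                        label_id: str = ALL_EMPLOYEES_LABEL_ID) -> Dict[str, str]:
    """Per-recipient outcome: 'deliver' or 'reject: <reason>'. Only external
    recipients of a message carrying the enabled label are rejected, which is
    why the internal copies in the lab still arrive."""
    labeled = header_contains_word(msip_labels, label_condition(label_id))
    return {
        rcpt: ("reject: " + REJECT_TEXT) if labeled and is_external(rcpt) else "deliver"
        for rcpt in recipients
    }


if __name__ == "__main__":
    for rcpt, action in evaluate_block_rule(
            SAMPLE_HEADER, ["AdamJ@contoso.com", "partner@fabrikam.com"]).items():
        print(f"{rcpt}: {action}")
```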


Demonstrating Exchange Online Mail Flow Rules

⬆️ Top

In this task, we will send emails to demonstrate the results of the Exchange Online mail flow rules we configured in the previous task. This will demonstrate some ways to protect your sensitive data and ensure a positive user experience with the product.

  1. [] Switch to @lab.VirtualMachine(Client03).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  2. [] Open an InPrivate browsing session and browse to https://outlook.office365.com/owa/.

  3. [] Log in using the credentials below.

    EvanG@@lab.CloudCredential(134).TenantName

    pass@word1

  4. [] Send an email to Adam Jones, Alice Anderson, and yourself (Adam Jones;Alice Anderson;@lab.User.Email). For the Subject, type Test Credit Card Email and for the Body, type My AMEX card number is 344047014854133. The expiration date is 09/28, and the CVV is 4368, then click Send.

  5. [] Switch to @lab.VirtualMachine(Client01).SelectLink and log in with the password +++@lab.VirtualMachine(Client01).Password+++.

  6. [] Review the received email.

!IMAGEpidqfaa1.jpg

> [!KNOWLEDGE] Note that there is no encryption applied to the message. That is because we set up the rule to only apply to external recipients. If you were to leave that condition out of the mail flow rule, internal recipients would also receive an encrypted copy of the message. The image below shows the encrypted message that was received externally.
>
> !IMAGE[c5foyeji.jpg](\Media\c5foyeji.jpg)
>
> Below is another view of the same message received in Outlook Mobile on an iOS device.
>
> !IMAGE[599ljwfy.jpg](\Media\599ljwfy.jpg)

  7. [] Next, in Microsoft Outlook, click on the New email button.

  8. [] Send an email to Evan Green, Alice Anderson, and yourself (Evan Green;Alice Anderson;@lab.User.Email). For the Subject and Body type Another Test Contoso Internal Email.

  9. [] In the Sensitivity Toolbar, click on Confidential and then All Employees and click Send.

  10. [] In about a minute, you should receive an Undeliverable message from Exchange with the users that the message did not reach and the message you defined in the previous task.

!IMAGEkgjvy7ul.jpg

> [!NOTE] This rule may take a few minutes to take effect, so if you do not get the undeliverable message, try again in a few minutes.

> [!HINT] There are many other use cases for Exchange Online mail flow rules, but this should give you a quick view into what is possible and how easy it is to improve the security of your sensitive data through the use of Exchange Online mail flow rules and Azure Information Protection.

===

Exchange IRM Exercise Complete

In this exercise, we created several Exchange Online Mail Flow Rules to protect sensitive data or improve user experience. Choose one of the exercises below or click the Next button to complete the Lab.


===

AIP Lab Complete

⬅️ Home

Congratulations! You have completed the Azure Information Protection Hands on Lab.

===