This post is part of the Windows Information Protection (WIP) series. Firstly I walked through the basic, the actual WIP configuration and deployment. Secondly I wrote about the user experience on both MDM enrolled (company owned) and BYO devices (personally owned). Finally in this post I will focus on Azure Rights Management and how it works together with WIP.
Microsoft Azure Rights Management (Azure RMS) helps secure files when users want to share data using removable USB drives. For this to work , you must have Azure Rights Management set up. When Users copy WIP protected files to a USB drive, the protection stays with the data.
This post is part of a series. Have a look at my other posts for more information about WIP.
- Introduction to Windows Information Protection
- Configuring MDM user scope and MAM user scope
- WIP-WE / MAM – Windows Information Protection without enrollment
- Windows Information Protection with Enrollment
- Windows Information Protection User Experience
- WIP-WE User Experience – WIP Without MDM enrollment
- Set up Azure Rights Management for WIP (this post)
- WIP Without Enrollment Selective Wipe
- Troubleshooting Windows Information Protection
- Monitoring and collecting WIP audit event logs
- WIP Learning mode
- Limiting Access to SharePoint Online on unmanaged devices
- Limiting Access to Exchange Online on unmanaged devices
Make sure you have all the prerequisites in place;
- Intune enabled as the MDM authority
- Windows 10 1703 and above (Pro, Enterprise, Education)
- EMS E3 licenses (or at the very least Intune and Azure AD premium P1)
- I have configured and assigned WIP policies
- In this scenario I have configured Azure RMS
Azure Information Protection Labels
It might get confusing from here on because I’ll be referring to Azure Rights Management (Azure RMS) and Azure Information Protection (AIP). Azure Rights Management is the protection technology used by Azure Information Protection. Azure RMS uses encryption, identity, and authorization policies to secure files and protection remains with your files, even when it’s saved on a USB drive. Please read the official documentation about what Azure RMS is to fully understand the solution.
AIP protect documents and emails by applying labels. Azure RMS with WIP only works when you configure Azure Information Protection labels and template. That is what we will do first.
Go to your Azure Portal and then lookup Azure Information Protection. When you’re there, click on Labels and then Add new Label.
Configure your Azure Information Protection Labels (on the left side) and the actual protection template on the right. Read the Microsoft documentation on How to configure a label for Rights Management protection if you are not familiar with AIP labels.
First configure your label and save it. Now the Protection template ID is automatically generated after the template is saved. You will need this ID later when you configure your WIP Policy and enable RMS. Finally, the label will be available on the Azure Information Protection – Labels blade:
Open your Label again to get the Protection Template ID. Click on Protection on the left side. Copy the Protection Template ID.
Please note that a lot is going to change. Read the deprecation notice for more info.
Windows Information Protection mode
I’ve configured the ‘Windows Information Protection mode’ to Allow Overrides. The Network boundaries are configured as described in my previous post Windows Information Protection with Enrollment. I’ve only configured Azure RMS for WIP for company owned, MDM enrolled devices.
Open the policy and edit the advanced settings. Scroll down to Use Azure RMS for WIP and set the switch to On.
Finally paste the Protection Template ID and save your WIP policy.
Azure RMS for WIP User experience
When Users copy Azure RMS WIP protected files to a USB drive, the protection stays with your documents. Now everyone who has access to the protection policies will be able to open these files. Because I’ve configured my WIP policy to allow override, I need to copy documents as work protected to benefit from Azure RMS for WIP.
When you copy files as work protected, the File ownership will show the protected domain.
Everyone who has access to the protection template, will be able to open these files. This is just one method to protect data on USB drives without the risk of data leaks. Another method is to force USB drives or external storage to be Bitlocker encrypted before corporate data can be stored on it.
Preventing data leaks on USB drives
Should these devices be stolen or lost, the corporate data stored on the USB drive would be accessible by anybody that came to be in its possession. Most of the time, these drives are not even encrypted by BitLocker so this is a total GDPR nightmare.
Now Imagine I’ve lost the USB drive with corporate data and another me, found it on the street corner. Next, I plugin the USB drive to my personal Windows 10 device and see there is data stored on it.
Warning: Don’t plugin any USB drives you find on the street! It may well be infected with a virus or other malicious content!
Imagine again, I ignored the warning above. Have a look at the picture below:
Some of these files show a key-lock in the icons and some don’t. Files that don’t show the key-lock are personal files (or corporate files that have been saved as personal) and I can open these without any issues. On the other hand, the files that have the key-lock in the icons are protected by Azure RMS for WIP. When I try to open any of these files, I see the next error:
The USB drive itself is not Bitlocker encrypted, but the data is protected and includes a policy that defines who can access the data. As a result, I can’t open the work protected files on the lost USB drive I found on the street corner. Your corporate data is safe!
Azure RMS for WIP helps protect your corporate data even better because the protection stays with the data wherever it may be. There is a lot more to Azure RMS than what I’ve handled here in this post and I strongly advice you read up on Azure Right Management and Azure Information Protection. I’ve collected some of the resources I think might be a good start.
- Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
- What is Azure RMS?
- How does Azure RMS work? Under the hood
- How to configure a label for Rights Management protection
- What is Azure Information Protection?
- Configuring secure document collaboration by using Azure Information Protection
- How to configure the policy settings for Azure Information Protection
- Configuring and managing templates for Azure Information Protection
- Frequently asked questions for Azure Information Protection
- Azure Information Protection deployment roadmap
- Announcing timelines for sunsetting label management in the Azure portal and AIP client (classic)
- Learn about sensitivity labels
- How to migrate Azure Information Protection labels to unified sensitivity label
- Restrict access to content by using sensitivity labels to apply encryption
- How can I determine if my tenant is on the unified labeling platform?
- How Windows Information Protection (WIP) protects a file that has a sensitivity label