A previous post covered how to dynamically assign Intune licenses using Azure AD dynamic user security groups; the same technique works for scoping Azure Information Protection (AIP) policies.
When an organisation has configured global labels, such as the default labels shown in the image below, it can apply a policy to all users, to all Azure Information Protection Plan 1 licensed users, or to all Azure Information Protection Plan 2 licensed users. The two dynamic groups below provide the licence-based scopes.
Azure Information Protection Plan 1 Azure Security Group
Create an Azure Active Directory dynamic user security group, edit the membership rule, and enter the rule below for Azure Information Protection Plan 1 licensed users (service plan RMS_S_PREMIUM):
user.assignedPlans -any (assignedPlan.servicePlanId -eq "6c57d4b6-3b23-47a5-9bc9-69f17b4947b3" -and assignedPlan.capabilityStatus -eq "Enabled")
Azure Information Protection Plan 2 Azure Security Group
Create an Azure Active Directory dynamic user security group, edit the membership rule, and enter the rule below for Azure Information Protection Plan 2 licensed users (service plan RMS_S_PREMIUM2; note the GUID must be 8-4-4-4-12 hex characters, a dropped character makes the rule match nobody):
user.assignedPlans -any (assignedPlan.servicePlanId -eq "5689bec4-755d-4753-8b61-40975025187c" -and assignedPlan.capabilityStatus -eq "Enabled")
If group creation fails with a rule syntax error, check the quotation marks: curly quotes copied from a web page are rejected, so delete the quotes around the GUID and "Enabled" and retype them as straight ASCII quotes on your keyboard.
This solution lets administrators apply policies to all AIP Plan 1 and Plan 2 licensed users, and because the groups are dynamic, membership follows licence assignment: a new employee assigned an AIP licence joins the matching group automatically, and a user whose plan is disabled or removed drops out. Membership is evaluated asynchronously, so allow a few minutes after creating the group or changing a licence before expecting the policy to apply.
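The same two groups created from PowerShell, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK (New-MgGroup, Get-MgSubscribedSku, Get-MgGroupMember, Get-MgUserLicenseDetail) and resolves the service plan IDs from the tenant's subscribed SKUs by their plan names (RMS_S_PREMIUM and RMS_S_PREMIUM2) instead of trusting a pasted GUID; it then spot-checks that a member of the resulting group really holds an active AIP plan, which is the licence check the notes at the end of this post ask for. The group display names and mail nicknames are assumptions; you need Group.ReadWrite.All, Directory.Read.All and User.Read.All in the tenant.

```powershell
# Added example (not the original post's code): create the AIP Plan 1 / Plan 2
# dynamic security groups via Microsoft Graph PowerShell and verify membership.
# Assumes the Microsoft.Graph module is installed; group names are assumptions.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Directory.Read.All', 'User.Read.All'

# Resolve the service plan IDs from the tenant's SKUs rather than pasting GUIDs:
# a single dropped character in a GUID makes the rule silently match nobody.
$plans = (Get-MgSubscribedSku).ServicePlans |
    Select-Object ServicePlanId, ServicePlanName -Unique
$aipP1 = ($plans | Where-Object ServicePlanName -eq 'RMS_S_PREMIUM').ServicePlanId
$aipP2 = ($plans | Where-Object ServicePlanName -eq 'RMS_S_PREMIUM2').ServicePlanId
if (-not $aipP1 -or -not $aipP2) {
    throw 'AIP Plan 1 (RMS_S_PREMIUM) or Plan 2 (RMS_S_PREMIUM2) not found in any subscribed SKU'
}

function New-AipDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $ServicePlanId
    )
    # Straight ASCII quotes only: curly quotes pasted from a web page are rejected.
    $rule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$ServicePlanId`" " +
            "-and assignedPlan.capabilityStatus -eq `"Enabled`")"
    New-MgGroup -DisplayName $DisplayName -MailNickname $MailNickname `
        -MailEnabled:$false -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}

$g1 = New-AipDynamicGroup -DisplayName 'AIP Plan 1 Licensed Users' `
        -MailNickname 'aip-p1-users' -ServicePlanId $aipP1
$g2 = New-AipDynamicGroup -DisplayName 'AIP Plan 2 Licensed Users' `
        -MailNickname 'aip-p2-users' -ServicePlanId $aipP2

# Dynamic membership is evaluated asynchronously; run this part a few minutes
# later. Confirm the group filled up and that a member actually holds the plan.
foreach ($pair in @(@($g1, $aipP1), @($g2, $aipP2))) {
    $group, $planId = $pair
    $members = Get-MgGroupMember -GroupId $group.Id -All
    Write-Host "$($members.Count) member(s) in '$($group.DisplayName)'"
    $sample = $members | Select-Object -First 1
    if ($sample) {
        $detail  = Get-MgUserLicenseDetail -UserId $sample.Id
        $enabled = $detail.ServicePlans |
            Where-Object { $_.ServicePlanId -eq $planId -and $_.ProvisioningStatus -eq 'Success' }
        if (-not $enabled) {
            Write-Warning "User $($sample.Id) is in the group but has no active plan $planId"
        }
    }
}
```

If a user you expect to see is missing, check their licence details first: the rule matches only plans whose capabilityStatus is Enabled, so a user whose AIP plan is disabled under their SKU, or whose licence was removed, is intentionally excluded.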
I recently rolled out AIP at one of my customer sites and they presented me with an interesting challenge. One of their departments wanted the option to choose whether or not to classify and protect data.
This is possible with custom configurations for the AIP client. At the time of writing there are 18 items with custom configurations available.
The full list is in Microsoft's documentation on custom configurations for the Azure Information Protection client.
The next part of this post is a step-by-step guide to setting up a custom label that recommends, rather than enforces, that the user apply the label and its protection.
- Sign in to the Azure Information Protection blade in the Azure portal and create a new label, as per the image below.
- Select Protect, accept the defaults, and add the users or security group that will be granted permissions on content protected by the label, as per the image below.
- Add a keyword condition, as per the image below.
- Select the Protect option, accept the defaults, and add the users or security group that the label will apply to, as per the image below.
- Save the configuration changes; next, create a policy.
- Create a policy. I always match the policy name to the label it will apply. Add the users or security group (one of the dynamic licensed-user groups above is a good choice) and accept the defaults except for one item: change the selection to Recommended, as per the image below.
- Add the label created in the previous section and ensure the default label remains set to None.
- The final piece is to modify the advanced settings of the policy, as per the image below.
- Use the values specified in the image below.
- Attempting to save a Word document containing the specified keyword prompts the user as follows, giving a recommendation rather than enforcing protection or classification.
- When attempting to send an email containing the specified keyword, the AIP client shows a pop-up as per the image below.
- The Azure Information Protection custom features are currently in PREVIEW.
- Always use the latest version of the AIP client.
- If the label does not appear in the Windows client, it may be due to too many Modern Authentication tokens in Credential Manager. This is something that happened on my laptop due to connecting to multiple Office 365 tenants.
- I will post new blogs on more custom options, custom sensitive information types and the AIP scanner.
- When data is protected with the sample label above, only the users or groups granted permissions in the label's protection settings can open it. The policy scope controls who sees the label, not who can open the protected content.
- Always ensure that the users the label and policy apply to have an AIP licence; scoping the policy to the dynamic licensed-user groups above guarantees every member is licensed.