File Protection Solutions Recommended architectures for protecting files in

Office 365

in Office 365
This topic is 1 of 4 in a series 1 2 3 4

Three types of data

1 Baseline data
Microsoft recommends you establish a minimum standard for protecting data,
as well as the identities and devices that access your data. Microsoft provides
strong default protection that meets the needs of many organizations. Some
organizations require additional capabilities to meet their baseline
requirements.

2 Sensitive data
Some organizations have a subset of data that personally identifiable information, and some
needs to be protected both internally and categories of regulated data. Apply increased
externally from accidental oversharing and protection to targeted files within your Office
leakage. Examples include executive strategy 365 environment.
plans, product specifications, files with

3 Highly regulated or classified data

Some organizations may have a very small amount of data that is highly
classified, trade secret, or regulated data. Microsoft provides capabilities to
help organizations meet these requirements, including added protection for
identities and devices.

File protection capabilities Microsoft provides a range of capabilities to protect your data. This document describes capabilities for
protecting files so you can choose the best options to protect your organization s data.

Baseline protection Increased data protection Protection for highly regulated data

Bring Your Own Key (BYOK) with Azure Information

Default file encryption Classification, labeling, and protection
Protection and SharePoint Online

Permissions for SharePoint and OneDrive for Hold Your Own Key (HYOK) with Active Directory
Data Loss Prevention (DLP) in Office 365
Business libraries Rights Management Service and SharePoint Online

Office 365 service encryption with

External sharing policies
Customer Key (coming soon)

Device access policies for SharePoint Online and Windows 10 capabilities: Bitlocker and Windows
OneDrive for Business Information Protection (WIP)

Capabilities are additive

Identity and device capabilities Microsoft recommends protecting your identities and devices at similar levels that you protect your
data. These capabilities can be used together with file protection capabilities. For more information, see
Identity and Device Protection for Office 365.

Baseline protection Increased protection Protection for highly regulated data

Intune mobile application management Intune device management

Azure Active Directory multi-factor authentication

Azure Active Directory conditional access

Azure Active Directory Identity Protection

Microsoft Cloud App Security -or- Office 365 Advanced Security Management

Azure Active Directory Privileged Identity Management

See topics 2-4 for more information and resources.

July 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop [email protected].
 File Protection Solutions
Recommended architectures for protecting files in
Office 365

in Office 365
This topic is 2 of 4 in a series 1 2 3 4

Baseline protection This topic describes capabilities you can use to increase the baseline level of protection of files
in Office 365. Some of these capabilities apply broadly. Some of these capabilities can be
targeted to specific data sets.

Default file encryption

By default, all files stored in Office 365 are encrypted with the Protection of files in the datacenter
strongest encryption and detection technologies available. This Once the file reaches the Microsoft datacenter, the files are encrypted
protects files from attackers and people outside of your organization. through two components: BitLocker disk-level encryption and per-file
encryption. BitLocker encrypts all data on a disk. Per -file encryption goes
Protection of files in transit even further by including a unique encryption key for each file. Further, every
Every file in SharePoint and OneDrive is encrypted in transit (TLS 1.0, 1.1, and update to every file is encrypted using its own encryption key. Before they re
1.2) between the user s browser, PC, Mac, or mobile device and our stored, the keys to the encrypted files are themselves encrypted and stored in
datacenters. All connections are established using 2048-bit keys. a physically separate location.
This applies to protocols on any device used by clients, such as Skype for Every step of this encryption uses Advanced Encryption Standard (AES) with
Business Online, Outlook, and Outlook on the web. 256-bit keys and is Federal Information Processing Standard (FIPS) 140 -2
compliant. The encrypted content is distributed across several containers
throughout the datacenter, and each container has unique credentials.
More information:
For more information about encryption used by Microsoft cloud services and
Whitepaper download: File Security in Microsoft Office 365
datacenters, see the Data Encryption in OneDrive for Business and SharePoint
Microsoft Trust Center — Encryption Online.

Permissions for SharePoint and OneDrive for Business libraries

You can use permissions in SharePoint to provide or restrict user
access to the site or its contents.

Default SharePoint groups

Owners You can add individual users or
SharePoint sites come with several default groups full control Azure Active Directory groups
that you can use to manage permissions.
These are not related to Office 365 groups.
Members Azure Active Directory
edit group

Visitors
read

Create a custom group for finer-grain control

Custom groups in SharePoint Online let you choose finer-grain permission
levels. You can also determine who can view the membership of the group
and whether users can request to join the group.

Full Control Design Edit Contribute Read View Only

Contribute + Contribute + add, View, add, update, View and View, no
approve and edit and delete lists delete list items download download
customize (not just list items) and documents

More information:
Understanding permission levels in SharePoint
Understanding SharePoint groups

Office 365 Groups and Microsoft Teams

In addition to configuring the default permissions for a SharePoint site, you Microsoft Teams
can take advantage of Office 365 Groups or Microsoft Teams.
Microsoft Teams is the chat-centered workspace in Office 365. Currently
Office 365 private group Microsoft Teams are all private. When a new team is created, a new Office
365 Group is also created, including the group SharePoint site
Content in a private group can only be seen by the members of the group.
People who want to join a private group have to be approved by a group Chat data is encrypted in transit and encrypted at rest. Files are stored in a
owner. group SharePoint library and restricted to members of the team.
Groups cannot be seen or accessed by people outside of your organization Administrator settings for Microsoft Teams
unless those people have been specifically invited as guests.
For users—Microsoft Teams Quick Start
Learn about Office 365 Groups

Continued on next page

 External sharing policies
Be sure to configure external sharing policies to support your Some polices can be set for individual site collections. This can help
collaboration and file protection objectives. you protect sensitive files at a higher level than other files. However,
An external user is someone outside of your organization who is policies for individual site collections cannot be less restrictive than
invited to access your SharePoint Online sites and documents but what is set for the entire SharePoint Online environment.
does not have a license for your SharePoint Online or Microsoft Office Manage external sharing for your SharePoint Online environment
365 subscription. Share sites or documents with people outside your organization

External sharing policies apply to both

SharePoint Online and OneDrive for Office 365
Business.

You must be a SharePoint Online SharePoint Online OneDrive for

admin to configure sharing policies.
Business
You must be a Site Owner or have full
control permissions to share a site or
document with external users.

Type of sharing What external users can do Notifications

• Don t allow sharing outside your • Prevent external users from sharing files, Currently only available in OneDrive for Business.
organization folders, sites they don t own Notify owners when:
• Allow sharing to authenticated external users • Require external users to accept sharing • Users invite additional external users to
only (allow new or limit to existing) invitations with the same account the shared files
• Allow sharing to external users with an invitation was sent to • External users accept invitations to access
anonymous access link files
• Limit external sharing using domains (allow • An anonymous access link is created or
and deny list) changed
• Choose the default link type (anonymous,
company shareable, or restricted)

These policies can be set for individual site

collections.

Device access policies for SharePoint Online and OneDrive for Business
Conditional access and network location policies let you determine Azure Active Directory — The device based policies require two conditional
whether access to data is limited or blocked. access rules in Azure AD. These rules can be targeted to specific user groups,
otherwise they apply tenant-wide.
The device-based policies require Microsoft Intune (or another mobile device
management tool) and Azure Active Directory Premium P1. The network Microsoft Intune — Intune or another mobile device management tool is
location policy does not require additional licensing. required to enforce device compliance requirements. Devices must be
enrolled. Other mobile device management tools can only enforce these
Network location policy (in preview) — You can configure network location
conditional access rules for Windows 10 computers.
policies both in SharePoint admin center and in Azure Active Directory. Azure
Active Directory enforces this policy at sign in. Office 365 enforces this policy Settings apply tenant-wide unless conditional access policies in Azure Active
when resources are accessed. You can configure this in one or both places. Directory are targeted to specific users or groups. Coming soon is the ability
There is no dependency for configuring this in SharePoint admin center. to configure device access policies at the site level.
The chart below summarizes the capabilities and dependencies.

Dependencies for using device access policies in SharePoint admin center

Objective Only allow access from Prevent users from Block access on non- Prevent users from Block access on non-
specific IP address downloading files to non- domain joined devices downloading files to compliant devices
locations domain joined devices non-compliant devices
SharePoint
admin center

Azure Active
Directory

Microsoft Intune

More information
SharePoint Online admin center: Control access from unmanaged devices

For information about implementing conditional access, see page two in this
content: Identity and Device Protection for Office 365.

July 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop [email protected].
 File Protection Solutions Recommended architectures for protecting files in
Office 365

in Office 365
This topic is 3 of 4 in a series 1 2 3 4

Sensitive data protection

This topic describes capabilities you can use to protect sensitive files
in Office 365. Some of these capabilities apply broadly. Some of these
capabilities can be targeted to specific data sets.

Classification, labeling, and protection

Microsoft recommends you classify and label your data. Microsoft Today labels can be created in Office 365 and Azure Information
capabilities make it easy for your organization to classify and label Protection. These solutions complement each other to provide full
data in intuitive ways based on the source, context, and content of the protection through the data lifecycle, starting as data is born and
data. Classification can be fully automatic, user-driven, or both. Once stored and persisting as data travels. Start today, leverage both
data is classified and labeled, protection can be applied automatically capabilities. Over time these technologies will converge into a unified
on that basis. labeling and classification engine and you will be able to achieve even
more.

On-premises
Office 365 Other SaaS services Other cloud provider
datacenters

SharePoint Online and Exchange Highly regulated & File repositories &
OneDrive for Business Online trade secret files other applications

Office 365 labels

Azure Information Protection (AIP) labels

Protecting files in Office 365

You can use both types of labels for files in Office 365. These labels
can be used together for increased protection.

Start with Office 365 labels Add Azure Information Protection to make sure
Office 365
Use Office 365 labels for files and mail in Office your data remains protected and your polices are
365. honored as files travel outside of Office 365
• Users can manually apply labels. Azure Information Protection labels can be
• SharePoint libraries can automatically assign additionally applied to files that require protection
labels. that travels with the files and persists outside of
Office 365.
• DLP rules can automatically assign labels.
• Any type of file that require protection or policy
• DLP rules can take action based on labels, such compliance inside and outside of your org, such
as blocking mail or files from being shared as visual markings, encryption, and permissions.
externally.
• Files that are shared across SaaS applications.
• Files stored on-premises or with other cloud
providers.
Office 365 DLP rules can also be used to take action
based on these labels.

Continued on next page

More information

Office 365 labels Azure Information Protection labels

Recommended use cases Retention and Office DLP. Sensitivity protection and persistency across apps and
environments.

Applying labels Choose labels from the document panel in SharePoint Online Choose labels within Office client apps from the Azure
and OneDrive for Business. Information Protection client ribbon. The client works with
Office versions 2010, 2013, and 2016. Azure Information
For mail, apply labels directly from Outlook 2016, Outlook
Protection policies can be configured to automatically
2013, or Outlook Web Access.
suggest or assign labels based on the contents of the file.
Use Office 365 DLP rules to automatically find and label
files. Users can also classify files by using Windows File Explorer.
Select a file, multiple files, or a folder. Right-click, and select
Configure SharePoint Online libraries to automatically Classify and protect.
label documents.
Additionally, administrators can use PowerShell with the
client to efficiently label files in bulk on Windows computers
and file shares. Similar support for SharePoint is coming
soon.
Azure Information Protection user guide

Using File Explorer to classify and protect files

Using PowerShell with the Azure Information Protection client

Protect and encrypt files Use DLP rules to protect files based on labels. Apply visual markings (such as watermarks) based on these
labels.
Protection does not currently include encryption.
Use DLP rules in Office 365 to protect files based on labels.
Use Azure Rights Management templates in Azure to
automatically apply encryption based on labels. This
protection includes defining rights for files. You can encrypt
using the defualt service encryption key, your own key (Bring
Your Own Key), or your own key that you hold on premises
(Hold Your Own Key).

File type support Office 365 labels work with all file types that are allowed File types supported by the Azure Information Protection
by the service. client
Types of files that cannot be added to a list or library

Office 365 labels and data loss protection (DLP)

Office 365 labels are included with Office 365 E1, E3, and E5 plans for Labels work with Office 365 data loss prevention (DLP). You can
manual application by users. Automated labeling using data loss automate the application of labels and use DLP policies to protect
protection policies is a part of Office Advanced Data Governance and data based on labels.
requires the Office 365 E5 plan or the Advanced Compliance
Automated labeling with DLP works across Exchange Online,
standalone license.
SharePoint Online, and OneDrive for Business.
Labels are available in SharePoint Online, OneDrive for Business,
Outlook, Outlook Web Access, and Office 365 Groups.

Office 365 labels Automated DLP policies

• Labels are created in the Security and Compliance Center. • Start with a template and identify what type of content to
• Publish labels to specific audiences (users or groups). automatically detect and label, such as content with passport
• Choose which locations to publish labels to—Exchange, numbers or social security numbers.
SharePoint, OneDrive accounts, and Office 365 Groups. • Apply the policy to all content in Office 365 or define specific
• Users apply labels or you can automatically apply labels by using locations. Specific locations include Exchange, SharePoint, and
a query (KQL query language) or other condition. OneDrive accounts. You can choose specific SharePoint sites and
OneDrive accounts.
• Add labels to DLP policy conditions.
• Detect when content is shared and determine what action to
SharePoint Online integration includes: take. Actions include, block sharing, alert user that sharing is not
• Labels show up in the document panel where users can easily allowed, allow the user to override the policy, and alert on the
apply them. sharing.
• Use labels as a library column and group documents by More information:
classification label.
New Office 365 capabilities help you proactively manage security and
• Configure a library to automatically classify all documents with a compliance risk
specific label.

Continued on next page

Azure Information Protection classification and labeling
You can use Azure Information Protection with the Azure Information
Protection client for classification and labeling. This requires a license
Microsoft Azure
that includes Azure Information Protection.

Azure Information Protection

Default Azure Information Protection Policy
Labels are defined in an Azure Information Protection Policy. Microsoft Azure Information
recommends using the default policy and customizing this, if needed. Protection policy
Default
Here s how it works:
• Configured in Azure.
• Downloaded to the Azure Information Protection client.
• Includes five labels: Personal, Public, General, Confidential, and
Highly Confidential.
• Labels determine how the file is
classified and additional conditions or
protections that are applied.
• You can customize labels and sub-
labels and add new labels.
Decide what classification labels to apply
to your sensitive data and update the
labels to support your decision.

Azure Rights Management encryption

While Azure Information Protection works with Azure Rights If Azure Rights Management encryption is applied to files in Office
Management to apply protection, you do not need to encrypt your 365, the service cannot process the contents of these files. Co-
sensitive data to protect it in Office 365. We don t recommend you authoring, eDiscovery, search, Delve, and other collaborative features
encrypt Office 365 files using Azure Rights Management unless you do not work. Data loss prevention can take action based on labels, but
have a business requirement that justifies the tradeoffs. not on the contents of the files.

Deployment

1 Activate Azure Rights Management 2 Decide what classification label(s) to 3 Update the labels to support your
apply to your sensitive files decisions
If you have implemented IRM with
SharePoint, this service is already You can customize the default labels and add Reconfigure the default Azure Information
activated. new labels. Protection labels to make any changes you
Default Azure Information Protection policy need to support your classification
Activating Azure Rights Management
settings decisions.
How to configure a label to apply Rights
Management protection

4 Get ready to train users 5 Install the Information Protection client

Produce user guidance that explains You can script and automate the installation,
which label to apply and when. or users can install the client manually.

Azure Information Protection user guide The client side of Azure Information
Protection
Installing the Azure Information Protection
client

Using the solution

1 Install the Information Protection client 2 Use the client toolbar to apply labels 3 Upload files to the SharePoint library
If installation isn t automated, users can Be sure users know which IRM-protected
install the client manually. SharePoint library to use for your sensitive
A
files.
Download page for manual installation

Continued on next page

Office 365 service encryption with Customer Key
Coming soon. To help customers meet their compliance requirements, Customer Key is applied tenant-wide for all files in SharePoint Online
customers have the option to manage and control their own and OneDrive for Business.
encryption keys for Office 365. Encrypting at the service level offers an
added layer of protection for files in SharePoint Online and OneDrive
for Business.

Microsoft Azure Office 365

Azure Key Vault SharePoint Online

Your customer key

OneDrive for
Business

Deployment

1 Create your own key vault in Azure 2 Add your key to the key vault 3 Enable your key with Office 365
Create a hardened container (a vault) in Generate your own key and transfer it to the Authorize your Office 365 tenant to use the
Azure, to store and manage cryptographic keys Azure Key Vault or create it directly in the vault. encryption key for files in OneDrive and
and secrets in Azure. SharePoint Online.
Add a key or secret to the key vault
Get started with Azure Key Vault

Windows 10 capabilities for file protection

A couple of Windows 10 capabilities contribute to file protection for All content that is categorized as business content by WIP is
Office 365 files. These capabilities require fully managed devices. encrypted. Here s how this works:
• Content that is downloaded to the device from a business location
Bitlocker protects data when devices are lost or stolen is automatically categorized as business content and encrypted.
BitLocker Drive Encryption provides full disk encryption on Windows • All new content created using business-only apps (such as a line of
10 PCs. If the device is lost or stolen unauthorized users can t gain business app) is automatically categorized as business content and
access to files on the protected drives, including files synced from encrypted.
OneDrive for Business.
• New content created in dual purpose apps (apps used for both
Bitlocker overview personal and business use, such as Word) is categorized by the
user. Business content is encrypted when the content is saved to
Windows Information Protection (WIP) protects against data the device. Personal content is not encrypted.
leakage On Windows 10 devices that use BitLocker, WIP provides an additional
WIP separates work content from personal content and helps prevent layer of protection. While BitLocker encrypts all data at rest on the
accidental data leaks on enterprise-owned devices and personal device, WIP provides additional protection to your business content to
Windows 10 devices that employees bring to work. help prevent accidental leaks. This includes copying files to removable
media, such as a USB drive.
For example, WIP helps prevent a user from syncing or copying files in
OneDrive for Business or SharePoint Online to a personal OneDrive or You can use WIP in combination with Office 365 data governance
other personal cloud storage location. It also helps prevent a user capabilities and Azure Information Protection. WIP protects against
from copying and pasting business content inside files or business the most common accidental leaks while Office 365 and Azure
apps to a non-business location, such as a personal document or a Information Protection provide advanced protection capabilities. For
public website. example, you can use automated DLP rules to protect files that are e-
mailed outside of your organization.
As an administrator, you can determine which apps are approved and
have access to business content. You can also determine whether to
block users from copying and pasting content to non-business Protect your enterprise data using Windows Information Protection
locations or to just warn the user and audit the action. (WIP)

Windows 10 WIP protects business content on devices with file

level encryption that helps prevent accidental
data leaks to non-business documents,
unauthorized apps, and unapproved locations.

BitLocker Drive Encryption protects data when

devices are lost or stolen.

July 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].
 File Protection Solutions Recommended architectures for protecting files in
Office 365

in Office 365
This topic is 3 of 4 in a series 1 2 3 4

Highly regulated or classified data protection solutions

A few organizations require protection for a small subset of
data that is classified or highly regulated. Microsoft BYOK with SharePoint HYOK with SharePoint
provides advanced capabilities to help organizations meet
these requirements while taking advantage of cloud storage Complexity Complex Most complex
and other cloud-based information protection capabilities.
Azure Information
Encryption technology AD RMS on premises
These solutions allow you to protect targeted data sets at Protection service
much higher levels than other data in your organization.
Where protection is Azure Rights Management AD RMS rights policy
Choose one of these options: defined Templates (in Azure) template (on premises)
• Bring Your Own Key (BYOK) with Azure Information
Protection and SharePoint Online — all components are Where classification labels Azure Information Azure Information
cloud-based. Apply protection before or after uploading are defined Protection policy (in Azure) Protection policy (in Azure)
files to SharePoint Online.
• Hold Your Own Key (HYOK) with Active Directory Rights Requires user action Yes Yes
Management Service (on-prem product) and SharePoint
Online — this is a hybrid solution. Use HYOK and RMS Works with search, Delve,
to encrypt files on premises before uploading them to a eDiscovery, co-authoring, and
other collaborative features of No No
SharePoint site.
Office 365
Because of the complexity, implement the HYOK solution
only if the BYOK solution does not meet your requirements. Requires federated identity
No Yes
Both of these options can be used with an Office 365 integration (such as AD FS)
private group or Microsoft Teams to manage permissions
to these files and to limit who can see these libraries. Requires on-premises
No Yes
components

Configuring protection for BYOK and HYOK solutions

Protection is applied to a file by using the Azure
Information Protection client to select a label. See the
description for Azure Information Protection classification
and labeling earlier in this content.
For these scenarios consider creating a custom sub-label.
The protection that is applied is configured in different
places for BYOK and HYOK.

For both BYOK and HYOK solutions: For BYOK: For HYOK:
• Review the classification labels and • Modify one of the default Azure Rights • Create a custom AD RMS rights policy
make any changes you need. Management Templates or create a new template on-premises for your highly
template with the desired protection. classified or regulated data.

Cloud On premises

Azure Information Labels

Azure Information policy Azure Rights Management Templates AD RMS rights policy template
Protection policy
Default (apply classification) (apply protection and optionally target (control rights for users and groups)
Default
individual users and groups)

Confidential
Confidential
(Default template)

Highly Custom policy

Confidential template

Custom label Custom template

You can customize the default labels and add You can associate one of the default Azure For HYOK file protection solutions, create an
new labels to the default Azure Information Rights Management templates to a label. You AD RMS rights policy template for the on-
Policy. can also customize the two default Azure premises AD RMS cluster.
The default Azure Information Protection Rights Management templates.
Then, associate the AD RMS protection policy
policy You can create new Azure Rights Management with an Azure Information Protection
Create a new label for Azure Information templates and apply these to a label. classification label by copying the AD RMS
Protection Create, configure, and publish a custom template GUID and cluster licensing URL into
template your Azure Information Protection admin
How to configure a label to apply Rights
portal.
Management protection Configure usage rights for Azure Rights
Management AD RMS Policy Templates
Continued on next page See Configuring HYOK in this blog
Bring Your Own Key (BYOK) with Azure Information Protection and
SharePoint Online
This solution is all in the cloud.
Microsoft Azure
• You generate an encryption key based on
your requirements and store it in Azure Key
Vault. Azure Rights Management Azure Key Vault
• You customize or create a new Azure Rights
Management template with the protections Azure Rights Management template Your BYOK key
needed for your data. Authorize your key to be
used by Azure Rights
• You associate this policy template with a
Management
label in the Azure Information policy.
Azure Information Protection
• Users apply protection by using the Azure
Information Protection client toolbar to Azure Information Protection Policy
select a label. Default
Highly
• You can use a private Office 365 Group or a Confidential
Labels Associate a
Microsoft Teams team to manage label with the
permissions to these files, including who can Confidential template
see the library.
General

Public

Personal

When users open an Office application,

the Azure Information Protection client
checks for new and updated policies

Azure Information Protection client toolbar

Office 365

SharePoint Online

SharePoint Online
When users apply the label, the BYOK encryption key is used library
to encrypt the file. Labels can be applied before or after
adding the file to a SharePoint library. Labels can be modified.

Deployment

1 Create your own key vault in Azure 2 Add your key to the key vault 3 Activate Azure Rights Management
Create a hardened container (a vault) in Generate your own key and transfer it to the This service might already be activated for
Azure, to store an d manage cryptographic keys Azure Key Vault or create it directly in the your organization.
and secrets in Azure. vault.
Activating Azure Rights Management
Get started with Azure Key Vault Add a key or secret to the key vault

4 Configure the Azure Rights Management 5 Decide what classification labels) to 6 Update the labels to support your
service to use your encryption key apply to your sensitive files decisions
Authorize the Azure Rights Management You can customize the default labels and add Reconfigure the default Azure Information
service to use the key. new labels. Protection labels to make any changes you
Planning and implementing your Azure Default Azure Information Protection policy need to support your classification
Information Protection tenant key settings decisions.
How to configure a label to apply Rights
Management protection

7 Configure Azure Rights Management 8 Create a private Office 365 group or a 9 Install the Information Protection client
templates and associate these with labels Microsoft Teams team and add members and train users
Modify one of the default templates or create a You can script and automate the installation, You can script and automate the installation,
new template. Choose the protections to apply or users can install the client manually. or users can install the client manually.
to your sensitive data, in addition to encryption. The client side of Azure Information
Create an Office 365 Group in the admin center
Create, configure, and publish a custom template Protection
Turn on Microsoft Teams
Configure usage rights for Azure Rights Installing the Azure Information Protection
Management Microsoft Teams Help client

Continued on next page

 Using the solution

1 Install the Information Protection client 2 Use the client toolbar to apply labels 3 Upload files to the SharePoint library
If installation isn t automated, users can HYOK encryption is applied, including Be sure users know which SharePoint library
install the client manually. additional protections that are configured in to use for your highly confidential or
the RMS policy template. A
regulated data. Be sure the SharePoint
Download page for manual installation library is NOT IRM protected.

Hold Your Own Key (HYOK) with RMS and SharePoint Online
This solution brings together
components on premises and in the Microsoft Azure
cloud. On-premises network

• AD RMS uses RMS policy Azure Information Protection

templates to apply protection to
files. Azure Information Protection Policy
Default
• You define a custom RMS policy Highly
AD RMS custom
template for your highly confidential Labels
policy template
classified or regulated data.
Confidential
• You associate this policy
template with a label in the AD RMS cluster General
Azure Information policy.
Public
This solution requires federated identity integration with
Office 365 to make use of encryption using an on-premises Personal
encryption key. This solution does not work with
synchronized identities.

Deployment

1 Activate Azure Rights Management 2 Decide what classification label(s)s to 3 Update the labels to support your
Azure Information Protection services are
apply to your sensitive files decisions
always cloud hosted but they enable you to You can customize the default labels and add Reconfigure the default Azure Information
operate in a cloud-only, hybrid, or on- new labels. Protection labels to make any changes you
premises only deployment. Default Azure Information Protection policy need to support your classification
settings decisions.
Activating Azure Rights Management
How to configure a label to apply Rights
Management protection

4 Deploy an Active Directory RMS cluster 5 Create, configure, and deploy a custom 6 Associate the AD RMS policy template
on premises RMS policy template with an Azure Information Protection
Hold your own key (HYOK) requirements and This policy template is part of the on-
classification label
restrictions for AD RMS protection premises RMS deployment. Copy the AD RMS template GUID and
Active Directory Rights Management Services cluster licensing URL into our Azure
AD RMS Policy Templates
Overview Information Protection admin portal.
AD RMS Rights Policy Templates
Test Lab Guide: Deploying an AD RMS Cluster See Configuring HYOK in this blog: Azure
Deployment Step-by-Step Guide Information Protection with HYOK

7 Create a private Office 365 group or a 8 Get ready to train users 9 Install the Information Protection client
Microsoft Teams team and add members
Produce user guidance that explains You can script and automate the
You can script and automate the installation, which label to apply and when. installation, or users can install the client
or users can install the client manually. manually.
Create an Office 365 Group in the admin center The client side of Azure Information
Protection
Turn on Microsoft Teams
Installing the Azure Information Protection
Microsoft Teams Help client

Using the solution

1 Install the Information Protection client 2 Use the client toolbar to apply labels 3 Upload files to the SharePoint library
If installation isn t automated, users can HYOK encryption is applied, including Be sure users know which SharePoint library
install the client manually. additional protections that are configured in to use for your highly confidential or
the RMS policy template. A
regulated data. Be sure the SharePoint
Download page for manual installation library is NOT IRM protected.

July 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].