After configuration and after a few minutes, the AzureIP tenant picks up the conditional access policies. In the following examples, I tried to sign in to AzureIP when (Figure 1) multi-factor authentication was required and (Figure 2) when my device was not trusted. Yes, as a public preview offering, you can now receive a warning about abnormal data access in Azure Information Protection. This alert is triggered when unusual attempts are made to access data protected by Azure Information Protection, for example accessing an unusually high volume of data at an unusual time of day, or accessing it from an unknown location.

The following is a list of some common scenarios that occur when conditional access policies are enabled for AIP-protected content. For example, suppose your tenant administrator has configured a conditional access policy so that all users need multi-factor authentication when accessing AIP-protected documents on the Windows platform, as shown below.

However, file policies apply to more than just the location, so consider other uses as well. For example, identify all the files that user X owns, or that are shared with user X or domain X: really any type of file filter supported by MCAS.
I am saying that we can do it in one way or another because it is a bit limited. For starters, there is a limit of 50 accounts for file policies, a limit of 100 labels per tenant per day, and you also have to manually select folders; you cannot have dynamic rules such as "Folder name contains X". For me, this feature has its place, but it still has a long way to go. As a general warning about MCAS-protected files, they cannot be opened in web apps when they are hosted in SharePoint Online and OneDrive for Business, as described here. Conditional access policies that include device state options must also exclude external users.

Figure 10: Logon risk level as a condition in a conditional access policy

Continuing the conditional access theme, you can use it to route traffic through the Microsoft Cloud App Security (MCAS) reverse proxy using session policies, among other things. For apps and users in scope, traffic is routed to the user via a subdomain of mcas.ms, giving the administrator (not just the app) the ability to control and monitor activity in web app sessions. Identity management is an important part of AIP, as users must have a valid username and password to access protected content. Azure Information Protection is available as a selectable cloud application in CA policies, which means you can apply grant controls under different conditions. In session policies, you can apply a predefined label (e.g. Confidential) or set custom permissions instead: viewer, reviewer, co-author, or co-owner.
If you follow the animation below, you can see that the file hosted in SharePoint Online does not carry a sensitivity label (check the empty Sensitivity column), but if you open it locally after downloading, it has a Confidential label. This means that revocation of access with the default settings is not immediate, as shown in the following screenshot. You can find much more information on this blog 🙂 here: cloudblogs.microsoft.com/enterprisemobility/2017/10/17/conditional-access-policies-for-azure-information-protection/

As shown below, the administrator can configure a conditional access policy so that users with a high-risk sign-in cannot access AIP-protected content. With conditional access policies, you can control not only whether and through which protocols a user can access a service, but also on which devices they do so and whether those devices comply with the policies defined in Intune.

When we work with information, we sometimes need to share it with internal or external people and organizations. Usually, it is difficult to enforce strict policies if it is not sensitive data. With document tracking, we can check who is accessing shared documents, when, and from where. It also allows you to set up notifications so we know when someone is accessing them.
If the document is being opened in places where it should not be, we can also revoke permissions. In this blog post, I'm going to show you how we can do that. The client continues to function as expected, but administrators cannot update policies in the portal, and no other fixes or changes are provided for the classic client. When a user accesses protected content, they receive a use license for it. It is possible to remove access to a protected file by revoking the use license, so that users can no longer see the protected content even if they still have the encrypted file.

Data is really the most important thing here. While the security of your network is still important, the trend is that data is increasingly stored in SaaS services (e.g. Office 365) and accessed on mobile devices from different locations, which means that simply securing the on-premises infrastructure is no longer enough. Because Azure Information Protection uses Azure Active Directory as its identity provider, it is also possible to control access to the service (in this case, Azure RMS) with conditional access. But let's say we want to add other protections. For example, we don't want AzureIP-protected content to be opened from an unsecured location or an unmanaged device. Or, more fundamentally, we want to verify the identity of our users using multi-factor authentication.
This is where conditional access comes into play: another piece of the puzzle. I first noticed this when I saw AzureIP protected by conditional access policies at Ignite last September. And in this part, you can manage how your users can access protected and labeled AzureIP content.

• When other users access the file (after successful Azure AD authentication), Azure RMS decrypts the file and applies the access policy to it.

Aside from multi-factor authentication, we can really use any of CA's grant controls, including allowing access only from managed devices, restricting access to known IP addresses, or denying access when there is an identity protection risk. One common use case for this is access from unmanaged devices. For example, suppose you want to allow users to download and edit corporate files on PCs that you don't control, but you still want to keep those files safe. When users upload files in Office or PDF format (up to 50 MB), a label can be applied using a session policy, and not just to Office 365 content: this can apply to other SaaS apps you've integrated with MCAS, including services like Google Workspace.
For files that you cannot protect (e.g. an unsupported format, an unsupported size, or an unsupported service), you can block these downloads completely. An unwanted side effect can also occur when using labels with encryption and external recipients. If the conditional access policy uses the All users condition, it applies to all access, including access by external recipients. As a result, sharing encrypted files with external parties is only possible if they are also present as guests in the tenant. This side effect can also occur when CA policies are configured with the All cloud apps option.

That's strange. I didn't notice it.
Have you tried a newer (or pre-release) version of this client? Or have you tried changing the conditional access settings?

The primary use of conditional access + Azure Information Protection is multi-factor authentication, the most common use case for conditional access in general. Importantly for multi-factor authentication, the user does not receive the MFA prompt if they have already met the authentication requirements for the Office application, including via Windows single sign-on. For the same reason, this does not apply to files in SharePoint Online/OneDrive for Business that are accessed through web apps when you browse to them after you have already authenticated. Microsoft Information Protection licensing with AIP P2 provides a native way to automatically protect content in ODfB and SPO with auto-labeling policies created in the Compliance Center, or on-premises with the AIP scanner. However, if you need to protect content in a third-party SaaS, look at MCAS.

Summary: Above is the ability to control access to files that have been classified and protected by Azure Information Protection (AIP), and then manage which devices, via Azure Active Directory or Microsoft Intune, can access them. If the devices are not managed, they will not have access to the data. The data is thus encrypted using AES (more information here) and rendered unusable without meeting the requirement.
When it comes to automatically labeling files by container, we can use the file policy options of MCAS. Although we cannot select an entire team or site, we can select folders for which file labels are applied automatically. Just like session policies, labels can be applied broadly, or you can use content inspection based on the data that is actually in the file. I'm going to ignore this for now and focus on protecting all the files in a folder. We can do this not only for SharePoint and OneDrive, but also for Dropbox and Box if they have been integrated into MCAS via app connectors.

I've noticed that I see relatively few connection logs in applications in multiple environments, and even with a policy that still requires MFA, I'm only asked for MFA once on a new client.