With Azure Information Protection (AIP), you can secure your emails and documents that you exchange within or outside your organization.
Microsoft Azure is a public cloud computing platform developed to provide a set of cloud services to address your business challenges. It gives you the ability to build, manage, and deploy applications across a massive global network using your favorite tools and frameworks. Azure Information Protection (AIP) is one of the services offered by Microsoft Azure.
AIP protects the sensitive information of your company. It allows your organization to encrypt, classify, and protect your emails and documents at the time of creation or modification. With AIP, you can:
AIP provides an excellent end-user experience by allowing users to secure their information by simply applying the label. Organizations can also boost their security and Data Loss Prevention policies with a comprehensive and unified approach for the data protection.
For more information on AIP, see What is Azure Information Protection?.
As an admin, you can use the Azure portal to configure the Azure Information Protection sensitivity labels for your organization. You must also configure Workspace ONE Boxer using a key-value pair to enable the AIP feature.
Sign in to the Azure portal. For more information about the Azure portal, see Configuring the Azure Information Protection policy.
Enable the following options in the organization settings of your Office 365 account.
a. Azure Information Protection
b. Microsoft Information Protection API
Activate the Data Protection and the Unified labeling options in AIP.
Configure the labels in the Classification settings of AIP.
Add and enable the PolicySensitivityLabelsEmailClassification key in the Workspace ONE UEM console. To know how to configure this key, see Enable AIP Sensitivity Labels in Workspace ONE Boxer.
When you enable the PolicySensitivityLabelsEmailClassification key,
The following key-value pairs become inactive and cannot be enabled:
As an admin, you must provide consent to your tenant users to use the sensitivity labels. Otherwise, each user has to consent manually. Users cannot use the labels without the consent.
If your administrator has not provided you the consent to access the AIP sensitivity labels, you must consent manually.
To enable the sensitivity labels in Workspace ONE Boxer, tap the Enable option in the banner displayed on the inbox screen.
If you have multiple managed accounts and you are on All Accounts screen, you must select an account for which you want to enable the sensitivity labels. When you have a single managed account, you are directly redirected to the Microsoft page, where you have to consent manually.
Tap Accept on the Microsoft page and consent manually.
After receiving the consent, Boxer fetches all the labels from Azure. You can apply these labels to your emails and also receive emails with labels.
To update the older emails with sensitivity labels, you can resynchronize Boxer.
Even if you do not receive the consent, you can still access the emails, but you cannot apply any restrictions and classification to the email content.
You can apply a sensitivity label when you compose a new email, reply, or forward a received email. To apply a label on your email, you must tap the label icon. Upon tapping, you can see a list of all the labels configured in Azure.
When you apply a label to an email, you can see the following things in the email body:
A solid red line appears under the subject of the email.
Note: Sensitivity labels do not support delegated accounts.
When you receive an email with an applied sensitivity label, you can see the name of the applied label and a label icon marked in red. You can also see the header and footer text if the label has the settings for it. The header and footer text that appears in the email body is according to the label settings in Azure.
Based on the settings of the label, sender can restrict you to perform actions such as Reply, Reply all, or Forward on the received email.
When you tap the label name, you can view the additional label details such as name, permissions, and restrictions applied on the received email. If the sender gives you the permission, you can also change the label of the received email. Sometimes you are asked to provide a valid reason for changing the label. The policy setting in Azure controls such requests.
You cannot access sensitivity labels in the cases where:
Combination of IRM templates and Sensitivity labels
Combination of S/MIME and Sensitivity labels