featured engagements - meetupfiles.meetup.com/18381594/azure information protection.pdf ·...
TRANSCRIPT
Featured Engagements
Agenda
Other IPC
AIP Integration
End User Workflows
On Premises
AIP Service
Classification
Protection
• Azure RMS Connector
• B2B
• B2C
• AIP Bar
• Office Suite
• Sharing App
Key Management
• Azure Key Vault
Tracking & Monitoring
Azure Information Protection (AIP)
• Topics
Requirements
Overview
Licensing Plans
Service Discovery & AuthN
Azure IP Service
Client Software
Overview
• Key Drivers
  • Cyber attacks expose private company information to the public (i.e. Sony Pictures).
  • Compliance requirements.
  • Growth in cloud and mobile.
  • Data leaks (intentional/accidental).
• What about Existing Solutions?
  • Scalability and collaboration challenges (i.e. partners, consumers).
  • Identifying sensitive data can be/is difficult.
  • Some are complicated and hard to manage (i.e. S/MIME encryption).
  • Platform incompatibilities (i.e. mobile device email).
  • Policies can be very restrictive or limiting.
    • RMS: Do Not Forward permission does not work well externally.
    • You may be asked to resend email unencrypted.
Requirements
• Identity and Service Providers
• Clients and Applications
• Subscription and Licensing
Identity and Service Providers
• Azure Active Directory or Active Directory (AD)
  • Identity providers.
• Azure AD Connect
  • Synchronization service.
• Azure Information Protection
  • Classification service.
• Azure Rights Management
  • Protection service.
• Azure RMS Connector
  • Relay service.
Clients and Applications
• Client OS
  • Windows 10 (x86, x64).
  • Windows 8/8.1 (x86, x64).
  • Windows 7 Service Pack 1 (x86, x64).
  • Mac OS, iOS and Android.
• Applications
  • Office Professional Plus 2016.
  • Office Professional Plus 2013 with Service Pack 1.
  • Office Professional Plus 2010.
Licensing Plans
Licensing Plans (cont.)
Licensing Plans (cont.)
Azure Information Protection (AIP)
• What’s AIP?
  • New Azure multi-tenant cloud-hosted service.
  • Ability to classify and label documents.
  • Ability to track and revoke documents as needed.
• Service Request Url
  • https://api.informationprotection.azure.com/
• Milestones
  • General Availability (GA): October 4th, 2016.
  • Public Preview: July 12th, 2016.
  • Service Announcement: June 22nd, 2016.
  • Microsoft Acquisition of Secure Islands: November 9th, 2015.
Why AIP?
• Also see
  • https://support.office.com/en-us/article/Plan-for-Office-365-security-and-information-protection-capabilities-3d4ac4a1-3920-4ff9-918f-011f3ce60408?ui=en-US&rs=en-US&ad=US
AIP (cont.)
• Installation
  • Log on to Azure as Global Administrator.
  • Search for and click Azure Information Protection.
AIP (cont.)
• Installation (cont.)
  • Click Create.
AIP (cont.)
• Configuration
  • Configure and publish organization Policy.
  • Default policy may be all you need—if so, no additional configuration needed.
AIP Service Discovery
• Establish TCP/IP Session with Azure RMS service
  • TCP/IP 3-way handshake with *-a-rms.<region>.cloudapp.net on TCP port 443,
    where <region> is one of ncu, eus, etc.
• TLS Handshake: Client Hello service message request
  • Azure Rights Management discovery service at https://discovery.aadrm.com.
• TLS Handshake: Server Hello hostname message response
  • With value of id-at-commonName set to: ssl.<region>.aadrm.com,
    where <region> is one of na, eu, etc.
AIP Service Authentication
• Authenticate to Azure Information Protection service
  • Connect to company’s Azure tenant at https://<yourTenant>/_wmcs/licensing, where <yourTenant> is represented as
    <GUID>.api.informationprotection.azure.com (classification and labeling)
    or
    <GUID>.rms.<region>.aadrm.com (protection)
    and <region> is the region.
AIP Service Authentication (cont.)
• Prompt User for Authentication
  • TLS Handshake: Client Hello service message request
    • Azure login service at https://login.microsoftonline.com.
  • TLS Handshake: Server Hello hostname message response
    • With value of id-at-commonName set to stam2.login.microsoftonline.com.
• SSO Redirection to On Premise STS
  • TLS Handshake: Client Hello service message request
    • Company’s on premise STS at https://sts.company.com.
  • TLS Handshake: Server Hello hostname message response
    • With value of id-at-commonName set to: sts.company.com.
AIP Service Authentication (Workflow)
• Must authenticate to Azure IP service on company’s Azure tenant.
  • May be redirected to company federation server.
• Must obtain license/policy (Policy.msip).
• Must authenticate to Azure Rights Management service if protection is requested.
Client Software
• Software Installer
  • Download at https://www.microsoft.com/en-us/download/details.aspx?id=53018.
• Client
  • Install Azure Information Protection client v1.2.4.0.
Client Software
• Policy File
Classification
• Topics
Labels
Classification Methods
Tooltips
Rules & Conditions
Azure IP Client
Classification: Methods
Manual Classification
Performed by users at content creation/modification time.
Assumes user is more familiar with the content.
Automatic Classification
Enforced through rules and conditions defined by administrators.
Recommended Classification
Users are offered recommendations on how to best handle a type of content.
Classification: Methods (cont.)
• Manual Classification
  • User-driven task which involves:
    • Tagging documents and emails with visual markers/indicators.
    • Protection can later be added based on the classification label.
    • Classification information is persisted to document’s metadata.
      • Allows it to safely travel outside company premises.
• Automatic Classification
  • Makes bulk classification easier.
  • Targets large document repositories (e.g. FCI).
• Recommended Classification
  • Combination of manual and automatic.
  • Recommendations based on content detection rules and conditions.
Classification: Label
• Classification Type/Marker
  • Used to identify a type of document or email during classification.
  • Persisted in header, footer or watermark.
  • Can give a better meaning to the data being handled.
    • Confidential vs. High Business Impact (HBI).
Classification: Label
• Classification Type/Marker (cont.)
  • By default, user must provide justification when lowering classification of a file/document.
    • For example, from Confidential to General.
Classification: Label
• Classification Type/Marker (cont.)
  • Lowering classification label is audited.
    • Event ID 1000 is logged in the Application log on client’s machine.
  • Log Analytics can be used to centrally manage events.
    • OMS service capable of ingesting logs from a variety of formats.
OMS – Operations Management Suite
Classification: Label (cont.)
• Default Labels
Classification: Label (cont.)
• Custom Labels
Classification: Custom Label (cont.)
• Adding a custom label
  • Click Add a new label link (see Default Labels slide above).
  • Configure Rules and Conditions for applying label (see previous slide)
    • Name: Evaluation
    • Tooltip: This information can be used by members of the product evaluation team
    • Color: Yellow
    • RMS template: Azure RMS: Revalida - Confidential
    • Visual marking: Off, Off, Off
    • Condition: Product Evaluation
  • Click Save.
  • Publish label.
Classification: Custom Label (cont.)
• Adding a custom label (cont.)
Classification: Custom Label (cont.)
• AIP Policy Enforcement
  • Configure the Evaluation label as the default classification.
Classification: Sub-Label
• Sub-Labels
  • Right-click the Evaluation label to add a sub-label to it.
  • Click Add a sub-label.
  • Fill in the rules and conditions for the new sub-label.
Classification: Sub-Label (cont.)
• Sub-Labels (cont.)
  • Expand the Evaluation label to reveal sub-labels.
  • Collaboration sub-label now appears.
Classification: Tooltip
• Visual Indicator
  • Used to offer recommendations to users on how best to label a particular type of data (i.e. SSN, DL, CC, etc.).
Classification: Rules and Conditions
• One or more administrator-defined label settings
  • Used to identify a type of data.
  • Can be combined with tooltips to offer recommendations to users on how a type of data should be classified.
• How to configure a Condition?
  • Click Add new condition link, choose condition type, select matching criteria (see next slide).
  • Choose how label is applied.
  • Add tooltip and notes.
  • Click Save.
Classification: Rules and Conditions (cont.)
File and Document Protection
• Fundamentals
Service Architecture
Azure Rights Management
Service
Protection Methods
Rights Policy Templates
Permissions
Azure Rights Management service
• What is It?
  • Azure multi-tenant cloud-hosted service.
  • Ability to collaborate securely with partners and consumers.
  • Ability to enforce protection policies when appropriate.
• Provides comprehensive protection across users, devices, and applications.
  • Enterprise Mobility + Security (EMS) suite.
• Service Request Url
  • https://<guid>.rms.<region>.aadrm.com/ where
    • <guid> is a unique organization id.
    • <region> represents the region.
Azure RMS Service
• Configure Azure RMS
  • From the Azure Classic Portal, go to All Items.
  • Click Active Directory to list your identity tenants.
Azure RMS Service
• Configure Azure RMS
  • From the Active Directory tile, select the tenant you want to manage (i.e. Revalida in this case).
  • Click Rights Management.
Azure RMS Service
• Configure Azure RMS
  • From the Rights Management menu, click Activate to activate service.
Azure RMS Service
• Configure Azure RMS
  • Click Yes at the prompt.
Azure RMS Service
• Configure Azure RMS
  • The Rights Management service status switches from Inactive to Active.
Azure RMS Service
• Configure Azure RMS
  • Office 365 Admin Center also shows the service status as activated.
  • Also offers the option to Deactivate the service.
Protection: Service Architecture (cont.)
Protect any file type
Delight with Office docs, PDF, Text, and Images.
Important applications and services are enlightened
Delight with Office docs, PDF, Text, and Images.
CSOs and Services can ‘reason over data’
Delegated access to data with bring-your-own-key
Protect in place, and in flight
Data is protected all the time
Share with anyone
B2B sharing is most important with
B2C on the rise
Meet the varied organizational needs
Protection enforced in the cloud, or on-premises; with
data in both places.
Protection: Methods
• Manual Protection
  • User conscious choice which involves:
    • Applying RMS template to protect documents and emails.
    • User must decide when to apply protection to documents and emails.
      • Choice made easier through visual tooltips.
    • Protection information is persisted to document’s metadata.
      • Allows it to safely travel outside company premises while still protected.
• Automatic Protection
  • Administrators define rules and conditions
    • Targeting specific type of content (e.g. SSN, CC, DL, etc.).
  • Wired tasks automatically trigger protection
    • When a condition is met (i.e. RMS-encrypt document if found to contain SSNs).
Rights Policy Templates
• Default Templates (2)
  • Company – Confidential.
  • Company – Confidential View Only.
  • Can be archived, but not deleted.
  • Can be copied but not modified.
• Custom Templates
  • Allow for more granular control over use rights, expiration, and offline access.
• Departmental Templates
  • Custom template with specified scope.
Rights Management Applications
• Client Mode
  • Clients with the RMS Client installed.
  • Mobile devices with the RMS Sharing application installed.
• Server Mode
  • Workloads such as Exchange, SharePoint, File Classification Infrastructure (FCI).
Permissions
• Usage Rights and Restrictions
• Bulk Encrypt File/Folder
  • Super User.
• Decrypt File/Folder
  • Super User.
  • Owner or Extract rights.
Tracking and Monitoring
• Topics
Tracking Portal
Logging & Reporting
Tracking Portal
• Portal
  • Url: https://track.azurerms.com.
  • Purpose: Track and revoke documents you’ve shared with others.
Tracking Portal (cont.)
• Portal (cont.)
  • View your shared documents.
  • Export to CSV.
Tracking Portal (cont.)
• Portal (cont.)
  • Click Revoke access to revoke documents you’ve shared with others.
Logging and Reporting
• Event Logs
  • Tracks label changes in Application log.
• Usage Logs
  • Tracks and logs all key usage and key management operations.
  • Log data stored in Azure blob storage.
  • Can be managed using PowerShell
    • Use the Get-AadrmUserLog cmdlet to save log.
    • Use the Disable-AadrmUsageLogFeature cmdlet to disable logging.
    • Use the Enable-AadrmUsageLogFeature cmdlet to resume logging.
    • Use the Get-AadrmUsageLogFeature cmdlet to query the logging state of the service.
Logging and Reporting (cont.)
• Saving a Log Example
Logging and Reporting (cont.)
• Saving a Log Example (cont.)
  • View of the output file from the previous PowerShell command.
Logging and Reporting (cont.)
• Log Table
  • Row definitions
Key Management
• Topics
Azure Key Vault
Tenant Keys
Azure Key Management
• Azure Key Vault
  • Azure cloud-hosted cryptographic key management service.
  • Allows customers to safeguard with high degree of assurance the following:
    • Their most valuable key asset (e.g. ‘root key’).
    • Secrets (i.e. passwords).
    • Software-protected asymmetric keys.
    • Symmetric keys used in bulk encryption operations.
• Security Assurances
  • Asymmetric keys stored in tamperproof hardware security modules (HSMs).
  • Use of Thales nShield HSMs validated to FIPS 140-2 Level 2.
  • All crypto operations using HSM-protected keys occur inside HSM.
Azure Key Vault (cont.)
• How Does It Work
  • Key Vault
    • Responsible for performing the requested key operation on behalf of application.
    • Performs all crypto operations (w/ HSM-protected or software-protected keys).
  • Vault
    • Collection of cryptographic keys managed by one or more individuals in an organization.
  • Keys
    • Set of bits or cryptographic asset for securing service/role (e.g. Azure RMS, SQL Server TDE, etc.).
    • 2048 size, symmetric RSA key.
    • Can be HSM or software-protected.
NOTE #1: You can import or generate keys in hardware security modules (HSM).
NOTE #2: Must have Azure Key Vault Premium service to support HSM-protected keys.
Azure Key Vault (cont.)
• How Does It Work (cont.)
  • Secrets
    • Small data blobs, typically less than 25 bytes in size, which are protected by a key.
  • Usage Logs
    • Tracks and logs all key usage and key management activity.
    • Logs are stored in Azure storage blobs, but can be saved locally using PowerShell.
  • Application Support
    • Applications can make use of Azure Key Vault by making the appropriate Web Service calls.
    • Only Azure Active Directory registered applications can benefit.
Tenant Keys
• Microsoft Managed Keys
  • Microsoft safeguards and manages your tenant encryption keys.
• Bring Your Own Key (BYOK)
  • You own and control your tenant encryption keys.
• Hold Your Own Key (HYOK)
  • You own and control your tenant encryption keys.
  • Encryption keys stay local; they are never transferred to Azure.
  • Like AD RMS (refer to next few slides).
Tenant Keys (cont.)
• BYOK On Boarding
  • Create your tenant key in your on premise Thales HSM.
  • Securely transfer key to Microsoft-managed HSMs in the Azure Key Vault region of choice.
  • Authorize AIP service to use key
    • Use Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet.
  • Configure AIP to use the key as your organization’s tenant key
    • Use Use-AadrmKeyVaultKey PowerShell cmdlet.
  • Track and monitor key usage
    • With Azure Key Vault and/or Azure Information Protection logging.
AD-RMS
• Architecture
[Diagram: AD RMS architecture]
• Identity Store (Active Directory)
• Domain Controllers
• ADRMS01 (172.30.12.10), ADRMS02 (172.30.12.11), ADRMS03 (172.30.12.12)
• SQL Server Cluster
• Firewall Device: Internal Firewall, External Firewall
• Internal VIP – 172.30.12.1 adrms.contoso.com
• External VIP – Public IP
• External User, Internal User
AD-RMS (cont.)
• Management Console
Tenant Keys (cont.)
• Migrating from AD RMS
  • Export from AD RMS
    • Export Trusted Publishing Domains (TPDs) configuration to an .xml file.
    • Use Export-RmsTPD PowerShell cmdlet.
  • Import to Azure Information Protection
    • Use Import-AadrmTpd PowerShell cmdlet.
  • Microsoft-managed Key
    • If password key protection was used.
  • Bring Your Own Key (BYOK)
    • All other AD-RMS key options.
On Premise Integration
• Topics
Architecture
Azure RMS Connector
Installation & Configuration
Configure Servers to use
RMS Connector
Diagnostics
Azure RMS Connector
• Enables on premise hybrid solutions
  • With Azure Information Protection.
• How Does It Work
  1. Information Worker (IW) sends a request for license/policy to endpoint
    • IW needs information to publish/consume file or content.
    • IW is unaware of RMS Connector or Azure RMS service.
    • IW’s machine sends request to server running a particular workload (i.e. Exchange).
  2. Server running workload sends requests to RMS Connector
    • Must be authorized in Active Directory.
    • Must be configured to communicate with RMS Connector over HTTP/HTTPS.
Azure RMS Connector (cont.)
• Configure servers to use RMS Connector
  • Run the following PowerShell command from an elevated command prompt
    PS C:\> .\GenConnectorConfig.ps1 -ConnectorUri https://<rmsconnector_fqdn> -<flag>
    where <rmsconnector_fqdn> is the connector Url and <flag> is one of the following parameters:
    • SetExchange2010 or SetExchange2013
    • SetSharePoint2010 or SetSharePoint2013
    • SetFCI2012
• Authorize server workloads to access RMS Connector
  • Use the RMS Connector Administrator tool to add each workload instance by type.
  • Use either group or service account as the workload identity.
Azure RMS Connector (cont.)
• Server Configuration
  • For SharePoint 2016/2013
    • Determine your organization’s MicrosoftRMSUrl
      • Use Get-AadrmConfiguration PowerShell cmdlet.
    • Registry #1
      Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\LicensingRedirection
      Type: Reg_SZ
      Value: https://MicrosoftRMSURL/_wmcs/licensing
      Data: One of the following, depending on whether you are using HTTP or HTTPS from your SharePoint server to the RMS connector:
      • http://ConnectorFQDN/_wmcs/licensing
      • https://ConnectorFQDN/_wmcs/licensing
Azure RMS Connector (cont.)
• How Does It Work (cont.)
  • Server Configuration (SharePoint 2016 or 2013)
    • Registry #2
      Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification
      Type: Reg_SZ
      Value: Default
      Data: One of the following, depending on whether you are using HTTP or HTTPS from your SharePoint server to the RMS connector:
      • http://ConnectorFQDN/_wmcs/certification
      • https://ConnectorFQDN/_wmcs/certification
Azure RMS Connector (cont.)
• How Does It Work (cont.)
  • Server Configuration (SharePoint 2016 or 2013)
    • Registry #3
      Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterprisePublishing
      Type: Reg_SZ
      Value: Default
      Data: One of the following, depending on whether you are using HTTP or HTTPS from your SharePoint server to the RMS connector:
      • http://ConnectorFQDN/_wmcs/licensing
      • https://ConnectorFQDN/_wmcs/licensing
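Added example (not from the original deck or from Microsoft): a PowerShell audit of the three MSIPC ServiceLocation entries above on a SharePoint server, reporting missing keys, a host or path that does not match the connector, and connector URLs that still use plain HTTP. The function name is hypothetical, and the host rmsconnector.contoso.com is the sample URL used elsewhere in the slides.

```powershell
# Added example: audit the MSIPC ServiceLocation redirections for the RMS connector.
# Get-MsipcRedirectionAudit is a hypothetical name, not a Microsoft cmdlet.
function Get-MsipcRedirectionAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ConnectorFqdn,
        [string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation'
    )

    # Sub-key name -> URL path the slides list in the Data column.
    $expected = [ordered]@{
        LicensingRedirection    = '/_wmcs/licensing'
        EnterpriseCertification = '/_wmcs/certification'
        EnterprisePublishing    = '/_wmcs/licensing'
    }

    foreach ($name in $expected.Keys) {
        $keyPath = Join-Path -Path $BasePath -ChildPath $name
        if (-not (Test-Path -LiteralPath $keyPath)) {
            [pscustomobject]@{ Key = $name; ValueName = $null; Data = $null; Finding = 'Key missing' }
            continue
        }

        $key = Get-Item -LiteralPath $keyPath
        $valueNames = @($key.GetValueNames())   # '' is the (Default) value
        if ($valueNames.Count -eq 0) {
            [pscustomobject]@{ Key = $name; ValueName = $null; Data = $null; Finding = 'No redirection value set' }
            continue
        }

        foreach ($valueName in $valueNames) {
            $data    = [string]$key.GetValue($valueName)
            $uri     = $null
            $finding = 'OK'

            if (-not [uri]::TryCreate($data, [System.UriKind]::Absolute, [ref]$uri)) {
                $finding = 'Data is not an absolute URL'
            }
            elseif ($uri.Host -ne $ConnectorFqdn) {
                $finding = 'Host is not the RMS connector'
            }
            elseif ($uri.AbsolutePath.TrimEnd('/') -ne $expected[$name]) {
                $finding = "Path should be $($expected[$name])"
            }
            elseif ($uri.Scheme -ne 'https') {
                # HTTP works, but the slides recommend HTTPS to the connector.
                $finding = 'Plain HTTP: switch to HTTPS'
            }

            $shownName = if ($valueName) { $valueName } else { '(Default)' }
            [pscustomobject]@{
                Key       = $name
                ValueName = $shownName
                Data      = $data
                Finding   = $finding
            }
        }
    }
}

# Sample call; replace the host with your own connector FQDN.
Get-MsipcRedirectionAudit -ConnectorFqdn 'rmsconnector.contoso.com' | Format-Table -AutoSize
```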
Azure RMS Connector (cont.)
• How Does It Work (cont.)
  3. RMS Connector relays request to Azure Information Protection service
    • Must allow egress communication with service on TCP port 443.
  4. Azure Information Protection service sends response to RMS Connector.
    • Must allow ingress communication with connector on TCP port 443.
  5. RMS Connector relays response to endpoint.
  6. Endpoint sends response to Information Worker
    • IW is allowed/denied access to file or content based on policy response.
• On Premise Workloads
  • Exchange 2010, 2013 SP1.
  • SharePoint 2013.
  • Windows Server FCI (File Classification Infrastructure).
Azure RMS Connector (cont.)
• Architecture (stack)
[Diagram: RMS connector architecture stack]
• TCP 443 to *.aadrm.com (Rights Management)
• TCP 443 to *.cloudapp.net (rmsoprod*-b-rms*.cloudapp.net) (Rights Management)
• TCP 443 to api.informationprotection.azure.com (Azure IP)
• RMS Relay Tier (Url): RMSCon #1, RMSCon #2, RMS Connector clients
• Identity Tier (Active Directory, DNS): User identities, Service identities
• Information Tier (Url): Exchange IRM, SharePoint IRM, FCI IRM
Azure RMS Connector (cont.)
• Architecture (publisher/consumer)
  • With AIP client software installed.
  • Can classify (and optionally) protect/consume information.
Azure RMS Connector (cont.)
• Architecture (relay service)
  • Works with HTTP, but HTTPS is recommended.
  • Load-balanced cluster (min. of 2 nodes recommended).
Azure RMS Connector Installation
• Requirements
  • Installer
    • Download at https://www.microsoft.com/en-us/download/details.aspx?id=40839.
  • Azure Identity and Access (one of three options)
    • Office 365 Global Administrator.
    • RMS Tenant Global Administrator.
    • Azure RMS Connector Administrator.
  • Active Directory Identity and Access
    • RMS connector servers must be domain joined.
    • Authorized servers need service account or be members of domain group.
Azure RMS Connector (cont.)
• Installer Details
  • There are 3 files to download
    • RMSConnectorSetup.exe
      Connector setup tool.
    • RMSConnectorAdminToolSetup_x86.exe
      Used to install RMS connector Admin console on 32-bit clients.
    • GenConnectorConfig.ps1
      PowerShell script used to configure authorized servers to use the RMS connector.
      • Run either locally on the authorized server or using a Group Policy.
Azure RMS Connector (cont.)
• Configuration
  • Firewall Filters (allow incoming and outgoing traffic)
    • To *.aip.informationprotection.azure.com on TCP port 443.
    • To *.cloudapp.net on TCP port 443.
    • To *.aadrm.com on TCP port 443.
  • Configuring Servers to use RMS Connector (see next slide).
  • Enabling IRM on Server Workloads
    • Exchange 2010
      • Client access servers and hub transport servers.
    • Exchange 2013
      • Client access servers and mailbox servers.
    • SharePoint 2013
      • SharePoint frontend servers.
      • SharePoint Central Administration server.
    • File Classification Infrastructure (FCI)
      • Servers with the File Server Resource Manager (FSRM) role installed.
Azure RMS Connector (cont.)
• RMS Connector Administrator Tool
  • Click Add to authorize server workload instance.
Azure RMS Connector (cont.)
• RMS Connector Administrator Tool
  • Enter either a group or service account for each workload instance.
RMS Connector Troubleshooting
• Tools
  • Event Viewer, Log Analytics.
  • IIS Logs.
  • RMS Analyzer Tool.
    • https://www.microsoft.com/en-us/download/details.aspx?id=46437.
  • MSIPC Client Side Tracing
    • DebugView
      • http://go.microsoft.com/fwlink/?LinkID=309277.
• Errors
  • Access/Policy errors.
  • Permission errors.
  • Configuration errors.
Diagnostics
Tools
• RMS Analyzer
Diagnostics
Access Errors
• Example # 1
• Resolution
  • Make sure the user account is synchronized to Azure.
  • Make sure user has been assigned an RMS license.
Diagnostics
Configuration Errors
• Example # 1
• Resolution
  • Make sure firewall is configured to allow incoming and outgoing traffic to *.aadrm.com and *.cloudapp.net.
Diagnostics
Permissions Errors
• Example # 1
  • Microsoft Word
• Resolution
  • Make sure user email has been granted the appropriate user right permission to document.
Diagnostics
RMS Connector Troubleshooting (cont.)
• Logging
  • Connector logs written to Windows Application Event Log
    • Filter: Source = Microsoft RMS Connector.
    • Events Types: Informational|Warning|Errors
      • Event ID: 1004|The list of authorized accounts has been updated.
      • Event ID: 1002|Access to the Microsoft RMS connector has been allowed for an authorized server.
      • Event ID: 2001|Access to the Microsoft RMS connector not authorized server.
      • Event ID: 3000|Microsoft RMS connector general error.
• Debug Tracing
  • Modify web.config file for the default IIS site so that it reads as follows:
    • <trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>
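Added example (not from the original deck or from Microsoft): a PowerShell summary of the connector events listed above, run on an RMS connector server, which counts each event ID over a time window and marks 2001 and 3000 for review. The source name and event IDs come from the slide; the function name and the one-line meanings are this example's own paraphrase.

```powershell
# Added example: summarize RMS connector events from the Application log.
# Get-RmsConnectorEventSummary is a hypothetical name, not a Microsoft cmdlet.
function Get-RmsConnectorEventSummary {
    [CmdletBinding()]
    param(
        [ValidateRange(1, 8760)]
        [int]$Hours = 24
    )

    # Paraphrased meanings of the event IDs shown on the slide.
    $meaning = @{
        1002 = 'Access allowed for an authorized server'
        1004 = 'List of authorized accounts updated'
        2001 = 'Access refused: server is not authorized'
        3000 = 'General connector error'
    }

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft RMS Connector'
        Id           = 1002, 1004, 2001, 3000
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events | Group-Object -Property Id | ForEach-Object {
        $ordered = @($_.Group | Sort-Object -Property TimeCreated)
        $id = [int]$_.Name
        [pscustomobject]@{
            EventId     = $id
            Meaning     = $meaning[$id]
            Count       = $_.Count
            FirstSeen   = $ordered[0].TimeCreated
            LastSeen    = $ordered[-1].TimeCreated
            # Unauthorized callers and connector errors deserve a closer look.
            NeedsReview = ($id -in 2001, 3000)
        }
    } | Sort-Object -Property NeedsReview, Count -Descending
}

# Sample call: last three days, review-worthy events first.
Get-RmsConnectorEventSummary -Hours 72 | Format-Table -AutoSize
```

A steady stream of 2001 events usually means a workload server was pointed at the connector before its account or group was added in the RMS Connector Administrator tool.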
Diagnostics
Enable IRM on Servers
• Enable SharePoint IRM
  • Select Use this RMS server.
  • Enter the RMS Connector Url.
    • i.e. https://rmsconnector.contoso.com/
  • Click Ok.
Administration Tools
• Azure AD Classic Portal
• Office 365 Admin Center
• PowerShell module for Azure AD Rights Management (AADRM)
• PowerShell module for RMS Protection
End User Workflows
• Topics
Office Integration
Secure Collaboration
Inside & Outside
Office
• Information Protection Bar
  • Classification labels and RMS Templates enabled by default.
Office (cont.)
• Information Protection Bar (cont.)
  • Ability to Hide/Show Bar.
  • Ability to Track usage.
RMS Sharing App: Windows 10 Mobile
RMS Sharing App: Windows 10 Mobile (cont.)
• RMS Templates
  • Choose a template.
RMS Sharing App: Windows 10 Mobile (cont.)
RMS Sharing App: Windows 10 Mobile (cont.)
RMS Sharing App: Windows 10 Mobile (cont.)
• Clicking on http://aka.ms/RMS takes you to the RMS portal.
RMS Sharing App: Windows 10 Mobile (cont.)
• Sign Up page
RMS Sharing App: Windows 10 Mobile (cont.)
• Sign Up page
RMS Sharing App: Windows 10 Mobile (cont.)
• Sign In page
RMS Sharing App: Windows 10 Mobile (cont.)
• Sign In page (cont.)
RMS Sharing App: Windows 10 Mobile (cont.)
• You get to download and install Sharing App
RMS Sharing App: Windows 10
• Windows Explorer
  • Right-click file.
  • Click Protect with RMS. Choose to
    • Protect in-place.
    • Share Protected.
    • Track Usage.
Other IPC (Information Protection and Control)
• Works well w/
  • Office 365 DLP for Exchange Online, Outlook and Outlook on the web.
  • Office 365 DLP for SharePoint Online and OneDrive for Business.
  • Microsoft Cloud App Security (CAS)
    • Enterprise-grade security for cloud apps.
    • Part of Microsoft Cloud Security Stack.
  • Azure Rights Management
    • Azure RMS templates.
    • Active Directory RMS templates.
Other IPC (Information Protection and Control)
• In Testing
  • Office 365 B2C
    • Allows sending protected emails and attachments to consumers.
    • Uses social identity providers (i.e. Google, Yahoo, etc.) or one-time passwords.
  • Azure Active Directory B2B
    • Has been successfully tested, but not yet GA.
• Not Supported
  • Azure Active Directory B2C.