Administrator Guide: Track and revoke document access with Azure Information Protection (Public preview)

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8

Relevant for: AIP unified labeling client only. For the classic client, see Admin Guide: Configuring and using document tracking for AIP using the classic client.

If you've upgraded to version 2.9.111.0 or later, any protected documents that are not yet registered for tracking are automatically registered the next time they're opened via the AIP unified labeling client. Protected documents are supported for track and revoke, even if they are not labeled.

Registering a document for tracking enables Microsoft 365 global admins to track access details, including successful access events and denied attempts, as well as revoke access if needed.

Track and revoke features for the unified labeling client are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Track document access

Global admins can track access for protected documents via PowerShell using the ContentID generated for the protected document during registration.

To view document access details:

Use the following cmdlets to find details for the document you want to track:

  1. Find the ContentID value for the document you want to track.

    Use the Get-AipServiceDocumentLog cmdlet to search for a document by filename and/or by the email address of the user who applied protection.

    For example:

    Get-AipServiceDocumentLog -ContentName "test.docx" -Owner "alice@contoso.com" -FromTime "12/01/2020 00:00:00" -ToTime "12/31/2020 23:59:59"

    This command returns the ContentID for all matching, protected documents that are registered for tracking.

    Note

    Protected documents are registered for tracking when they are first opened on a machine with the unified labeling client installed. If this command does not return the ContentID for your protected file, open it on a machine with the unified labeling client installed to register the document for tracking.

  2. Use the Get-AipServiceTrackingLog cmdlet with your document's ContentID to return your tracking data.

    For example:

    Get-AipServiceTrackingLog -ContentId c03bf90c-6e40-4f3f-9ba0-2bcd77524b87

    Tracking data is returned, including emails of users who attempted access, whether access was granted or denied, the time and date of the attempt, and the domain and location where the access attempt originated.
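The two steps above chained into one report, as an added example that is not part of the Microsoft page. It assumes the AIPService module is installed and Connect-AipService has already been run as a global admin, and that the cmdlet output exposes the property names used below (ContentId and ContentName on Get-AipServiceDocumentLog; RequesterEmail, RequestTime, Successful and Location on Get-AipServiceTrackingLog). Those names are assumptions; confirm them in your tenant with Get-Member before relying on the filter at the end.

```powershell
# Added example, not from the Microsoft page. Requires: Connect-AipService already run.
# Property names on the cmdlet output objects are assumptions; verify with Get-Member.

function Get-AipDocumentAccessReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ContentName,
        [string]   $Owner,
        [datetime] $FromTime = (Get-Date).AddDays(-30),
        [datetime] $ToTime   = (Get-Date)
    )

    # Step 1: find the ContentId(s) for the document by name (and owner, if given).
    $logParams = @{ ContentName = $ContentName; FromTime = $FromTime; ToTime = $ToTime }
    if ($Owner) { $logParams['Owner'] = $Owner }
    $docs = @(Get-AipServiceDocumentLog @logParams)

    if ($docs.Count -eq 0) {
        # A protected file with no ContentId has not been registered yet; it is
        # registered the next time it is opened with the unified labeling client.
        Write-Warning "No registered document matched '$ContentName'. Open it with the unified labeling client to register it, then retry."
        return
    }

    # Step 2: pull the tracking log for every ContentId and flatten it into one object per access attempt.
    foreach ($doc in $docs) {
        $events = @(Get-AipServiceTrackingLog -ContentId $doc.ContentId)
        foreach ($e in $events) {
            [pscustomobject]@{
                ContentName = $doc.ContentName
                ContentId   = $doc.ContentId
                Requester   = $e.RequesterEmail   # assumed property name
                Time        = $e.RequestTime      # assumed property name
                Successful  = $e.Successful       # assumed property name
                Location    = $e.Location         # assumed property name
            }
        }
    }
}

# Usage with constructed values: denied attempts only, newest first.
Get-AipDocumentAccessReport -ContentName 'test.docx' -Owner 'alice@contoso.com' `
    -FromTime ([datetime]'2020-12-01') -ToTime ([datetime]'2020-12-31 23:59:59') |
    Where-Object { -not $_.Successful } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The function returns objects rather than printing, so the same output can be exported with Export-Csv or forwarded to a SIEM for alerting on repeated denied attempts against one document.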

Revoke document access from PowerShell

Global admins can revoke access for any protected document stored in their local content shares, using the Set-AipServiceDocumentRevoked cmdlet.

  1. Find the ContentID value for the document you want to revoke access for.

    Use the Get-AipServiceDocumentLog cmdlet to search for a document by filename and/or by the email address of the user who applied protection.

    For example:

    Get-AipServiceDocumentLog -ContentName "test.docx" -Owner "alice@contoso.com" -FromTime "12/01/2020 00:00:00" -ToTime "12/31/2020 23:59:59"

    The data returned includes the ContentID value for your document.

    Tip

    Only documents that have been protected and registered for tracking have a ContentID value.

    If your document has no ContentID, open it on a machine with the unified labeling client installed to register the file for tracking.

  2. Use the Set-AipServiceDocumentRevoked cmdlet with your document's ContentID to revoke access.

    For example:

    Set-AipServiceDocumentRevoked -ContentId 0e421e6d-ea17-4fdb-8f01-93a3e71333b8 -IssuerName testIssuer

Note

If offline access is allowed, users will continue to be able to access the documents that have been revoked until the offline policy period expires.

Tip

Users can also revoke access for any documents where they applied protection directly from the Sensitivity menu in their Office apps. For more information, see User Guide: Revoke document access with Azure Information Protection.

Un-revoke access

If you have accidentally revoked access to a specific document, use the same ContentID value with the Clear-AipServiceDocumentRevoke cmdlet to un-revoke the access.

For example:

Clear-AipServiceDocumentRevoke -ContentId 0e421e6d-ea17-4fdb-8f01-93a3e71333b8 -IssuerName testIssuer

Document access is granted to the user you defined in the IssuerName parameter.
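The revoke procedure above and the un-revoke step together, as an added example that is not part of the Microsoft page. It wraps Set-AipServiceDocumentRevoked and Clear-AipServiceDocumentRevoke in one function that refuses to act unless the name and owner lookup returns exactly one registered document, so a ContentId is never guessed, and it honours -WhatIf and -Confirm so the lookup can be dry-run first. It assumes Connect-AipService has already been run as a global admin and that Get-AipServiceDocumentLog output exposes ContentId and ContentName properties (an assumption; confirm with Get-Member). The IssuerName value testIssuer is the page's own placeholder.

```powershell
# Added example, not from the Microsoft page. Requires: Connect-AipService already run.
# Assumes Get-AipServiceDocumentLog output has ContentId and ContentName properties.

function Set-AipDocumentRevocation {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $ContentName,
        [Parameter(Mandatory)] [string] $Owner,
        [Parameter(Mandatory)] [string] $IssuerName,
        [datetime] $FromTime = (Get-Date).AddYears(-1),
        [datetime] $ToTime   = (Get-Date),
        [switch]   $Restore   # un-revoke (Clear-AipServiceDocumentRevoke) instead of revoke
    )

    # Step 1: look up the ContentId from name and owner, exactly as in the procedure above.
    $docs = @(Get-AipServiceDocumentLog -ContentName $ContentName -Owner $Owner -FromTime $FromTime -ToTime $ToTime)

    if ($docs.Count -eq 0) {
        throw "No registered document named '$ContentName' owned by $Owner. Open it with the unified labeling client to register it for tracking."
    }
    if ($docs.Count -gt 1) {
        # Several protected copies share this name; refuse to guess which one to revoke.
        $docs | Format-Table ContentId, ContentName | Out-String | Write-Warning
        throw "Ambiguous match ($($docs.Count) documents). Re-run with a narrower -FromTime/-ToTime window."
    }

    $contentId = $docs[0].ContentId
    $action    = if ($Restore) { 'Un-revoke access' } else { 'Revoke access' }

    # Step 2: -WhatIf / -Confirm are evaluated here, before anything changes in the service.
    if ($PSCmdlet.ShouldProcess("$ContentName ($contentId)", $action)) {
        if ($Restore) {
            Clear-AipServiceDocumentRevoke -ContentId $contentId -IssuerName $IssuerName
        } else {
            # Note from the page: users with offline access keep access until the offline policy period expires.
            Set-AipServiceDocumentRevoked -ContentId $contentId -IssuerName $IssuerName
        }
        # Return a record of what was done, for the change log.
        [pscustomobject]@{ ContentId = $contentId; Action = $action; IssuerName = $IssuerName; Time = Get-Date }
    }
}

# Usage with constructed values: dry run, then revoke, then restore if it was a mistake.
Set-AipDocumentRevocation -ContentName 'test.docx' -Owner 'alice@contoso.com' -IssuerName 'testIssuer' -WhatIf
Set-AipDocumentRevocation -ContentName 'test.docx' -Owner 'alice@contoso.com' -IssuerName 'testIssuer'
Set-AipDocumentRevocation -ContentName 'test.docx' -Owner 'alice@contoso.com' -IssuerName 'testIssuer' -Restore
```

Because ConfirmImpact is High, the function prompts before revoking unless -Confirm:$false is passed, which keeps an accidental revocation from happening in a pasted script; the returned object gives the ContentId to feed back into Clear-AipServiceDocumentRevoke if one does happen.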

Turn off track and revoke features for your tenant

If you need to turn off track and revoke features for your tenant, such as for privacy requirements in your organization or region, perform both of the following steps:

  1. Run the Disable-AipServiceDocumentTrackingFeature cmdlet.

  2. Set the EnableTrackAndRevoke advanced client setting to false.

Document tracking and options to revoke access are turned off for your tenant:

  • Opening protected documents with the AIP unified labeling client no longer registers the documents for track and revoke.
  • Access logs are not stored when protected documents that are already registered are opened. Access logs that were stored before turning off these features are still available.
  • Admins will not be able to track or revoke access via PowerShell, and end-users will no longer see the Revoke menu option in their Office apps.

Note

To turn track and revoke back on, set the EnableTrackAndRevoke advanced client setting to true, and also run the Enable-AipServiceDocumentTrackingFeature cmdlet.
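The two-layer switch described above (service feature flag plus client advanced setting), in both directions, as an added example that is not part of the Microsoft page. It assumes an AIPService session (Connect-AipService) and a Security & Compliance PowerShell session (Connect-IPPSSession) are already established, that the advanced setting is delivered through Set-LabelPolicy -AdvancedSettings, that the label policy is named Global (an assumption; use Get-LabelPolicy to find yours), and that Get-AipServiceDocumentTrackingFeature and the Settings property of Get-LabelPolicy can be used to read the state back for verification.

```powershell
# Added example, not from the Microsoft page.
# Requires: Connect-AipService and Connect-IPPSSession already run.
# Assumes a label policy named 'Global'; change -LabelPolicy to match your tenant.

function Set-AipTrackAndRevokeState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [bool] $Enabled,
        [string] $LabelPolicy = 'Global'
    )

    $verb = if ($Enabled) { 'enable' } else { 'disable' }
    if (-not $PSCmdlet.ShouldProcess("tenant service + label policy '$LabelPolicy'", "$verb track and revoke")) { return }

    # Layer 1: the service-side feature flag.
    if ($Enabled) { Enable-AipServiceDocumentTrackingFeature } else { Disable-AipServiceDocumentTrackingFeature }

    # Layer 2: the client advanced setting, pushed to the unified labeling client via the label policy.
    # "$Enabled" renders as the string "True" or "False", which is the form the setting expects.
    Set-LabelPolicy -Identity $LabelPolicy -AdvancedSettings @{ EnableTrackAndRevoke = "$Enabled" }

    # Read both layers back so the change can be verified and recorded; leaving
    # one layer on while the other is off is the misconfiguration to catch here.
    [pscustomobject]@{
        ServiceFeature = Get-AipServiceDocumentTrackingFeature
        ClientSetting  = (Get-LabelPolicy -Identity $LabelPolicy).Settings |
                             Where-Object { $_ -like '*EnableTrackAndRevoke*' }   # assumed property shape
    }
}

# Usage: turn the feature off for the tenant (privacy requirement), or back on with -Enabled $true.
Set-AipTrackAndRevokeState -Enabled $false
```

Changing only one of the two layers leaves the tenant in a mixed state: with the service flag off but the client setting still true, end users keep seeing the Revoke menu option that no longer does anything, which is why the function reads both values back at the end.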

Next steps

For more information, see: