Protect SharePoint Online files with Azure Information Protection
Summary: Apply Azure Information Protection to protect files in a highly confidential SharePoint Online team site.
Use the steps in this article to configure Azure Information Protection to provide encryption and permissions for files. These files can be added to a SharePoint library configured for highly confidential protection. Or, you can open a file directly from the site and use the Azure Information Protection client to add encryption. The encryption and permissions protection travels with a file even when it is downloaded from the site.
These steps are part of a larger solution for configuring highly confidential protection for SharePoint sites and the files within these sites. For more information, see Secure SharePoint Online sites and files.
Using Azure Information Protection for files in SharePoint Online is not recommended for all customers, but is an option for customers who need this level of protection for a subset of files.
Some important notes about this solution:
When Azure Information Protection encryption is applied to files stored in Office 365, the service cannot process the contents of these files. Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work. Data Loss Prevention (DLP) policies can only work with the metadata (including Office 365 labels) but not the contents of these files (such as credit card numbers within files).
This solution requires a user to select a label that applies the protection from Azure Information Protection. If you require automatic encryption and the ability for SharePoint to index and inspect the files, consider using Information Rights Management (IRM) in SharePoint Online. When you configure a SharePoint library for IRM, files are automatically encrypted when they are downloaded for editing. SharePoint IRM includes limitations that might influence your decision. For more information, see Set up Information Rights Management (IRM) in SharePoint admin center.
First, use the instructions in Activate Azure RMS with the Microsoft 365 admin center for your Office 365 subscription.
Next, configure Azure Information Protection with a new scoped policy and sub-label for protection and permissions of your highly confidential SharePoint Online team site.
1. Sign in to the admin center with an account that has the Security Administrator or Company Administrator role. For help, see Where to sign in to Office 365.
2. In a separate tab of your browser, go to the Azure portal (https://portal.azure.com).
3. If this is the first time you are configuring Azure Information Protection, see these instructions.
4. In the list pane, click All services, type information, and then click Azure Information Protection.
5. Right-click the Highly Confidential label, and then click Add a sub-label.
6. Type a name for the sub-label in Name and a description of the sub-label in Description.
7. In Set permissions for documents and emails containing this label, click Protect.
8. In the Protection section, click Azure (cloud key).
9. On the Protection blade, under Protection settings, click Add permissions.
10. On the Add permissions blade, under Specify users and groups, click Browse directory.
11. On the AAD Users and Groups pane, select the site members access group for your highly sensitive SharePoint Online team site, and then click Select.
12. Under Choose permissions from the preset or set custom, click Custom, and then click the View Rights, Edit Content, Save, Reply, and Reply all check boxes.
13. Click OK twice.
14. On the Sub-label blade, click Save, and then click OK.
15. On the Azure Information Protection blade, click Policies > + Add a new policy.
16. Type a name for the new policy in Policy name and a description in Description.
17. Click Select which users or groups get this policy > User/Groups, and then select the site members access group for your highly sensitive SharePoint Online team site.
18. Click Select > OK.
19. Click Add or remove labels. In the Policy: Add or remove labels pane, click the name of your new sub-label, and then click OK.
20. Click Save, and then click OK.
You are now ready to begin creating documents and protecting them with Azure Information Protection and your new label.
You must install the Azure Information Protection client on your device or Windows-based computer. You can script and automate the installation, or users can install the client manually. See the following resources:
Once the client is installed, your users run it and then sign in from an Office application (such as Microsoft Word) with their Office 365 account. A new Information Protection bar allows users to select the new label. Make sure that your users know which SharePoint Online team site and which label to use to protect their highly confidential files.
If you have multiple highly sensitive SharePoint Online team sites, you should create multiple Azure Information Protection scoped policies with sub-labels with the above settings, with the permissions for each sub-label set to the site members access group of a specific SharePoint Online team site.
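As an added example that is not part of this article, the following PowerShell script audits a folder of files downloaded from the team site and reports any that do not carry the expected sub-label and Rights Management protection, since an unlabeled copy is readable by anyone who obtains it. It assumes the AzureInformationProtection PowerShell module installed by the Azure Information Protection client; the folder path and sub-label name are placeholders.

```powershell
# Added example (not from the article): check that downloaded files still carry the
# sub-label and RMS protection configured above.
# Assumes the AzureInformationProtection module from the AIP client is installed.
$DownloadFolder   = 'C:\Downloads\HighlyConfidentialSite'     # placeholder path
$ExpectedSubLabel = 'Highly Confidential - Project Team Site' # placeholder sub-label name

Import-Module AzureInformationProtection

function Test-AipProtection {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $SubLabelName
    )
    # Get-AIPFileStatus returns one object per file, including the IsLabeled,
    # SubLabelName, IsRMSProtected and RMSOwner properties used here.
    Get-ChildItem -Path $Folder -File -Recurse |
        ForEach-Object { Get-AIPFileStatus -Path $_.FullName } |
        ForEach-Object {
            $status = if (-not $_.IsLabeled) { 'UNLABELED' }
                      elseif ($_.SubLabelName -ne $SubLabelName) { 'WRONG_LABEL' }
                      elseif (-not $_.IsRMSProtected) { 'LABELED_NOT_ENCRYPTED' }
                      else { 'OK' }
            [pscustomobject]@{
                File      = $_.FileName
                Status    = $status
                SubLabel  = $_.SubLabelName
                Encrypted = $_.IsRMSProtected
                Owner     = $_.RMSOwner
            }
        }
}

$results = Test-AipProtection -Folder $DownloadFolder -SubLabelName $ExpectedSubLabel
$results | Format-Table -AutoSize

# Anything not 'OK' travels without the encryption and permissions described above;
# relabel it with Set-AIPFileLabel or remove it from the download location.
$results | Where-Object Status -ne 'OK'
```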
Adding permissions for external users
There are two ways you can grant external users access to files protected with Azure Information Protection. In both cases, external users must have an Azure AD account. If external users aren't members of an organization that uses Azure AD, they can obtain an Azure AD account as an individual by using this signup page: https://aka.ms/aip-signup.
- Add external users to an Azure AD group that is used to configure protection for a label. You'll need to first add the account as a B2B user in your directory. Because Azure Rights Management caches group membership, it can take a couple of hours before the new member's access takes effect.
- Add external users directly to the label protection. You can add all users from an organization (e.g. Fabrikam.com), an Azure AD group (such as a finance group within an organization), or user. For example, you can add an external team of regulators to the protection for a label.