{"id":10852,"date":"2018-09-18T10:56:37","date_gmt":"2018-09-18T17:56:37","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=10852"},"modified":"2023-06-15T15:02:13","modified_gmt":"2023-06-15T22:02:13","slug":"protecting-files-in-the-cloud-with-azure-information-protection","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/","title":{"rendered":"Protecting files in the cloud with Azure Information Protection"},"content":{"rendered":"<div class=\"m-alert f-error\" role=\"alert\">\n<div>\n<div class=\"c-glyph glyph-incident-triangle\" aria-label=\"Error message\"><\/div>\n<p class=\"c-paragraph\">This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.<\/p>\n<\/div>\n<\/div>\n<p>Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.<\/p>\n<p>We\u2019re a cloud-first organization, so most applications at Microsoft are in the cloud, including SharePoint, email and productivity applications, and personal file storage. To better protect data where it resides, Microsoft Digital has migrated from Active Directory Rights Management Services (AD RMS) to Azure Information Protection (AIP)\u2014which includes the protection capabilities formerly known as Azure RMS.<\/p>\n<p>Azure Information Protection, part of the\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/www.microsoft.com\/en-us\/cloud-platform\/enterprise-mobility-security\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Enterprise Mobility + Security\">Enterprise Mobility + Security<\/a>\u00a0suite, is a cloud-based service that helps you discover, classify, label, and protect sensitive data both in the cloud and on-premises. Azure Information Protection uses encryption, identity, and authorization policies to help secure files and email across multiple devices, including phones, tablets, and PCs.<\/p>\n<p>Azure Information Protection enables protected sharing in Microsoft Office and on a variety of platforms including Windows, Mac\u00a0OS, iOS, Android. It supports mobility for employees who take advantage of our bring-your-own-device (BYOD) policy. Azure Information Protection helps protect data both inside and outside the organization because sensitivity labels and protection stay with the data\u2014even when it leaves the corporate network boundaries.<\/p>\n<p>Some of the benefits that we have realized include:<\/p>\n<ul class=\"c-list\">\n<li>Increased scalability. It runs as a cloud service, with the elasticity to scale up and out. We don\u2019t have to provision or deploy more on-premises servers.<\/li>\n<li>Improved manageability. It is easier to manage as a cloud service. It offers auditing and monitoring capabilities, allows us to create simple and flexible policy templates, and it supports on-premises and cloud services plus a broad range of applications.<\/li>\n<li>Cost effectiveness. We migrated with no hardware investment, and we don\u2019t have to worry about maintaining servers or updating software.<\/li>\n<li>End-user experience. We gained the ability to better guide information workers on how to handle and protect sensitive data through recommended labeling and protection.<\/li>\n<\/ul>\n<p>Migrating from AD RMS to Azure Information Protection paves the way for protecting sensitive data using additional capabilities.<\/p>\n<h2>Planning the move to the cloud<\/h2>\n<p>We have used AD RMS since its release in 2002. Many of our business apps depended on AD RMS encryption and information protection, and everyone with a Microsoft email address could use AD RMS templates for email protection. We used it to:<\/p>\n<ul class=\"c-list\">\n<li>Protect Microsoft Office documents from accidental disclosure and negligent sharing.<\/li>\n<li>Limit access to individuals or certain groups.<\/li>\n<li>Allow read-only or editing permissions.<\/li>\n<li>Allow only specific users to print or copy the content in sensitive documents.<\/li>\n<\/ul>\n<p>When we started planning the move to Azure Information Protection, we needed to make sure that we offered a smooth transition with no downtime. We developed a strategy that would migrate users, templates, and applications in phases. Upon completion, we could then begin to use other capabilities in Azure Information Protection, including labeling and classification.<\/p>\n<h2>How Azure Information Protection protects data<\/h2>\n<p>Azure Information Protection makes the data in a document unreadable to anyone other than authorized users and services. It uses unique keys and certificates to manage encryption and decryption, and to authorize and enforce restrictions. Data is encrypted at the application level, which includes a policy that defines authorized use for a document. When a protected document is used by a legitimate user or it is processed by an authorized service, the data in the document is decrypted and the rights that are defined in the policy are enforced.<\/p>\n<p>For more information about Azure Information Protection and how it works, go\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/what-is-information-protection\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about here\">here<\/a>.<\/p>\n<h2>Configuring Azure Information Protection<\/h2>\n<p>At Microsoft, we have an Active Directory infrastructure with multiple forests and domains, and most of our client devices run RMS-enabled versions of Office 2013, Office 2016, or Office 365 Pro Plus. Azure Information Protection receives authentication and authorization information from Active Directory Federation Services (AD FS), Active\u00a0Directory\u00a0Domain\u00a0Services, and Azure Active Directory (Azure AD).<\/p>\n<p>We were able migrate to Azure Information Protection with no domain-level restructuring, architecture changes, or changes to existing services. Having multiple versions of Office did not affect our plans to migrate to Azure Information Protection, because the versions we run are compatible with both AD RMS and Azure Information Protection.<\/p>\n<p>NOTE: If you need to send protected emails or documents to external users, learn more\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/ome\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about here\">here<\/a>.<\/p>\n<p>To configure the service at Microsoft, we had to migrate templates, install the Microsoft RMS Connector, migrate applications, and then migrate users and partners.<\/p>\n<h3>Migrating templates<\/h3>\n<p>We have several custom rights policy templates that we use to:<\/p>\n<ul class=\"c-list\">\n<li>Grant rights to a subset of users.<\/li>\n<li>Define a subset of users who can see and select a template (departmental template) from applications, rather than allow all users in the organization to see and select the template.<\/li>\n<li>Define custom rights for a template, such as View and Edit, but not Copy and Print.<\/li>\n<li>Configure more options in a template, including an expiration date and whether the content can be accessed without an Internet connection.<\/li>\n<\/ul>\n<p>All our current templates within our configuration were migrated from AD RMS. We exported the templates from AD RMS to an XML file, and then uploaded that file to Azure Information Protection using a PowerShell cmdlet.<\/p>\n<h4>Creating and managing templates<\/h4>\n<p>An Azure global administrator can create and manage templates in the Azure classic portal. To minimize risk, we have only one Azure global administrator for the service. In addition to creating and managing templates from the Azure portal, we have a small group of administrators who can also create and manage templates using PowerShell.<\/p>\n<p>For more information about managing and creating templates, read\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/en-us\/information-protection\/deploy-use\/configure-policy-templates\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Configuring and managing templates in the Azure Information Protection policy\">Configuring and managing templates in the Azure Information Protection policy<\/a>.<\/p>\n<h3>Installing the RMS connector<\/h3>\n<p>Microsoft RMS Connector is a small-footprint service that acts as a relay, allowing on-premises services to connect and consume Azure Information Protection. For fault tolerance and high availability, we\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/en-us\/information-protection\/deploy-use\/deploy-rms-connector\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about installed the RMS connector\">installed the RMS connector<\/a>\u00a0on six virtual machines\u2014the minimum requirement for the service is two.<\/p>\n<p>Even though most people connect to online services, we use the RMS connector to support Microsoft Exchange and Microsoft SharePoint deployments that stay on-premises. For example, some employee mailboxes use Exchange Online and some use Exchange Server.<\/p>\n<p>With the RMS connector installed, information protection now works seamlessly between our on-premises and cloud deployment configurations, as shown in Figure 1.<\/p>\n<figure id=\"attachment_10855\" aria-describedby=\"caption-attachment-10855\" style=\"width: 623px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10855 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/5656_image001.png\" alt=\"Illustration that shows how, when the RMS connector installed, information protection works seamlessly between our on-premises and cloud deployment configurations.\" width=\"623\" height=\"380\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/5656_image001.png 623w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/5656_image001-300x183.png 300w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><figcaption id=\"caption-attachment-10855\" class=\"wp-caption-text\">Figure 1. RMS connector service architecture<\/figcaption><\/figure>\n<p>The Azure Information Protection global administrator authorized servers to use the RMS connector. We configured load balancing and high availability using Network Load Balancing on the Azure RMS virtual machine cluster.<\/p>\n<h3>Migrating applications<\/h3>\n<p>One of the more challenging tasks that we faced during this migration was making sure all the existing apps that had dependency on AD RMS pointed to Azure Information Protection. Using Group Policy, we ran a\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=40839\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Microsoft Rights Management connector\">Microsoft Rights Management connector<\/a>\u00a0script, which we customized for our environment, on application servers. The script modified the registry to change the pointer to Azure Information Protection.<\/p>\n<p>To track progress during the migration, we ran a different PowerShell script twice a month to parse IIS logs and check service and user accounts that were still using the AD RMS cluster. Once we identified which service accounts were still connecting for certificates and were accessing the licensing server, we worked with those app owners to make the changes that were necessary before the AD RMS service was shut down.<\/p>\n<p>We created an internal website to communicate with app owners, which included a migration schedule, frequently asked questions about the service, and how to point their servers to Azure Information Protection. It helped reduce overall ambiguity about the migration and helped app owners understand what they needed to do.<\/p>\n<h3>Migrating users<\/h3>\n<p>We gradually added members from different domains until all client machines were moved. For domain-joined devices, we used Group Policy in the form of a user sign-in script. We added groups and people to the Azure Information Protection service and then pushed out a script to change configurations and update the pointers on client devices.<\/p>\n<p>User migration went smoothly because we worked in phases and started with smaller pilot groups. The overall client deployment was partially managed by asking clients to install (at minimum) Windows 10 Anniversary Update, which would also install the Group Policy client script. Because the templates and applications were already moved, the environment looked the same to users. For non-domain-joined devices managed by Microsoft Intune, running Windows\u00a010 Anniversary Update or later, we deployed a package that included a migration script through Intune.<\/p>\n<h4>Migrating partners<\/h4>\n<p>Microsoft shares protected information with partners, so we migrated partners to Azure Information Protection for protected sharing. Before migrating any partner companies, we needed all of them to create a Microsoft Online Services tenant and move their organization keys to the cloud.<\/p>\n<p>Each of the partner companies that we share protected information with introduced configuration settings in their environment to redirect client applications to the right content protection infrastructure (on-premises or cloud) depending on the stage of the migration they were in. Partner migration involved the same steps, so our work consisted primarily of coordinating timing for the steps with the partner.<\/p>\n<h2>Migrating to Azure Key Vault<\/h2>\n<p>Azure Information Protection uses cryptographic controls, also called keys, to make sure that the security protection it offers is industry-standard. For each document or email that is protected by Azure Information Protection, Azure\u00a0Information Protection creates a single Advanced Encryption Standard (AES) key, and that key is embedded in the document. The unique AES key, the organization\u2019s tenant key, and the file\u2019s policies are managed by Azure Information Protection.<\/p>\n<p>Azure Key Vault offers a centralized key management solution for many cloud-based and on-premises services that use encryption. Some of the\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/en-us\/information-protection\/plan-design\/byok-price-restrictions#benefits-of-using-azure-key-vault\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about benefits of using Azure Key Vault\">benefits of using Azure Key Vault<\/a>\u00a0for the Azure Information Protection tenant key include:<\/p>\n<ul class=\"c-list\">\n<li>Azure Key Vault supports several built-in interfaces for key management, including PowerShell, CLI, REST APIs, and the Azure portal.<\/li>\n<li>Azure Key Vault separates roles as a recognized security best practice.<\/li>\n<li>Azure Key Vault offers a high level of control for where the master key is stored because the service is available in many Azure regions.<\/li>\n<\/ul>\n<p>In the first phases of the migration, due to the limitations of integrating Exchange Online and Bring your own Key (BYOK), we chose to migrate our keys into the Key Management Service that was part of Azure Information Protection without using BYOK. Once the restrictions in Exchange Online for BYOK were lifted, as part of an upgrade to that platform, we migrated the keys to Azure Key Vault.<\/p>\n<h2>Auditing and reporting<\/h2>\n<p>Although the RMS connector logs information, warning, and error messages to the event log, there isn\u2019t a management pack that monitors for these events. We use System Center Configuration Manager to monitor those logs. To see a list of the events and their descriptions, along with more information, read\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/en-us\/information-protection\/deploy-use\/monitor-rms-connector\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Monitor the Azure RMS connector\">Monitor the Azure RMS connector<\/a>.<\/p>\n<p>We\u2019ve put a lot of effort into creating key performance indicators (KPIs) that measure template use. Those KPIs tell us what templates are used the most and which templates may be retired. This is particularly important to us as we are rolling out Azure Information Protection. With Azure Information Protection, we are changing the templates we want people to use and archiving older ones. It\u2019s a gradual process, but having usage metrics makes it easy to see if new templates are being used, or if we need to engage with users to better prepare them for a template change. For more information about using logs to analyze usage data, read\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/en-us\/information-protection\/deploy-use\/log-analyze-usage\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Logging and analyzing usage of the Azure Rights Management service\">Logging and analyzing usage of the Azure Rights Management service<\/a>.<\/p>\n<h2>Best practices<\/h2>\n<p>On our journey to Azure Information Protection, we learned some important lessons, including:<\/p>\n<ul class=\"c-list\">\n<li>Keep templates static during migration. To reduce complexity during the migration, we kept all our templates static until the migration was complete. If you change a template during migration, you will need to change it in multiple places, which increases the opportunity for errors. Now that we are done with the migration and we are moving on to other capabilities in Azure Information Protection, we are changing some template names to make them more relevant to users in different regions. We are also looking at template usage metrics to rationalize our published template portfolio, and we are replacing or archiving templates that aren\u2019t being used.<\/li>\n<li>Understand and document your environment. Most of the migration challenges that we faced were related to incomplete or out-of-date documentation. When we were migrating applications, we had to rely on tracking the declining connection counts to the AD RMS cluster, via the collected IIS logs. Because not all app dependencies were documented, it needed a lot of up-front effort and created challenges when the listed application owners weren\u2019t available. We had to continuously follow up with the owners to determine if they had migrated or not.<\/li>\n<li>Introduce Azure Information Protection to users as a transparent migration. We initially introduced the service to users as a transparent migration, with no obvious new features, to simplify the process. Then we started enabling and advertising the new Azure Information Protection features such as classification, tracking, and revocation.<\/li>\n<li>Protect accounts with elevated rights. Accounts with elevated rights, such as Azure global admin, can increase risk if a user\u2019s primary corporate credentials are persistently elevated. There are a couple of ways to minimize that risk\u2014you can either assign a secondary, privileged identity to use only when needed for admin tasks, or use a just-in-time elevated access tool such as Azure Privileged Identity Management. It elevates rights for a pre\u2011defined duration, after which the rights expire.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>We have completed our migration at scale. During each minute of the workday at Microsoft, 2,500 to 3,000 licensed users access the system to create new content, access existing encrypted content, or decrypt shared content. Azure Information Protection allowed for a seamless encryption\/decryption service transition, and there was no discernable difference in the way the service works for users. For service managers, this service offers better logging and usage tracking than we had with AD\u00a0RMS. Since the migration, we are saving costs because we don\u2019t have a physical infrastructure to deploy, manage, update, or maintain\u2014all those activities are part of the Azure subscription. Maintaining this service requires 66 percent less admin resources than we needed for AD RMS.<\/p>\n<p>Migrating to Azure Information Protection was the first step on our journey toward building a foundation for discovering, classifying, labeling, and protecting sensitive data at Microsoft using Azure Information Protection. For more information about starting your own migration, read\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/docs.microsoft.com\/information-protection\/plan-design\/migrate-from-ad-rms-to-azure-rms\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Migrating from AD RMS to Azure Information Protection\">Migrating from AD RMS to Azure Information Protection<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft. Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization [&hellip;]<\/p>\n","protected":false},"author":146,"featured_media":10882,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":false,"footnotes":""},"categories":[1],"tags":[],"coauthors":[674],"class_list":["post-10852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Protecting files in the cloud with Azure Information Protection - Inside Track Blog<\/title>\n<meta name=\"description\" content=\"Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting files in the cloud with Azure Information Protection - Inside Track Blog\" \/>\n<meta property=\"og:description\" content=\"Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-09-18T17:56:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-15T22:02:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1040\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track \u2013 retired stories\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track \u2013 retired stories\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/\",\"name\":\"Protecting files in the cloud with Azure Information Protection - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg\",\"datePublished\":\"2018-09-18T17:56:37+00:00\",\"dateModified\":\"2023-06-15T22:02:13+00:00\",\"author\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575\"},\"description\":\"Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg\",\"width\":1040,\"height\":585,\"caption\":\"Small business male standing outside the office (mobile) using a phone.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protecting files in the cloud with Azure Information Protection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575\",\"name\":\"Inside Track \u2013 retired stories\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/ee0de87c339052d5d84852473bd7f213\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g\",\"caption\":\"Inside Track \u2013 retired stories\"},\"description\":\"The content on this page was crafted to highlight a specific moment in time or the solutions that have led us to where we are today. It offers valuable insights into our journey and the progress made over the years. Check out the Inside Track blog page for our up-to-date stories around Microsoft.\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrackarchive\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Protecting files in the cloud with Azure Information Protection - Inside Track Blog","description":"Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/","og_locale":"en_US","og_type":"article","og_title":"Protecting files in the cloud with Azure Information Protection - Inside Track Blog","og_description":"Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/","og_site_name":"Inside Track Blog","article_published_time":"2018-09-18T17:56:37+00:00","article_modified_time":"2023-06-15T22:02:13+00:00","og_image":[{"width":1040,"height":585,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg","type":"image\/jpeg"}],"author":"Inside Track \u2013 retired stories","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track \u2013 retired stories","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/","name":"Protecting files in the cloud with Azure Information Protection - Inside Track Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg","datePublished":"2018-09-18T17:56:37+00:00","dateModified":"2023-06-15T22:02:13+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575"},"description":"Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg","width":1040,"height":585,"caption":"Small business male standing outside the office (mobile) using a phone."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-files-in-the-cloud-with-azure-information-protection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Protecting files in the cloud with Azure Information Protection"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575","name":"Inside Track \u2013 retired stories","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/ee0de87c339052d5d84852473bd7f213","url":"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g","caption":"Inside Track \u2013 retired stories"},"description":"The content on this page was crafted to highlight a specific moment in time or the solutions that have led us to where we are today. It offers valuable insights into our journey and the progress made over the years. Check out the Inside Track blog page for our up-to-date stories around Microsoft.","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrackarchive\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2018\/09\/5656_herov2.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2P2","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/146"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=10852"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10852\/revisions"}],"predecessor-version":[{"id":10856,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10852\/revisions\/10856"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/10882"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=10852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=10852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=10852"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=10852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}