Rights Management for Exchange Online is now known as Azure Information Protection (AIP). For the customer, Exchange Online and AIP do not require any physical servers; only licensing is needed to activate scenarios. In this scenario we need to turn on a few items and configure some settings, and then we’ll be able to start working with the Rights Management service and protect emails that pass through Exchange Online.
Rights Management – this is the general concept of protecting messages sent from Exchange (online or on-premises) to external or internal recipients and controlling what actions can be performed on the messages. These actions could include encrypting the messages, preventing the message from being forwarded or restricting permissions.
Azure Information Protection (AIP) – AIP is the Office 365 iteration of Rights Management and it can be applied to Exchange Online messaging. In addition, we can also configure AIP to apply templates and rules against other workloads in Office 365.
** Note ** There is a graphical interface. First, we need to go to Settings and Settings under that tab to see this:

We click on Microsoft Azure Information Protection which brings up a side bar:

Click on the blue manage link above which takes us to Rights Management in Office 365:

Then click on Advanced which takes us to the main AIP console:

PowerShell
Now we apply the AIP Template to an email. This requires a new Transport Rule, which specifies the criteria needed to trigger it, like any other Transport Rule, and then sets an AIP Template to apply to the matching messages.
Get-Help New-TransportRule -Full
From here we can see there is an option called ‘ApplyRightsProtectionTemplate’ which will be useful for applying an AIP template. We also have conditions like ‘SentToScope’, ‘SubjectMatchesPatterns’ and ‘From’. In our sample, we can apply an ‘AIP Template’ called ‘Highly Confidential \ All Employees’. We will also pick a from address and limit the rule to messages sent to an external email address, and we get this:
# 'sender@contoso.com' is a placeholder; substitute the sender address the rule should match.
New-TransportRule -From 'sender@contoso.com' -SentToScope 'NotInOrganization' -SubjectMatchesPatterns @('"Highly Confidential"') -ApplyRightsProtectionTemplate 'Highly Confidential \ All Employees' -Name 'Highly Confidential - AIP' -StopRuleProcessing:$False -Mode 'Enforce' -Comments ' ' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'
So in order to apply AIP to messages, we need an AIP Template and a corresponding Transport Rule to protect messages.
The new Office 365 Message Encryption, which is known as Azure Information Protection (AIP), relies on Templates in order to perform operations on objects in Office 365. By default we have two templates available in Exchange Online:
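A hardened variant of the rule above, as an added example that is not from the original text: it confirms that Exchange Online can see the template before creating the rule, and it sets RuleErrorAction to 'Defer', because with 'Ignore' a message is sent anyway when rule processing cannot complete. It assumes an open Exchange Online PowerShell session; the sender address is a placeholder and the subject pattern is written without the embedded quotes.

```powershell
# Added example, not the author's code. Assumes an Exchange Online PowerShell
# session is already open. 'sender@contoso.com' is a placeholder address.
$templateName = 'Highly Confidential \ All Employees'
$ruleName     = 'Highly Confidential - AIP'

# Fail early if the template the rule references is not visible to Exchange Online.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "Template '$templateName' is not visible to Exchange Online; rule not created."
}

$ruleParams = @{
    Name                          = $ruleName
    From                          = 'sender@contoso.com'      # placeholder
    SentToScope                   = 'NotInOrganization'
    SubjectMatchesPatterns        = 'Highly Confidential'     # regex matched against the subject
    ApplyRightsProtectionTemplate = $templateName
    Mode                          = 'Enforce'
    # 'Ignore' sends the message anyway if the rule cannot be processed;
    # 'Defer' holds the message so the rules engine can try again.
    RuleErrorAction               = 'Defer'
    SenderAddressLocation         = 'Header'
}
New-TransportRule @ruleParams

# Read the rule back and confirm what was actually stored.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, RuleErrorAction, ApplyRightsProtectionTemplate
```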
Encrypt
Do Not Forward
Since this is a PowerShell book, let’s see what we can find out about these templates and if we can perform any operations in PowerShell. If we first review the cmdlets in Exchange Online we find that:
Get-Command '*aip*' | Where {$_.Source -eq 'tmp_4syhnynk.azk'}
There are zero cmdlets. Wait. None? OK. We do know that these are Azure templates. Maybe we can find them in Azure or Azure Active Directory? First, make a connection to Azure:
Connect-AzAccount
Enter your Azure account’s UPN and enter the password for the account:
Once connected, let’s explore cmdlets from Azure:
Get-Command *aip* | Where {$_.Source -like 'Azure*'}
Well. OK. Not expected. So are there any cmdlets for Azure Information Protection? Yes. They just happen to have their own module:
Get-Command *aip*
Which provides us with 53 cmdlets for our use:
Add-AipServiceRoleBasedAdministrator
Add-AipServiceSuperUser
Add-AipServiceTemplate
Clear-AipServiceDoNotTrackUserGroup
Clear-AipServiceSuperUserGroup
Connect-AipService
Convert-AipServiceKeyToKeyVault
Disable-AipService
Disable-AipServiceDevicePlatform
Disable-AipServiceDocumentTrackingFeature
Disable-AipServiceIPCv3
Disable-AipServiceSuperUserFeature
Disconnect-AipService
Enable-AipService
Enable-AipServiceDevicePlatform
Enable-AipServiceDocumentTrackingFeature
Enable-AipServiceIPCv3
Enable-AipServiceSuperUserFeature
Export-AipServiceTemplate
Get-AipService
Get-AipServiceAdminLog
Get-AipServiceConfiguration
Get-AipServiceDevicePlatform
Get-AipServiceDocumentLog
Get-AipServiceDocumentTrackingFeature
Get-AipServiceDoNotTrackUserGroup
Get-AipServiceIPCv3
Get-AipServiceKeys
Get-AipServiceMaxUseLicenseValidityTime
Get-AipServiceMigrationUrl
Get-AipServiceOnboardingControlPolicy
Get-AipServiceRoleBasedAdministrator
Get-AipServiceSuperUser
Get-AipServiceSuperUserFeature
Get-AipServiceSuperUserGroup
Get-AipServiceTemplate
Get-AipServiceTemplateProperty
Get-AipServiceTrackingLog
Get-AipServiceUserLog
Import-AipServiceTemplate
Import-AipServiceTpd
New-AipServiceRightsDefinition
Remove-AipServiceRoleBasedAdministrator
Remove-AipServiceSuperUser
Remove-AipServiceTemplate
Set-AipServiceDoNotTrackUserGroup
Set-AipServiceKeyProperties
Set-AipServiceMaxUseLicenseValidityTime
Set-AipServiceMigrationUrl
Set-AipServiceOnboardingControlPolicy
Set-AipServiceSuperUserGroup
Set-AipServiceTemplateProperty
Use-AipServiceKeyVaultKey
The module name is AIPService … We see that there are quite a few cmdlets, but can we actually DO anything with these cmdlets?
Nope! Why? Because we need to connect to the Azure Information Protection service. Oh?!? How do we do that?
We see that like a lot of other workloads in Office 365, we have a connect cmdlet for this:
Connect-AipService
Which asks us for a login and password just like Azure Active Directory did. Once logged in we see this:
Now if we type in Get-AipService, we see that it is indeed enabled:
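The connection and status check described above, gathered into one script as an added example that is not from the original text; it also lists the templates and reports the super user configuration, since super users can read any content the organization protects with the service. It assumes the AIPService module is installed and that the account signing in is allowed to administer the protection service.

```powershell
# Added example, not the author's code. Assumes the AIPService module is
# installed and the account may administer the protection service.
Import-Module AIPService -ErrorAction Stop
Connect-AipService | Out-Null              # prompts for sign-in

try {
    # Get-AipService reports whether the protection service is activated.
    $serviceStatus = [string](Get-AipService)
    if ($serviceStatus -ne 'Enabled') {
        Write-Warning "Protection service status is '$serviceStatus'."
    }

    # Templates defined in the service, with their IDs and localized names.
    Get-AipServiceTemplate | Format-Table TemplateId, Names -AutoSize | Out-Host

    # Super users can read all content protected by the service, so record
    # whether the feature is switched on and which accounts or group hold it.
    $report = [pscustomobject]@{
        ServiceStatus    = $serviceStatus
        SuperUserFeature = [string](Get-AipServiceSuperUserFeature)
        SuperUsers       = @(Get-AipServiceSuperUser) -join '; '
        SuperUserGroup   = [string](Get-AipServiceSuperUserGroup)
    }
    $report | Format-List | Out-Host
}
finally {
    # Always close the session, even if one of the checks above failed.
    Disconnect-AipService | Out-Null
}
```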
Conclusion
As we can see there are quite a few Azure Information Protection (AIP) PowerShell cmdlets. Next week we will explore these more in-depth.