/AIPLAB/0.MIP.md:

# The Microsoft Information Protection Story

![](./media/MIPall.png)

**Azure Information Protection** (as described in the introduction) is one part of the larger **Microsoft Information Protection** story.
With Microsoft Information Protection, Microsoft is streamlining how all applications that require information protection capabilities interact. This provides a **unified interface** where both Microsoft and partner applications can **classify and protect sensitive information**.

Ultimately, this means better integration across our information protection solutions and a more consistent approach to protecting your sensitive data.

![](./media/MIPsimplify.png)

The image below shows examples of technologies that can interface with Microsoft Information Protection. Although we will not delve deeply into all of these technologies in this lab, we will provide resources in the conclusion that may be used for further exploration.

![](./media/MIPCapabilities.png)

![](./media/MIP.png)

## Where to Begin

With General Availability of Unified Labeling clients and Sensitivity Labels in the Security and Compliance Center, there has been some confusion on where customers should start their deployment and which clients they should use. This is a common question, and one that requires understanding of the capabilities available in the Azure Information Protection client (classic) versus what is currently available in the Azure Information Protection Unified Labeling client.

### Azure Information Protection unified labeling client

The **Azure Information Protection unified labeling client** is an Office and Windows add-in that pulls labels from the unified labeling store that multiple applications and services support. This client supports the latest advanced features and is recommended for all customers, with some minor exceptions noted later. This client downloads sensitivity labels and policy settings from the Office/Microsoft 365 Security & Compliance Center.

### Azure Information Protection client (classic)

The **Azure Information Protection client (classic)** has been available since Azure Information Protection was first announced as a new service for classifying and protecting files and emails. This client downloads labels and policy settings from Azure, and you configure the Azure Information Protection policy from the Azure portal.

### Migrating Labels to Unified Labeling

New tenants today have Unified Labeling enabled by default. Customers with established tenants will be required to do a one-time activation to migrate their labels from the Azure label store to the Unified Labeling store. Migrating these labels **DOES NOT** require that all Azure Information Protection classic clients be upgraded to the Unified Labeling client immediately. You can activate Unified Labeling today and migrate the clients in a phased manner after full testing has been done. This also allows you to begin testing and enabling your Mac, mobile, and other services that use the MIP SDK (Power BI, SharePoint Online, Adobe PDF, DLP, firewalls, etc.).

In this lab, we will look primarily at the Azure Information Protection unified labeling client because it now has the advanced features necessary for most enterprise deployments.

---
In this section, we reviewed the Microsoft Information Protection vision and discussed the differences between the AIP unified labeling client and the AIP client (classic).

In the next section, we will begin our discussion of Microsoft Information Protection with the Discover phase.

[Next - Phase 1: Discover - Endpoints](1.Discovery.md)

/AIPLAB/1.Discovery.md:

# Phase 1: Discover - Endpoints

![Discover](./media/DiscoverHeader.png)

Azure Information Protection can help you to discover sensitive data on local endpoints, CIFS file shares, and on-premises SharePoint sites and libraries. In this section, we will look at several methods available to begin collecting this useful and actionable data.

## AIP Client Windows Endpoint Auditing

Using the current Azure Information Protection clients, you can now discover sensitive information in any new document that is saved in Office on a machine with the AIP client installed. This allows you to do passive data discovery across all of your Windows endpoints. You can also do active endpoint auditing with the AIP Unified Labeling client using the PowerShell cmdlets that are installed with the client.

![](./media/endpointdiscovery.png)

If you have **Microsoft Defender Advanced Threat Protection** (MDATP) deployed to your endpoints, you can also integrate with Information Protection to actively audit sensitive files being accessed on your endpoints. With the risk information provided by MDATP, you can target risky systems and use PowerShell to run a scan of the system to discover sensitive data that may be at risk on those compromised systems (and optionally encrypt that data). We will demonstrate this type of scan later in this section.

---
## AIP Client Windows Endpoint Auditing - Hands On

In this hands-on section, we will configure the default labels and global policy needed for the AIP unified labeling client to download policy.
Once this is done, we will add sensitive information to a Word document and label it to show passive auditing with the AIP unified labeling client. Finally, we will use the PowerShell cmdlets provided with the AIP unified labeling client to scan an endpoint for sensitive data.

## Default Label Configuration

In this task, we will **Generate default labels** and deploy them to a **Global** policy in the Microsoft Security Center.

1. Open Edge and browse to **https://aka.ms/AIPConsole**
2. Log in using your Global Admin credentials
3. Under **Classifications**, click on **Labels**
4. In the Labels blade, at the top, click the **+ Generate default labels** button.

   ![Generate.png](./media/Generate.png)

   > You will see an image like the one below once the generation is complete.
   >
   > ![Complete.png](./media/Complete.png)

---
## Configuring Global Policy

We now have default labels available for deployment. At this point, no users will see these labels until we assign them to a policy. Deciding which labels to deploy to users to minimize impact is a topic that can raise many concerns. Issues with application compatibility and concerns around when to deploy labels with protection are just a few of these.

Many organizations can deploy protected labels during the initial rollout and train their users in appropriate labeling behaviors. This has the advantage of only requiring end user training once, but some organizations have found this approach to be too aggressive.

An alternative approach that we have seen be successful is to deploy the top-level labels and only the **Recipients Only** and **Anyone (not protected)** sub-labels initially. This has the benefit of allowing users to get accustomed to classification of content before rolling out additional protected labels. In this workshop, we will deploy all labels at once for simplicity.

We will discuss protection in more detail in the **Protect and control access** section.

---
## Publishing Labels for Unified Labeling Clients

While generating default labels in the Azure Portal, we have also enabled them in the Unified Labeling store in the Security and Compliance Center. However, to prevent these labels from impacting production, they are not published immediately.

In this task, we will publish the labels to a label policy in the Security and Compliance Center. This is necessary for labels to display in Unified Labeling clients and Microsoft Cloud App Security policies.

1. In a new tab, browse to **https://security.microsoft.com/**
2. On the left side, expand **Classification** and click on **Sensitivity Labels**

   > In the **Labels** section, you will see the default labels configured for the AIP demo tenants.
   >
   > These demo labels are modeled after the labels that Microsoft uses internally (with the exception of Personal, where we use Non-Business) and are highly recommended as a baseline for customers that do not already have an established and effective classification taxonomy. More details on how Microsoft developed this taxonomy and how we deployed AIP internally are available in a video online at https://aka.ms/AIPShowcase. We will list this URL again in the additional resources at the end of the lab.
   >
   > ![UI01](./media/UI01_UL2.png)

3. At the top of the page, click on **Label policies**

   > Note that there are no predefined label policies. Label policies in the Security & Compliance Center are more versatile than policies in the Azure portal because the same labels can be applied in multiple policies. This allows for a higher level of customization based on group or role.

4. On the Label policies page, click on **Publish labels**
5. In the New sensitivity label policy, click **Choose sensitivity labels to publish**

   ![](./media/choose_sensitivity.png)

6. In the Sensitivity labels to publish blade, check the **Select All** box and click the **Add** button
7. On the Choose labels to publish page, click the **Next** button
8. On the Publish to users and groups page, click the **Next** button
9. On the Policy settings page, click the **Next** button

   > NOTE: We will revisit these settings later in the lab

10. On the Policy settings page, in the **Name** text box, type **Global**
11. Click **Next**
12. On the "Review your settings" page, click **Submit**

    > ![](./media/sensitivity_reviewpage.png)

---
## Detecting Sensitive Information with the AIP Unified Labeling Client Add-in

1. On the desktop, double-click on **AdminPC**
2. Log in using the credentials below

   > **Contoso\AIPScanner**
   >
   > **Somepass1**

3. Click on the Start menu and launch **Word**
4. In the Microsoft Azure Information Protection prompt, type **AlexW@yourdomain.onmicrosoft.com** and click **Next**
5. When prompted, type the password and sign in
6. In the Sign in to set up Office dialog, click **Sign in**
7. In the Activate Office dialog, type **AlexW@yourdomain.onmicrosoft.com** and click **Connect**.
8. When prompted, type the password and sign in
9. Create a new **Blank document**
10. In the new document, enter the text **My AMEX card number is 344047014854133. The expiration date is 09/28, and the CVV is 4368**

    > This card number is a fake number that was generated using the Credit Card Generator for Testing at `https://developer.paypal.com/developer/creditCardGenerator/`. The Microsoft Classification Engine uses the Luhn algorithm to prevent false positives, so when testing, please make sure to use valid numbers.

11. Click on the Sensitivity button and manually label the document as **General** and **save the document**.

    > ![](./media/general.png)
    >
    > After labeling and saving the file, the AIP unified labeling client installed on this system will detect the credit card number that has been entered in this new document and report it to the AIP Log Analytics portal if it is configured. Note that despite the document being labeled as General, we still see the information type match in the activity details.
    >
    > ![](./media/EndpointDiscoveryOffice.png)

In the Classification section of this workshop, we will configure policy settings including the default label and mandatory labeling, which will ensure that you are getting these insights from all of the documents and emails being created on your endpoints. You can use these insights along with the recommendations panel in Log Analytics to add conditions to your labels to help guide your users in appropriately classifying their documents and emails.

---
## Active Endpoint Discovery with PowerShell

In this task, we will scan a local directory on the endpoint using AIP PowerShell and the -WhatIf and -DiscoverInfoTypes switches to catalog the sensitive information in that location. While we will do this manually on the endpoint, this could easily be pushed to the endpoint as a package from SCCM, Intune, or any other client management utility that can send remote commands to the endpoints.

If you combine this functionality with risk profiles from Microsoft Defender ATP, you can quickly target at-risk systems and identify (and optionally protect) sensitive data on those endpoints.

> WARNING: This PowerShell command is very resource intensive, so we do not recommend actively scanning all endpoints using this method on an ongoing basis.
> This should be seen as a point-in-time remedial and auditing tool, used when the security of your data takes higher precedence than user experience.

1. Click on the Start menu and click **Windows PowerShell**
2. In the PowerShell window, type **Set-AIPFileClassification -Path C:\PII -WhatIf -DiscoverInfoTypes All | Out-File ~\Desktop\Results.txt**

   > NOTE: To collect the discovered data described in this section of the lab, you would normally configure AIP Analytics in the Azure portal first. We will discuss Monitoring and show how that is configured in a later section. For now, we will export the results to a file so we can review them immediately.

   > NOTE: You will see one error when running this command, on a file in the repository whose name ends in Enrique.docx. This is expected, as this file was encrypted with AIP from the Microsoft tenant and this test tenant does not have rights to inspect this document.

3. On the desktop, double-click on **Results.txt**

   > Review the data collected by the scan. You will see that although there are many information types discovered in these documents, none of them have been labeled. If you had automatic conditions applied to your labels or a default label, you would see the label that would be applied if you had not used the -WhatIf parameter.

   > If you have AIP Log Analytics configured, you would also see this information surfaced in your Data Discovery and Activity Logs in the Azure Portal, as shown below.

   > **Data Discovery**
   > ![](./media/datadiscoveryps.png)

   > **Activity Logs**
   > ![](./media/activitylogs.png)

---
In this section, we have discussed and demonstrated Windows Endpoint Discovery methods using the AIP unified labeling client add-in and AIP PowerShell.

In the next section, we will show how to install and configure the AIP unified labeling scanner for discovery of sensitive data in repositories.
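As an added example (not part of the lab), the script below wraps the -WhatIf / -DiscoverInfoTypes scan from the steps above so it can be pushed to an endpoint unattended: it keeps going past files the client cannot inspect (such as the AIP-encrypted Enrique.docx noted above), saves the full output as CSV, and prints a per-status summary. It assumes the AIP unified labeling client is installed and the user is signed in; the `Status` property used for the summary is assumed from the cmdlet's table output.

```powershell
# Added example, not part of the lab: unattended point-in-time discovery scan of one folder.
# Assumes the AIP unified labeling client is installed and the session is signed in.
param(
    [string]$Path   = 'C:\PII',                    # folder to audit (lab value)
    [string]$OutDir = "$env:USERPROFILE\Desktop"   # where Results.csv is written
)

# -WhatIf reports what would happen without labeling anything; -DiscoverInfoTypes All catalogs
# every sensitive information type found. Non-terminating errors (for example a file protected
# by another tenant) are collected in $scanErrors instead of aborting the scan.
$results = Set-AIPFileClassification -Path $Path -WhatIf -DiscoverInfoTypes All `
    -ErrorAction SilentlyContinue -ErrorVariable scanErrors

# Keep the complete raw output for later review; exporting every property avoids depending on
# column names that differ between client versions.
$results | Export-Csv -Path (Join-Path $OutDir 'Results.csv') -NoTypeInformation -Encoding UTF8

# Quick summary by outcome (Status is an assumed property name on the output objects).
$results | Group-Object -Property Status | Select-Object Name, Count | Format-Table -AutoSize

# Files the client could not open; these still need a decision (owner, other tenant, etc.).
foreach ($e in $scanErrors) {
    Write-Warning ("Could not inspect: " + $e.TargetObject + " - " + $e.Exception.Message)
}
```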

[Next - Phase 1: Discover - File Repositories](2.DiscoveryRepo.md)

/AIPLAB/10.monitorHOL.md:

# Phase 4: Monitor and Remediate (Hands On)

In this section, we will discuss the setup of AIP Analytics and the capabilities of Azure Sentinel and Azure Monitor for monitoring and alerting on discovered sensitive data and user activities.

---
## AIP Analytics

Normally, before beginning with Azure Information Protection discovery and protection, you will first configure AIP Analytics. This is done by connecting an existing Azure Log Analytics workspace or creating a new one using the **+ Create new workspace** link. Azure Log Analytics workspaces require an Azure subscription, so we will not be able to demonstrate this functionality in this lab, but we will provide instructions for configuring AIP Analytics so you may refer to them in your own tenant with an available subscription.

1. On the jumphost, browse to **https://aka.ms/AIPConsole**
2. In the Azure Information Protection blade, under **Manage**, click **Configure analytics**.
3. Next, click on **+ Create new workspace**.

   ![qu68gqfd.jpg](./media/qu68gqfd.jpg)

   > Warning: The reason we recommend creating a new workspace here is that, by default, only the creator and subscription administrators have access to an Azure Log Analytics workspace.
   >
   > The data contained in this workspace will contain details about the **location** and **contents** of files containing **sensitive information**.
   >
   > Restricting access to this workspace only to **trusted administrators** with a **need to know** is **highly recommended**.

   > NOTE: If you have already set up Azure Sentinel and want to integrate AIP logging, you should use the configured Azure Sentinel Log Analytics workspace.

4. On this blade, you would configure the Log Analytics workspace using values similar to the ones in the table below. **Note that this is not possible in the lab environment because we do not have an active subscription.**

   | Setting | Value |
   |---|---|
   | Log Analytics Workspace | Type a globally unique Workspace Name |
   | Resource Group | Provide a Resource Group Name (unique to tenant), or choose an existing Resource Group |
   | Location | Choose a location near the tenant |
   | Pricing tier | Per GB |

5. Next, back in the Configure analytics blade, you would **check the box** next to the **workspace** and next to **Enable deeper analytics into your sensitive data** and click **OK**.

   ![1547437013585](./media/aipanalytics.png)

   > Checking the box next to **Enable deeper analytics into your sensitive data** allows the **actual matched content** to be stored in the Azure Log Analytics workspace. This could include many types of sensitive information such as SSNs, credit card numbers, and banking information. This option is typically used during testing of automatic conditions and is not widely used in production settings due to the sensitive nature of the collected data. If this is used in a production setting, extreme caution should be taken with securing access to this workspace.

---
## Azure Sentinel

Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics. You can easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. You can also collect data from any source that can forward logs in Common Event Format (CEF). This allows you to bring together data points from across your environment for log aggregation, threat detection, and visualization.

For Azure Sentinel to integrate with Azure Information Protection, you must connect Azure Sentinel to the same workspace you have configured for AIP. Once the workspace is connected, you will have access to the **Usage Report** dashboard.

> ![](./media/SentinelDashboard.png)

By clicking on this dashboard, you will be able to see data similar to what is available through the AIP Analytics dashboards from within Sentinel. This is useful if you are using Sentinel as your primary SIEM. More dashboards and functionality will be added to Sentinel in the future.

---
In this section, we discussed the setup of AIP Analytics and the capabilities of Azure Sentinel for monitoring discovered sensitive data and user activities.

On the next page, we will review the contents of the lab and provide some resources for additional learning.

[Next - Conclusion](conclusion.md)

/AIPLAB/2.DiscoveryRepo.md:

# Phase 1: Discover - File Repositories

In this section, we will run through the configuration of the AIP unified labeling scanner and show how it can be used to detect sensitive data in repositories.

---
## Azure Information Protection Scanner

Most modern organizations have terabytes (or petabytes) of unstructured data sitting in their on-premises data repositories and SharePoint libraries. Managing this data the way you manage other corporate resources is a daunting but achievable task using tools like the AIP scanner.

The **Azure Information Protection scanner** allows you to scan your on-premises data repositories against the standard Office 365 sensitive information types and custom types you build with keywords or regular expressions. Once the data is discovered, the AIP scanner(s) can aggregate the findings and display them in Analytics reports so you can begin visualizing your data risk and see recommendations for setting up protection rules based on the content. As a quick clarification, this is the AIP Unified Labeling Scanner, which is currently GA in the most up-to-date version we have.

![discovery](./media/discovery.png)

We will quickly walk through the installation of the AIP unified labeling scanner in this lab, but we do the full end-to-end installation with multiple scanners attached to a single profile for load balancing in another lab in this series.

---
## AIP Scanner Configuration

In this task, we will configure a cluster, content scan job, and repository in Azure and install an AIP scanner to run unattended in discovery mode.

1. Minimize **AdminPC** and return to Edge on the jumphost
2. Navigate to the Azure Portal and type **Azure Information Protection** in the search bar to open the respective tab.
3. On the side pane, under **Scanner**, click **Clusters**
4. In the Clusters tab, click the **+ Add** button.
5. In the **Add a new cluster** pane, enter **East US** for the **Cluster name** and click Save.
6. In the side pane under the Scanner section, click on **Content scan jobs** and click the **+ Add** button.
7. Provide a name for the Content scan job and then configure it using the following settings:

   > The default **Schedule** is set to **Manual**, and **Info types to be discovered** is set to **All**.

8. Under **Policy Enforcement**, set the **Enforce** switch to **Off**
9. Click **Save** to complete initial configuration
10. Once the save is complete, click on **Configure repositories**
11. In the Repositories blade, click the **+ Add** button
12. In the Repository blade, under **Path**, type **\\\AdminPC\Documents**
13. In the Repository blade, click **Save**

    > NOTE: Keep the Azure Portal window available for future hands-on sections.

14. On the desktop, restore **AdminPC**
15. Open an **Administrative PowerShell Window** and type the PowerShell command below.

    ```PowerShell
    Install-AIPScanner -SqlServerInstance AdminPC -Profile "East US"
    ```

    For the SQL Server instance, enter the name of the machine on which the SQL Server instance is running, which in this case is **AdminPC**. For Profile, type the cluster name, in quotation marks.

16. When prompted, log in using your scanner service account **Contoso\AIPScanner** ()

17. Verify that the service is now installed by using **Administrative Tools > Services**. The installed service is named Azure Information Protection Scanner and is configured to run using the scanner service account that you created.

Next, we will obtain the admin consent necessary to run the AIP client unattended. This will be done by obtaining an Azure AD token.

1. Navigate back to the Azure Portal and proceed to the **Azure Active Directory** blade.
2. In the Azure Active Directory side pane, click **App registrations**.
3. At the top, click **+ New registration**.
4. In the Name section, type **AIPScanner**.
5. Leave **Supported account types** as default.
6. For the Redirect URI, leave the type as Web but type **http://localhost** for the entry portion and click **Register**.
7. On the Overview page of this application, note down in your text editor of choice the following IDs: **Application (client) ID** and **Directory (tenant) ID**. You will need these later when setting up the Set-AIPAuthentication command.
8. On the side pane, navigate to **Certificates and Secrets**
9. Click on **+ New client secret**
10. In the dialog box that appears, enter a description for your secret, set it to expire **In 1 year**, and then add the secret.
11. You should now see under the client secrets section that there is an entry with the **Secret Value**. Copy this value and store it in the file where you saved the Client ID and Tenant ID. This is the only time you will be able to see the secret value; it will not be recoverable if you don't copy it at this time.
12. On the side pane, navigate to **API Permissions**
13. Select **Add a permission**.
14. When the screen shows, select **Azure Rights Management Service**. Then select **Application Permissions**.

    ![Azure RMS Permissions](./media/AzureRMSpermissions.JPG)

15. Click the drop-down for **Content** and check **Content.DelegatedReader** and **Content.DelegatedWriter**. Then, at the bottom of the screen, click **Add Permissions**.

    ![Azure RMS App Permissions](./media/AzureRMSApppermissions.JPG)

16. Navigate back to the **API Permissions** section and add another permission.
17. This time, for the Select an API section, click on **APIs my organization uses**. In the search bar, type **Microsoft Information Protection Sync Service** and select it.

    ![MIP Sync Service](./media/SyncService.JPG)

18. Select **Application Permissions** and then, in the **Unified Policy** drop-down, check the permission **UnifiedPolicy.Tenant.Read**. Then, at the bottom of the screen, click **Add Permissions**.
19. Back on the **API Permissions** screen, click **Grant Admin Consent** and look for the operation being successful (signified by a green checkmark).
20. Navigate back to the **Administrative PowerShell Window** in **AdminPC**
21. Type in the following command:

    ```PowerShell
    $pscreds = Get-Credential Contoso\AIPScanner
    Set-AIPAuthentication -AppId "" -AppSecret "" -DelegatedUser aipscanner@contoso.com -TenantId "" -OnBehalfOf $pscreds
    ```

For your $pscreds variable, make sure to use your AD domain name followed by a backslash and the local admin account being used on your **AdminPC** machine. You will be prompted for the local account password, so fill that in and hit Enter.

For your **-AppId** parameter, input the **Application (client) ID** you saved in a file earlier. Be sure to include the quotation marks.

For your **-AppSecret** parameter, input the **Secret Value** that you saved in a file earlier. Be sure to include the quotation marks.

For your **-DelegatedUser** parameter, input the AAD-synced or cloud-based service account you are using to manage AIP. You do not need quotation marks here.

For your **-TenantId** parameter, input the **Directory (tenant) ID** that you saved in a file earlier. Be sure to include the quotation marks.

Make sure to use $pscreds as the parameter for **-OnBehalfOf**.

Run the command. If successful, you will receive the following message: "**Acquired application access token on behalf of Contoso\AIPScanner.**"

You are now ready to run the scanner!

1. Finally, in the Admin PowerShell window, type **Start-AIPScan**
2. To check the scanning status, in the Admin PowerShell window type **Get-AIPScannerStatus**
3. You can also check the scanner status in the AIP blade in the Azure Portal by navigating to **Nodes** on the side pane.

This is an intentionally quick and simple deployment of the AIP scanner due to limited time in the lab environment. After the script completes, a discovery scan is started and results will be reported to AIP Analytics if configured. The image below shows the result of a discovery scan in the AIP Analytics dashboard.

> ![](./media/initialdiscovery.png)

---

In this section, we have learned how to do discovery on file repositories using the AIP scanner.

In the next section, we will discuss classification and labeling and strategies for developing your classification taxonomy.
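As an added example (not part of the lab), the script below performs the unattended authentication and scan start from the steps above with the client secret read as a SecureString at the prompt rather than pasted from the text file, and starts the scan only if the token was acquired. It assumes the app registration, client secret and Contoso\AIPScanner service account created above; the tenant and application IDs are prompted for instead of being hard-coded.

```powershell
# Added example, not part of the lab: Set-AIPAuthentication with the secret kept out of files
# and command history. Assumes the AIPScanner app registration and consented permissions above.
$tenantId = Read-Host 'Directory (tenant) ID'
$appId    = Read-Host 'Application (client) ID'
$secret   = Read-Host 'Client secret' -AsSecureString   # not echoed, not written to disk

# Local scanner service account (Contoso\AIPScanner in the lab) that runs the unattended client.
$pscreds = Get-Credential -UserName 'Contoso\AIPScanner' -Message 'Scanner service account'

# Set-AIPAuthentication takes -AppSecret as a plain string, so convert only at the point of use.
$plainSecret = [System.Net.NetworkCredential]::new('', $secret).Password
try {
    Set-AIPAuthentication -AppId $appId -AppSecret $plainSecret `
        -DelegatedUser aipscanner@contoso.com -TenantId $tenantId `
        -OnBehalfOf $pscreds -ErrorAction Stop

    # Token acquired on behalf of the service account: start the discovery scan configured in
    # the portal (Enforce = Off) and show the node status once.
    Start-AIPScan
    Get-AIPScannerStatus
}
finally {
    # Drop the plaintext copy so it does not linger in the session after the call.
    $plainSecret = $null
}
```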

[Next - Phase 2: Classify and Label](3.classification.md)

-------------------------------------------------------------------------------- /AIPLAB/3.classification.md: --------------------------------------------------------------------------------

# Phase 2: Classify and Label

![classify](./media/classify.png)

One of the most common stall points for an AIP rollout is determining which classifications (labels) you want to deploy to your organization. This can be a daunting task, as it requires input from many distinct parts of the business (Senior Leadership, Legal, Security, Business Owners). Additionally, many organizations have a classification taxonomy that they have been using for many years (or even decades), so you must decide whether to continue using that or switch.

When deciding on a classification taxonomy, we recommend keeping the following in mind:

- The classification taxonomy should identify the **confidentiality level** of the information. Based on the confidentiality level, you can later decide what protection measures will be applied to each labeled document.

- A recommended classification taxonomy is one that **every information worker** in your organization will be able to order from least restrictive to most restrictive without any doubt.

If your organization does not currently have a classification taxonomy, or you are not confident that it is effective, Microsoft highly recommends using the classifications provided by default within AIP. These are detailed below with standard descriptions.

- **Non-Business\Personal** - Non-business data which does not belong to *Contoso*. Data is not encrypted and cannot be tracked or revoked. Do not use Non-Business to classify any personal data which is collected by or which belongs to *Contoso*. Such content should be classified as either Confidential or Highly Confidential.

- **Public** - To be used for business data specifically prepared and approved for public consumption. Data is not encrypted, and owners cannot track or revoke content using AIP.

- **General** - To be used for business data which is NOT meant for public consumption. However, this can be shared with internal employees, business guests and external partners as needed. Data is not encrypted, and owners cannot track or revoke content using AIP.

- **Confidential** - To be used on sensitive business data which could cause business harm if over-shared. Recipients are trusted and get full delegation rights (including the ability to remove the encryption). Data is protected using AIP and owners can track and revoke access.

- **Highly Confidential** - To be used on very sensitive business data which would certainly cause business harm if over-shared. Recipients do NOT get delegation rights (or rights to modify or remove the encryption). Data is protected using AIP and owners can track and revoke access.

These classifications represent the top-level labels in AIP. **Microsoft recommends using sub-labels for defining the audience and protection properties**. We will discuss this in more detail in the **Protect and control access** section.

---
## Classify and label - Hands-On

Much of the groundwork for classification and labeling was laid in the discovery section, when we generated the default label set and published the policy. In this section, we will define policy settings for our global policy to make classification more effective and lower the impact on your users.

### Defining Policy Settings

In this task, we will configure the standard policy settings for Default label, Mandatory labeling, and Downgrade justification in the Global policy, as recommended by Microsoft.

1. Minimize **AdminPC**
2. In Edge, click on the Sensitivity labels tab to bring up the Microsoft Security Center
3. Under Label policies, click on **Global**
4. Click on **Edit Policy**
5. Navigate to the **"Policy settings"** page by clicking on **Next**
6. On the "Policy settings" page, next to **Apply this label by default to documents and email**, select the drop-down menu and click **General**
7. Check the box next to **Users must provide justification to remove a label or lower classification label**
8. Check the box next to **Require users to apply a label to their email or documents**

>The settings page should now look like the image below.
>
>![](./media/policy_settings.JPG)
>
>These settings apply a default label to all documents and emails, require users to justify any downgrade or removal of labels, and require that all documents and email are labeled in some way. These policies help to minimize the impact on users while still enabling classification of all documents and emails.
>
>Remember from discovery that you will still get analytics data on sensitive information found in documents even if they are labeled using the default General label. We will also add recommendations to labels later.

9. Navigate to the **"Review your settings"** page by selecting **Next**
10. **Submit** your new configuration to complete the modification of the Global policy settings

---
## Testing Global Policy Settings

In this task, we will review the results of the settings we just enabled.

1. Restore **AdminPC** and close any open Office applications (Word) so that Word picks up the latest policy from AIP
2. Open the test credit card document you created in the last section
3. Click the **Sensitivity** button and downgrade the label to **Public**
4. In the **Justification Required** dialog, select **The previous label no longer applies** and click **Change**

>![](./media/justification.png)

5. **Save** the document
6. Create a **New blank document**
7. Click on the **Sensitivity** button and notice that **General** is already selected as the default label

>Note that although you can modify the label, there is no option to delete the label. This is because labeling has been marked as mandatory in the policy.

---
In this section, we have discussed best practices and some of the reasons behind the classification taxonomy we recommend. We also tested the standard recommended policy settings.

In the next section, we will discuss protection and show the available settings and options for securing information with Azure Information Protection.

[Next - Phase 3: Protect and Control Access](4.Protect.md)
-------------------------------------------------------------------------------- /AIPLAB/4.Protect.md: --------------------------------------------------------------------------------

# Phase 3: Protect and Control Access

![protect](./media/protect.png)

One of the main reasons for implementing a classification tool is to apply protection to sensitive data. The dictionary defines **protect** as the ability "**to cover or shield from exposure, injury, [or] damage**".

In the context of data protection, AIP enables you to apply protection automatically as part of the configuration of each label. This can take the form of **metadata and visual markings** that allow DLP and other systems to restrict the exposure of that data, or **metadata and markings plus actual encryption** provided by the protection service capabilities of AIP. This encryption can **prevent unauthorized access to data** that could cause injury or damage to the organization.

When defining your classification taxonomy in the previous phase, you created the portion of the taxonomy that specifies the confidentiality level.

Based on our real-world deployments, most organizations encrypt the top one or two sensitivity levels. For example, when using our default classification levels (Non-Business, Public, General, Confidential, Highly Confidential), the most common scenario is:

- **Non-Business** – not encrypted
- **Public** – not encrypted
- **General** – not encrypted
- **Confidential** – Protected with AIP encryption; with Full Control usage rights
- **Highly Confidential** – Protected with AIP encryption; with Viewer or Reviewer usage rights

In the Protect phase, we must determine the type of protection that will be applied and which users can access specific types of content. To address this need, we recommend using sub-labels to define the audience of the content and the usage rights available to that audience.

The first threat scenario organizations usually like to address is the outside threat/accidental leakage scenario. For this purpose, they configure a sub-label that applies protection with permissions for all employees in the organization. This effectively prevents all external users from accessing the data.

Another business scenario that we have seen at most of our customers is the need to collaborate securely over email. Using the new capabilities of Office 365 Message Encryption, we can now perform secure collaboration between business entities and social identities such as Outlook, Yahoo, and Gmail.

![](./media/OME.png)

The primary way of achieving this is by creating a Recipient only sub-label which applies protection (Do Not Forward) to emails and to unprotected Word, PowerPoint, Excel, and PDF attachments, for all the recipients in the recipient list.

---
Knowing when **not to use encryption** is just as important as knowing when to use it. There will be times when users **must share** Confidential and even Highly Confidential information with outside collaborators with no encryption applied (NDA, Audit, Compliance, Regulatory Filings). If you only have protected sub-labels under Confidential and Highly Confidential, you have given the information worker **no choice but to improperly classify the data** or remove classification entirely so that it can be shared.

This results in **improperly classified or unclassified data**, which defeats the purpose of using a classification system. Because of this, we recommend creating another sub-label for sensitive data that is unencrypted (this is what we do at Microsoft). The main point that we stress is that **the confidentiality of data does not change** because it must be sent to a different audience. Thus, the parent label (which we use to identify the confidentiality) **should also not change**.

After your content is classified (and optionally protected), you can track and control how it is used. You can analyze data flows to gain insight into your business, detect risky behaviors, and take corrective measures. You can also track access to documents to help prevent data leakage or misuse.

---

In this section, we have introduced protection concepts and common business use cases, and explored the reasoning behind the way we have defined our labels at Microsoft and why we recommend these methods.

In the next section, we will delve deeper into protection and additional controls via scoped policies and advanced policy settings.

[Next - Phase 3: Protect and Control Access (Hands On)](6.ProtectHOL.md)
-------------------------------------------------------------------------------- /AIPLAB/6.ProtectHOL.md: --------------------------------------------------------------------------------

# Phase 3: Protect and Control Access (Hands On)

In this section, we will add a scoped policy and discuss advanced AIP policy settings that can be used to provide convenience and additional control over your sensitive data.

---
## Scoped Policies

Scoped policies can be used to add more restrictive settings for specific divisions that handle more sensitive information, or to perform production POC testing. In this task, we will set up a scoped policy to create more restrictive default settings.

1. Minimize AdminPC and return to the Microsoft Security Center in Edge
2. Under Sensitivity Labels, click on the **Publish labels** button
3. In the New sensitivity label policy, click **Choose sensitivity labels to publish**

![](./media/choose_sensitivity.png)

4. In the Choose sensitivity labels to publish blade, check the **Select All** box

>NOTE: Adding all labels again here may seem redundant, but because of how AIP processes the order of precedence for label policies, this is necessary.

5. Click the **Add** button
6. Click the **Next** button to select the scope of the policy (users or groups)
7. On the Publish to users and groups page, next to Users and groups, click the **Choose users or groups** link
8. On the Add users or groups page, click the **+ Add** button
9. On the next Add users or groups page, check the box next to **Megan Bowen**

>![](./media/users_groupsscoped.png)

10. Click the **Add** button and then **Done**
11. On the "Publish to users and groups" page, click the **Next** button
12. On the "Policy settings" page, next to **Apply this label by default to documents and email**, select **Confidential/All Employees** in the drop-down menu

>![](./media/AllEmployees_policysettings.png)

13. Check the boxes next to **Users must provide justification to remove a label or lower classification label** and **Require users to apply a label to their email or documents**

>The settings page should now look like the image below.
>
>![](./media/scoped_policy2.png)
>
>These settings require users to justify any downgrade or removal of labels, and require that all documents and email are labeled in some way. Because we also assigned the **Confidential All Employees** label as the default label, this policy will have more impact on user behavior, as users will have to consciously choose to downgrade any document that does not require encryption.
>
>While this is better for improving security, it could also impact user productivity. This is a setting you will need to work on with your business decision makers to find the right balance of security and usability. We will show advanced settings later that help to mitigate this impact.

14. On the "Name & description" page, name the policy **Confidential Default** and click the **Next** button
15. On the "Review your settings" page, click the **Submit** button

---
## Advanced Settings

Next, we will add some advanced settings using Security and Compliance Center PowerShell. The common settings we will be adding here are **OutlookDefaultLabel**, **DefaultLabelID**, **DefaultSubLabel**, **OutlookJustifyUntrustedCollaborationLabel**, and **HideBarByDefault**. These are just a few of the many advanced settings documented at `https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-customizations`.

To begin configuring AIP unified labeling client advanced settings, you must first connect to Security and Compliance Center PowerShell. Follow the steps below to connect:

1. Open an **Administrative PowerShell** prompt
2. Type the code below to allow scripts to run and capture credentials as a variable

```PowerShell
Set-ExecutionPolicy RemoteSigned
```

>Type Y when prompted

```PowerShell
$UserCredential = Get-Credential
```

>Log in using your Global Admin credentials

3. Run the commands below to connect to SCC PowerShell

```PowerShell
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
```

```PowerShell
Import-PSSession $Session -DisableNameChecking
```
>WARNING: If you have **Multi-factor Authentication (MFA)** enabled in your tenant, you will need to connect to Exchange/SCC PowerShell using the newer Exchange cmdlet Connect-EXOPSSession. Full details on this method can be found at `https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps`

Now that you have connected to SCC PowerShell, you can run some commands to get information about the unified labeling configuration and labels.

1. In the SCC PowerShell window, type the commands below to get the current settings applied to the Global policy and to see a list of labels

```PowerShell
(Get-LabelPolicy -Identity "Global").settings
```

```PowerShell
(Get-LabelPolicy -Identity "Confidential Default").settings
```

```PowerShell
Get-Label | Format-Table -Property Name, Guid
```

>You should see output like the image below. Note that the settings in the global and scoped policies correspond to the ones set in the UI in the last task. The defaultlabelid also matches the Guids of the General and Confidential All Employees labels.
>
>![](./media/globalsettingsadv.png)

2. Although encrypting all of the documents in a specific business unit may be justified or required, encrypting all of those users' emails will often have too high an impact on business activities. To reduce the user impact, we will use this advanced setting to create a separate default label for Outlook only. In this case, we are using the "Confidential \ Anyone (not protected)" label. Type the commands below to add this setting.

>Create a variable to store the label ID GUID

```PowerShell
$outlookdefaultlabel = (Get-Label -Identity "Confidential Anyone").Guid.Guid
```

>Set the Outlook default label to **Confidential Anyone** for the Confidential Default policy

```PowerShell
Set-LabelPolicy -Identity "Confidential Default" -AdvancedSettings @{OutlookDefaultLabel=$outlookdefaultlabel}
```

>Verify the Outlook default label in the policy settings

```PowerShell
(Get-LabelPolicy -Identity "Confidential Default").settings
```

>This setting is optional but recommended, because users typically create far more emails every day than documents. Thus, even for policies that do not set a default label (or set a protected default label), setting an unprotected default label for email is commonly used to improve usability.

3. When you add a sublabel to a label, users can no longer apply the parent label to a document or email. By default, users select the parent label to see the sublabels that they can apply, and then select one of those sublabels. The settings below improve this experience by applying a default sublabel when users click on the Confidential and Highly Confidential parent labels. In this case, we are using this to set the protected "All Employees" sublabels as the default, but you could just as easily set the "Anyone" label if you have not yet rolled out protection.

>Create variables to store the label ID GUIDs

```PowerShell
$ConfidentialSub = (Get-Label -Identity "Confidential All Employees").Guid.Guid
$HConfidentialSub = (Get-Label -Identity "Highly Confidential All Employees").Guid.Guid
```

>Set the default sublabels to the respective "All Employees" labels

```PowerShell
Set-Label -Identity "Confidential" -AdvancedSettings @{defaultsublabelid=$ConfidentialSub}
Set-Label -Identity "Highly Confidential" -AdvancedSettings @{defaultsublabelid=$HConfidentialSub}
```

>Verify the default sublabel in the label settings

```PowerShell
(Get-Label -Identity "Confidential").settings
(Get-Label -Identity "Highly Confidential").settings
```

4. You can use advanced settings to warn users against sending email to untrusted domains, require them to justify that action, or block it entirely. Using the advanced settings below, we will create justification dialogs for the "Anyone" sublabels and block sending "All Employees" messages to untrusted domains.

>Create variables to store the sublabel ID GUIDs

```PowerShell
$ConfidentialSubAny = (Get-Label -Identity "Confidential Anyone").Guid.Guid
$ConfidentialSubAll = (Get-Label -Identity "Confidential All Employees").Guid.Guid
$HConfidentialSubAny = (Get-Label -Identity "Highly Confidential Anyone").Guid.Guid
$HConfidentialSubAll = (Get-Label -Identity "Highly Confidential All Employees").Guid.Guid
```

>Add settings to the Global policy

```PowerShell
Set-LabelPolicy -Identity "Global" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="$ConfidentialSubAll,$HConfidentialSubAll"}

Set-LabelPolicy -Identity "Global" -AdvancedSettings @{OutlookJustifyUntrustedCollaborationLabel="$ConfidentialSubAny,$HConfidentialSubAny"}

Set-LabelPolicy -Identity "Global" -AdvancedSettings @{OutlookBlockTrustedDomains="yourdomain.onmicrosoft.com"}

Set-LabelPolicy -Identity "Global" -AdvancedSettings @{OutlookJustifyTrustedDomains="yourdomain.onmicrosoft.com"}
```

>Add settings to the Confidential Default policy

```PowerShell
Set-LabelPolicy -Identity "Confidential Default" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="$ConfidentialSubAll,$HConfidentialSubAll"}

Set-LabelPolicy -Identity "Confidential Default" -AdvancedSettings @{OutlookJustifyUntrustedCollaborationLabel="$ConfidentialSubAny,$HConfidentialSubAny"}

Set-LabelPolicy -Identity "Confidential Default" -AdvancedSettings @{OutlookBlockTrustedDomains="yourdomain.onmicrosoft.com"}

Set-LabelPolicy -Identity "Confidential Default" -AdvancedSettings @{OutlookJustifyTrustedDomains="yourdomain.onmicrosoft.com"}
```

>These settings prevent users from sending encrypted messages or attachments to recipients who will not be able to open them, and require justification for any Confidential or Highly Confidential emails or attachments sent to untrusted domains using the unencrypted Anyone sublabels.
>
>The justification text is written to an email x-header, so that it can be read by other systems, for example data loss prevention (DLP) services.

5. In the Azure Information Protection client (classic), the Information Protection bar in Office apps was displayed by default. In the AIP unified labeling client, users must select the **Show Bar** option from the Sensitivity button to display this bar.

You can use the advanced setting below to automatically display this bar for users, so that they can select labels from either the bar or the Sensitivity button.

```PowerShell
Set-LabelPolicy -Identity "Global" -AdvancedSettings @{HideBarByDefault="False"}
Set-LabelPolicy -Identity "Confidential Default" -AdvancedSettings @{HideBarByDefault="False"}
```

6. Run the commands below to verify that all settings have been properly added

```PowerShell
(Get-LabelPolicy -Identity "Global").settings
```

```PowerShell
(Get-LabelPolicy -Identity "Confidential Default").settings
```

>The output should look similar to the image below
>
>![](./media/allsettings.png)

7. Run the command below to disconnect the remote PowerShell session when you are done modifying advanced settings.

```PowerShell
Remove-PSSession $Session
```

As mentioned earlier, there are many more advanced settings available at `https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-customizations`, but these are some of the most common ones. Later in this lab, we will test these settings to see how they affect the clients.
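Steps 2 through 6 above apply the advanced settings one key at a time and verify them by eye against a screenshot. The script below is an added example (not the lab's own) that does the same work in one pass per policy: it resolves every label GUID by name first, so a mistyped label name fails before any policy is touched, then reads the settings back and reports any key that did not land. It assumes an open SCC PowerShell session (connected as shown above) and the lab's label and policy names; the `Get-LabelGuidByName` and `Test-PolicyAdvancedSettings` helpers are hypothetical, and the trusted domain is the lab's placeholder.

```powershell
# Added example, not part of the lab. Requires the SCC PowerShell session from the
# steps above (New-PSSession / Import-PSSession) so Get-Label and Set-LabelPolicy exist.
$TrustedDomain = 'yourdomain.onmicrosoft.com'   # placeholder, as in the lab

function Get-LabelGuidByName {
    # Resolve a label's GUID by its display name, failing loudly if the name is wrong
    # (a silent $null here would otherwise be written into the policy as an empty value).
    param([Parameter(Mandatory)][string]$Name)
    $label = Get-Label -Identity $Name -ErrorAction SilentlyContinue
    if (-not $label) { throw "Label '$Name' not found; check 'Get-Label | Format-Table Name, Guid'." }
    return $label.Guid.Guid
}

# Resolve all four sublabels up front.
$ids = @{}
foreach ($name in 'Confidential Anyone', 'Confidential All Employees',
                  'Highly Confidential Anyone', 'Highly Confidential All Employees') {
    $ids[$name] = Get-LabelGuidByName -Name $name
}

# Settings the lab applies to both policies (step 4 and step 5). Assumption: the
# -AdvancedSettings hashtable may carry several keys at once; the lab sets one per call.
$common = @{
    OutlookBlockUntrustedCollaborationLabel   = "$($ids['Confidential All Employees']),$($ids['Highly Confidential All Employees'])"
    OutlookJustifyUntrustedCollaborationLabel = "$($ids['Confidential Anyone']),$($ids['Highly Confidential Anyone'])"
    OutlookBlockTrustedDomains                = $TrustedDomain
    OutlookJustifyTrustedDomains              = $TrustedDomain
    HideBarByDefault                          = 'False'
}

# The scoped policy additionally gets the unprotected Outlook default label (step 2).
$scoped = $common.Clone()
$scoped['OutlookDefaultLabel'] = $ids['Confidential Anyone']

Set-LabelPolicy -Identity 'Global' -AdvancedSettings $common
Set-LabelPolicy -Identity 'Confidential Default' -AdvancedSettings $scoped

# Default sublabels on the parent labels (step 3).
Set-Label -Identity 'Confidential' -AdvancedSettings @{ defaultsublabelid = $ids['Confidential All Employees'] }
Set-Label -Identity 'Highly Confidential' -AdvancedSettings @{ defaultsublabelid = $ids['Highly Confidential All Employees'] }

function Test-PolicyAdvancedSettings {
    # Read the policy back and warn about any expected key that is absent. Assumption:
    # the Settings property is a list of strings containing the (lower-cased) key names,
    # so a case-insensitive -match on the key name is enough to spot a missing entry.
    param([Parameter(Mandatory)][string]$PolicyName, [Parameter(Mandatory)][hashtable]$Expected)
    $applied = ((Get-LabelPolicy -Identity $PolicyName).Settings | ForEach-Object { "$_" }) -join "`n"
    $missing = @($Expected.Keys | Where-Object { $applied -notmatch [regex]::Escape($_) })
    if ($missing.Count -gt 0) {
        Write-Warning "$PolicyName is missing: $($missing -join ', ')"
        return $false
    }
    Write-Host "$PolicyName has all $($Expected.Count) expected advanced settings"
    return $true
}

$null = Test-PolicyAdvancedSettings -PolicyName 'Global' -Expected $common
$null = Test-PolicyAdvancedSettings -PolicyName 'Confidential Default' -Expected $scoped
```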
214 | 215 | --- 216 | 217 | In this section, we have added labels to the Global policy and discussed policy settings that can be used to provide convenience and additional control over your sensitive data. 218 | 219 | In the next section, we will delve into custom sensitive information type creation, and automated protection via label conditions. 220 | 221 | [Next - Phase 3: Protect and Control Access (Hands On) - Automation](7.ProtectHOL2.md) 222 | -------------------------------------------------------------------------------- /AIPLAB/7.ProtectHOL2.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Phase 3: Protect and Control Access (Hands On) - Automation 4 | 5 | In this section we will cover creating new sensitive information types via the Office 365 Security and Compliance Center, creating automatic conditions on labels, and show a simple way to use the AIP scanner to enforce protection on the previously defined repository. These capabilities help to create automation mechanisms to help better protect your sensitive data. 6 | 7 | --- 8 | ## Creating Custom Sensitive Information Types 9 | 10 | 1. Return to the **Sensitivity labels - Microsoft 365 security** tab in Edge 11 | 5. Under **Classification** on the left, click on **Sensitive Info Types** 12 | 13 | >This shows a list of the 100 sensitive info types that microsoft provides out of the box for use in our online services. These can be used to discover sensitive information using any services that use the Data Classification Service (some of these include the AIP unified labeling client, Office 365 DLP, and Microsoft Cloud App Security). 14 | 15 | >![](./media/sensitive_infotypes.png) 16 | 6. Select **Create info type** 17 | 18 | >NOTE: In the Office 365 Security & Compliance Center you can create new sensitive info types. We will step through the process of creating a new sensitive info type below. 
Because this is an introductory lab, we will only be defining a simple new sensitive info type to use in this lab. 19 | 20 | 7. In the **Name** and **Description** boxes, type **Password** and click **Next** 21 | 8. On the **Requirements for matching** page, under **Matching element**, click **+ Add an element** 22 | 9. Next, under **Detect content containing**, click **Any of these** and select the **Keywords** option from the drop-down list 23 | 24 | >Note that there are currently 3 options for content detection, **regular expression**, **keyword list**, and **dictionary**. If you click on any of these elements you can further define the criteria used for the new sensitive type. You also have the ability to set a **Confidence level** and **Character proximity** to fine tune matches for your custom type. 25 | 26 | 1. In the **Keywords** text box, enter **pass@word1** 27 | 28 | >![](./media/suppelement.png) 29 | 30 | 2. Click **Next** and **Finish** 31 | 3. In the Security & Compliance popup, click **No** to decline testing 32 | 33 | 34 | --- 35 | ## Defining Automatic Conditions 36 | 37 | One of the most powerful features of Azure Information Protection is the ability to guide your users in making sound decisions around safeguarding sensitive data. This can be achieved in many ways through user education or reactive events such as blocking emails containing sensitive data. 38 | 39 | However, helping your users to properly classify and protect sensitive data at the time of creation is a more organic user experience that will achieve better results long term. In this task, we will define some basic automatic conditions that will trigger based on certain types of sensitive data. 40 | 41 | 1. Under **Classification** on the left, click **Sensitivity Labels** 42 | 2. Under **Confidential**, click on **All Employees** 43 | 3. Select **Edit Label** 44 | 4. Navigate to **"Auto-labeling for Office apps"** page by selecting the **Next** button 45 | 5. 
On the "Auto-labeling for Office apps" page, toggle **Auto labeling** to **On** 46 | 6. In the Detect content that contains section, click **+ Add a condition** and click **content contains** 47 | 7. In the Content contains section, click the **Add** drop-down and click **Sensitive info types** 48 | 8. In the Sensitive info types panel, type **Credit** in the Search box 49 | 9. Under Sensitive info types, check the box next to **Credit Card Number** and click **Add** 50 | 10. In the Sensitive info types panel, click **Done** 51 | 11. On the "Auto-labeling for Office apps" page, in the **Message displayed to user** text box, type **This file was automatically labeled as Confidential \ All Employees** 52 | 12. Click **Next** 53 | 13. Select **Submit** on the "Review your settings" page 54 | 14. On the "All Employees" page, click **Done** 55 | 15. Next, under **Highly Confidential**, click on **All Employees** 56 | 16. Select **Edit Label** 57 | 17. Navigate to "Auto-labeling for Office apps" page by selecting the **Next** button 58 | 18. On the "Auto-labeling for Office apps" page, toggle **Auto labeling** to **On** 59 | 19. In the Detect content that contains section, click **+ Add a condition** and click **content contains** 60 | 20. In the Content contains section, click the **Add** drop-down and click **Sensitive info types** 61 | 21. In the Sensitive info types panel, type **Password** in the Search box 62 | 22. Under Sensitive info types, check the box next to **Password** and click **Add** 63 | 23. On the "Auto-labeling for Office apps" page, in the **Message displayed to user** text box, type **This file was automatically labeled as Highly Confidential \ All Employees** 64 | 65 | 66 | >![](./media/autolabel.JPG) 67 | 68 | 69 | 24. Click **Next** 70 | 25. Click **Submit** on the "Review your settings" page 71 | 26. 
Click **Done** 72 | 73 | --- 74 | ## Exchange Online Information Protection Capabilities 75 | 76 | Exchange Online can work in conjunction with Azure Information Protection to provide advanced capabilities for protecting sensitive data being sent over email. 77 | 78 | In this task, we will configure a mail flow rule to detect sensitive information traversing the network in the clear and encrypt it using the Encrypt Only RMS Template. 79 | 80 | 1. Switch to AdminPC and in the **Administrative PowerShell** window, type **C:\Scripts\EncryptSensitiveMFR.ps1** and press **Enter**. 81 | 2. Log in using your Global Admin credentials 82 | 83 | >This mail flow rule can be used to encrypt sensitive data leaving via email. This can be customized to add additional sensitive data types. A breakdown of the command is listed below. 84 | > 85 | >New-TransportRule 86 | > 87 | >-Name "Encrypt external mails with sensitive content" 88 | > 89 | >-SentToScope NotInOrganization 90 | > 91 | >-ApplyRightsProtectionTemplate "Encrypt" 92 | > 93 | >-MessageContainsDataClassifications @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="Drug Enforcement Agency (DEA) Number"; minCount="1"},@{Name="International Classification of Diseases (ICD-10-CM)"; minCount="1"},@{Name="International Classification of Diseases (ICD-9-CM)"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"}) 94 | 95 | Although this script only has the defined sensitive information types shown above, you can add additional types either via PowerShell or directly via the Exchange Online Admin Center. 96 | 97 | --- 98 | ## AIP Scanner Enforcement 99 | 100 | This section will cover enabling the AIP scanner to encrypt the contents of the previously configured repository. 101 | 102 | 1. 
In Edge, switch to the **Azure Information Protection** tab 103 | 2. Under Scanner on the left, click **Profiles** 104 | 3. Click on the **East US** profile 105 | 4. Click **Configure repositories** 106 | 5. Next, click on the **\\\AdminPC\\Documents** repository 107 | 6. Under Policy Enforcement, set **Enforce** to **On** 108 | 7. Toggle **Label files based on content** to **Off** 109 | 8. Toggle **Default label** to **Custom** 110 | 9. In the **Default label** drop-down, select **Highly Confidential \\ All Employees** 111 | 112 | ![](./media/repo.png) 113 | 10. Click **Save** 114 | 11. Close the **Repositories** blade and the **East US** profile blade 115 | 116 | >This has kicked off the encryption of all supported files in the configured repository. We will review the results in the next section. 117 | 118 | The AIP scanner is also capable of using content detection and automatic conditions for targeted encryption within repositories. If you are interested in more details around the AIP scanner, please see the full AIP scanner lab in this series. 119 | 120 | --- 121 | In this section we covered creating new sensitive information types via the Office 365 Security and Compliance Center, creating automatic conditions on labels, Exchange Online IRM capabilities, and showed a simple way to use the AIP scanner to enforce protection. 122 | 123 | In the next section we will demonstrate the results of the policy and protection actions taken in all of the previous sections. 124 | 125 | [Next - Phase 3: Protect and Control Access (Hands On) - Testing](8.ProtectHOL3.md) -------------------------------------------------------------------------------- /AIPLAB/8.ProtectHOL3.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Phase 3: Protect and Control Access (Hands On) - Testing 4 | 5 | In this section we will show the results of the settings configured in the previous hands-on sections. 
6 | 7 | 8 | ## Testing User Defined permissions 9 | 10 | One of the most common use cases for AIP is the ability to send emails using User Defined Permissions (Do Not Forward). In this task, we will send an email using the Do Not Forward label to test that functionality. 11 | 12 | 13 | 1. On the desktop, double-click on **VictimPC** and log in using the credentials below 14 | 15 | > **Contoso\JeffL** 16 | > 17 | > **Password$fun** 18 | 19 | 1. Right-click on the desktop and create a **New Text Document** 20 | 2. Right-click on the New Text Document and click **Classify and protect** 21 | 3. In the Microsoft Azure Information Protection prompt, type **MeganB@yourdomain.onmicrosoft.com** 22 | 4. When prompted, type the password and Sign in 23 | 5. Close the Classify and protect dialog 24 | 25 | >NOTE: This process is only necessary to expedite logging into AIP. In a production environment, the client will use SSO tokens to download policy so the multiple logins in this lab will be unnecessary. We will perform these steps for each of the test users in this lab. 26 | 7. Launch **Microsoft Outlook**, and in the username box, type **MeganB@yourdomain.onmicrosoft.com** and click **Connect** 27 | 8. When prompted, type the password and Sign in 28 | 9. Once configuration completes, **uncheck the Box** to **Set up Outlook Mobile** and click **Done**. 29 | 10. In the Sign in to set up Office dialog, click **Sign in** 30 | 11. In the Activate Office dialog, type **MeganB@yourdomain.onmicrosoft.com** and click **Connect**. 31 | 12. When prompted, type the password and Sign in 32 | 13. Click on the **New email** button. 33 | 34 | > Note that the **Sensitivity** is set to **Confidential \ Anyone (not protected)** by default. 35 | 36 | >![defaultlabel](./media/confanyone.png) 37 | 38 | 14. Send an email to **Allan Deyoung** and **Alex Wilber** (```Allan Deyoung;Alex Wilber```). 
Also **add an external email address** (preferably from a major social provider like youremail@gmail, yahoo, or outlook.com) to test the external recipient experience. 39 | 15. For the **Subject** and **Body** type **Test Recipients Only Email** 40 | 41 | 16. Click the drop-down arrow to the right of **Confidential**, select **Recipients Only**, and click **Send** 42 | 43 | >![](./media/RO.png) 44 | 45 | 17. Minimize VictimPC 46 | 18. Double-click on **Client01C** and log in using the credentials below 47 | 48 | > **Contoso\LisaV** 49 | > 50 | > **HighImpactUser1!** 51 | 52 | 19. Open **Outlook** 53 | 20. Run through setup, this time using **AllanD@yourdomain.onmicrosoft.com** 54 | 55 | >Review the email in Allan Deyoung’s Outlook. You will notice that the email is automatically shown in Outlook natively. 56 | 57 | >![](./media/RO2.png) 58 | 59 | --- 60 | ## Testing Office 365 Message Encryption 61 | 62 | Follow the steps below to review the Do Not Forward message in the Office 365 Message Encryption portal. 63 | 64 | 1. Minimize Client01C and log into your external mailbox 65 | 2. Click on the Test Recipients Only Email message 66 | 67 | >![OME1](./media/OME1b.png) 68 | 69 | 1. Click on the **Read the message** button to launch the Office 365 Message Encryption portal 70 | 71 | >This may take a minute the first time you open a protected message 72 | 73 | >![OME2](./media/OME2.png) 74 | 75 | 1. You now have the option to either log in using the social identity provider (**Sign in with Google, Yahoo, Microsoft Account**), or to **sign in with a one-time passcode**. 76 | 1. If you choose the social identity provider login, it should use the token previously cached by the browser and display the message directly. 77 | 78 | 1. If you choose one-time passcode, you will receive an email like the one below with the one-time passcode. 79 | 80 | >![OTP](./media/OTP.png) 81 | 82 | 1. You may then use this code to authenticate to the Office 365 Message Encryption portal. 
83 | 84 | >![8pllxint.jpg](./media/8pllxint.jpg) 85 | 86 | 1. After using either of these authentication methods, you will see a portal experience like the one shown below. 87 | 88 | >![OME3](./media/OME3b.png) 89 | 90 | >NOTE: You may **Sign Out** of the OME portal to test the method you did not use previously. 91 | --- 92 | 93 | ## Testing Global Policy 94 | 95 | In this task, we will create a document and send an email to demonstrate the functionality defined in the Global Policy. 96 | 97 | 1. Restore Client01C from the taskbar 98 | 99 | 3. Send an email to Megan Bowen, Alex Wilber, and yourself (```Megan Bowen;Alex Wilber;Your Email```). 100 | 4. For the **Subject** and **Body** type **Test Contoso Internal Email**. 101 | 102 | 5. In the Sensitivity Toolbar, click on **Confidential** 103 | 104 | >Note that clicking on **Confidential** automatically selects the **All Employees** sublabel due to the **DefaultSubLabelId** advanced setting used with this label. 105 | 6. Click **Send** 106 | 107 | >Note that sending of the email is blocked due to the **OutlookBlockUntrustedCollaborationLabel** advanced setting used on this policy. If we had not used this setting, the external recipient would be unable to open this message. The exact experience varies with the client used (the image below is from the Office 365 Message Encryption portal), but each client shows a similar message after the recipient presents credentials. This is not a good user experience, so we used the advanced client settings to prevent Internal labeled and protected messages from being sent to external users. 108 | 109 | >![OME4](./media/OME4.png) 110 | 1. Click **OK** and remove the external email address 111 | 2. Click **Send** 112 | 3. Minimize **Client01C** and restore **VictimPC** 113 | 114 | >Observe that you are able to open the email natively in the Outlook client. 
115 | 116 | >![Internalemail](./media/internalemail2.png) 117 | 118 | --- 119 | 120 | ## Testing Scoped Policy 121 | 122 | In this task, we will create a document and send an email from one of the users in the Confidential Default scoped policy to demonstrate the functionality defined in the previous sections. 123 | 124 | 1. Open **Microsoft Word** 125 | 2. Create a new **Blank document** and type **This is a test document** and **save the document**. 126 | 127 | >Note that the document was labeled as Confidential \ All Employees by default and is protected after initial save. 128 | 129 | >![](./media/confdefault2.png) 130 | 3. Open **Microsoft Outlook** 131 | 4. Create a new email and send it to Alex Wilber, Allan Deyoung, and yourself (```Alex Wilber;Allan Deyoung;Your Email```). 132 | 5. For the **Subject** and **Body** type **Test Justification Email** 133 | 134 | >Note that the email default label is set to **Confidential \ Anyone (not protected)** because of the **OutlookDefaultLabel** advanced setting we set on this scoped policy. 135 | 6. Click **Send** 136 | 137 | >Note that you receive a **Justification Required** dialog because you added an external email address. 138 | > 139 | >![DNF](./media/justify.png) 140 | 7. In the justification dialog, type **Testing** 141 | 8. Click **Confirm and Send** 142 | 143 | > This setting still requires users of the scoped policy to justify sending Confidential information externally, but it does not block the send the way the **Confidential \ All Employees** label (the default for documents) would. This gives the user an opportunity to reduce the classification level if appropriate, or to remove inappropriate recipients from the email. If you use General or Public as the OutlookDefaultLabel, the user would not be prompted at all when sending email. 144 | 145 | --- 146 | 147 | ## Testing Automatic Classification 148 | 149 | In this task, we will test the automatic conditions we configured earlier. 
Automatic conditions should be used after thorough testing or with items you are certain need to be protected. Although the examples used here are fairly simple, in production these could be based on complex regex statements or only trigger when a specific quantity of sensitive data is present. 150 | 151 | 1. Minimize **VictimPC** and restore **Client01C** 152 | 2. Launch **Microsoft Word**. 153 | 3. In Microsoft Word, create a new **Blank document** and type **My AMEX card number is 344047014854133. The expiration date is 09/28, and the CVV is 4368** and **save** the document. 154 | 155 | > This card number is a fake number that was generated using the Credit Card Generator for Testing at ```https://developer.paypal.com/developer/creditCardGenerator/```. The Microsoft Classification Engine uses the Luhn Algorithm to prevent false positives so when testing, please make sure to use valid numbers. 156 | 157 | >Notice that the document is automatically classified and protected with the **Confidential \ All Employees** label. 158 | 159 | >![auto](./media/autocc.png) 160 | 1. In the same document, type **my password is pass@word1** and **save** the document. 161 | 162 | >Notice that the document is automatically classified and protected with the **Highly Confidential \ All Employees** label. Note that despite the Confidential \ All Employees banner still being present from the initial save, if you click on **View Permission...** it shows as Highly Confidential. After closing and reopening the document, only the Highly Confidential markings will remain. 163 | 164 | >![auto](./media/auto.png) 165 | 166 | --- 167 | ## Demonstrating Exchange Online Mail Flow Rules 168 | 169 | In this task, we will send emails to demonstrate the results of the Exchange Online mail flow rules we configured in the previous task. This will demonstrate some ways to protect your sensitive data and ensure a positive user experience with the product. 170 | 171 | 1. 
Next, send an email to Alex Wilber, Megan Bowen, and yourself (**Alex Wilber;Megan Bowen;youremail**) 172 | 2. For the **Subject**, type **Test SSN Email** 173 | 3. For the **Body**, type **My Social Security Number (SSN) is 623-05-9743. My date of birth is 5/25/90.**, then click **Send** 174 | 175 | 1. Minimize **Client01C** and restore **VictimPC** 176 | 6. Review the received email. 177 | 178 | >![pidqfaa1.jpg](./media/SSN.png) 179 | 180 | > Note that there is no encryption applied to the message. That is because we set up the rule to only apply to external recipients. If you were to leave that condition out of the mail flow rule, internal recipients would also receive an encrypted copy of the message. The image below shows the encrypted message that was received externally. 181 | 182 | >![c5foyeji.jpg](./media/SSN2.png) 183 | 184 | >![599ljwfy.jpg](./media/SSN3.png) 185 | 186 | 187 | --- 188 | ## Demonstrating AIP Scanner Enforcement 189 | 190 | In the previous section, we used the AIP scanner to encrypt a repository. We will now open one of those files to verify that it has been protected. 191 | 192 | 1. Next, navigate to **\\\AdminPC\documents** 193 | 194 | 2. Open one of the **Contoso Purchasing Permissions** documents 195 | 196 | >Note that the document has been classified and encrypted using the **Highly Confidential \ All Employees** label and All Employees are given Co-Author rights based on the settings in the label. 197 | 198 | >![](./media/scannerhc.png) 199 | 200 | --- 201 | In this section, we have shown the results of the settings configured in the previous hands-on sections. These included policy and label settings, Exchange mail flow rules, and AIP scanner enforcement. 202 | 203 | In the next section, we will discuss the various options available for monitoring sensitive information. 
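The credit card and SSN tests in this phase, and the EncryptSensitiveMFR.ps1 rule they exercise, as an added example (not part of the lab and not the Microsoft classification engine or Exchange): a simplified Python model of the Luhn check the engine applies to card numbers, and of the rule's `-SentToScope NotInOrganization` and `minCount` conditions evaluated per recipient. The regex patterns, the tenant domain `yourdomain.onmicrosoft.com` and the sample messages are assumptions or constructed from the text typed in the lab.

```python
"""Simplified model of two things tested in this phase: Luhn validation of
card numbers (why the classification engine ignores made-up numbers) and the
mail flow rule that encrypts only for external recipients.
Added example; not the Microsoft classification engine or Exchange itself."""
import re
from typing import Dict, List, Optional

# Constructed, simplified patterns. The real sensitive info types also use
# keywords and confidence levels; these only model the numeric shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed tenant domain from the lab; any other domain is NotInOrganization.
ORG_DOMAIN = "yourdomain.onmicrosoft.com"

# Subset of the rule's -MessageContainsDataClassifications list: name -> minCount.
RULE_CLASSIFICATIONS = {
    "Credit Card Number": 1,
    "U.S. Social Security Number (SSN)": 1,
}


def luhn_valid(number: str) -> bool:
    """True if the digits pass the Luhn checksum (separators are ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_sensitive_info(text: str) -> Dict[str, int]:
    """Count matches per sensitive info type. Card candidates that fail Luhn
    are dropped; that is the false-positive control the lab note refers to."""
    counts: Dict[str, int] = {}
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]
    if cards:
        counts["Credit Card Number"] = len(cards)
    ssns = SSN_RE.findall(text)
    if ssns:
        counts["U.S. Social Security Number (SSN)"] = len(ssns)
    return counts


def apply_mail_flow_rule(body: str, recipients: List[str]) -> Dict[str, Optional[str]]:
    """Per recipient, the RMS template the rule would apply ("Encrypt") or None.
    Mirrors the rule: some classification must reach its minCount, and only
    recipients outside the organization are affected (internal copies stay clear)."""
    counts = detect_sensitive_info(body)
    triggered = any(counts.get(name, 0) >= min_count
                    for name, min_count in RULE_CLASSIFICATIONS.items())
    result: Dict[str, Optional[str]] = {}
    for rcpt in recipients:
        external = not rcpt.lower().endswith("@" + ORG_DOMAIN)
        result[rcpt] = "Encrypt" if triggered and external else None
    return result


if __name__ == "__main__":
    # Constructed messages matching the ones typed in the lab.
    card_body = ("My AMEX card number is 344047014854133. The expiration date is "
                 "09/28, and the CVV is 4368")
    ssn_body = "My Social Security Number (SSN) is 623-05-9743. My date of birth is 5/25/90."
    print(detect_sensitive_info(card_body))
    print(apply_mail_flow_rule(ssn_body, ["MeganB@yourdomain.onmicrosoft.com",
                                          "youremail@gmail.com"]))
```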
204 | 205 | [Next - Phase 4: Monitor and Remediate](9.monitor.md) -------------------------------------------------------------------------------- /AIPLAB/9.monitor.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Phase 4: Monitor and Remediate 4 | 5 | ![Monitor](./media/Monitor.png) 6 | 7 | The information protection lifecycle would not be complete without the ability to monitor the state of your sensitive data so you can respond to anomalous behavior. In this section, we will learn about the monitoring capabilities provided with AIP Analytics, Microsoft Defender ATP integration, and Microsoft Cloud App Security. We will then discuss alerts and remediation options available based on these detections. 8 | 9 | ## Azure Information Protection Analytics 10 | 11 | AIP Analytics gives organizations insights into labeled and protected items across your organization. These insights consist of information protection audit events from Azure Information Protection clients, scanners, Microsoft Cloud App Security and devices running Microsoft Defender ATP (MDATP) on Windows 10. 12 | 13 | To generate these reports, endpoints send the following types of information to Microsoft: 14 | 15 | * The **label action**. For example, set a label, change a label, add or remove protection, automatic and recommended labels. 16 | 17 | * The **label name** **before** and **after** the label action. 18 | 19 | * Your organization's **tenant ID**. 20 | 21 | * The **user ID** (email address or UPN). 22 | 23 | * The **name** of the user's **device**. 24 | 25 | * For **documents**: The **file path** and **file name** of documents that are labeled. 26 | 27 | * For **emails**: The email **subject** and **email sender** for emails that are labeled. 28 | 29 | * The **sensitive information types** (predefined and custom) that were **detected** in content. 30 | 31 | * The Azure Information Protection **client version**. 
32 | 33 | * The client **operating system** version. 34 | 35 | >NOTE: You can prevent Azure Information Protection clients from sending this data by setting the policy setting **Send audit data to Azure Information Protection log analytics** to **Off** in either the Global or a scoped policy. 36 | 37 | The Usage report dashboard (shown below) provides information on the volume of labeled and protected documents and emails over time, label distribution of files by label type, and the applications used when the label was applied. 38 | 39 | ![](./media/usage.png) 40 | 41 | The data discovery dashboard provides information on the location of sensitive data within your organization, such as the location of documents labeled as confidential and of data containing GDPR, PCI and other highly regulated information. 42 | 43 | ![](./media/datadiscovery.png) 44 | 45 | You can drill into file repositories (scanned by the Azure Information Protection scanner) to inspect where sensitive data resides, as well as what sensitive content they contain (such as financial info, PII or other information based on content inspection). 46 | 47 | When the AIP client is installed on the endpoint, you can also see details about information protection actions being taken by users. This includes details on what files are protected on the endpoint, downgrade or removal of labels, and attempted access to content they do not have rights to view. Additionally, on Windows 10, Microsoft Defender ATP can provide integration between AIP labels and Windows Information Protection (WIP) enforcement actions. These actions can prevent users from accidentally copying sensitive content from documents to unapproved applications like personal email or social media and warn or apply protection upon the transfer of sensitive files to USB devices. 
48 | 49 | If you wish to inspect the raw audit data, export the results to Excel or Power BI, or write your own custom queries, you can do so by clicking on the Log Analytics icon from the dashboard. AIP audit log data can be accessed easily via the **InformationProtectionEvents** function. Azure Sentinel can also be used to aggregate and alert on these events, and Azure Monitor can be used to export these logs to 3rd party SIEM systems. 50 | 51 | ![](./media/ala.png) 52 | 53 | The InformationProtectionEvents log schema provides actionable insights that allow companies to set up alerts and respond to anomalous behavior. The schema contains the elements listed in the table below. 54 | 

| Column Name | Description |
| --- | --- |
| Time | Event time: UTC in format YYYY-MM-DDTHH:MM:SS |
| User | User: Format UPN or DOMAIN\USER |
| ItemPath | Full item path or email subject |
| ItemName | File name or email subject |
| Method | Label assigned method: Manual, Automatic, Recommended, Default, or Mandatory |
| Activity | Audit activity: DowngradeLabel, UpgradeLabel, RemoveLabel, NewLabel, Discover, Access, RemoveCustomProtection, ChangeCustomProtection, or NewCustomProtection |
| LabelName | Label name (not localized) |
| LabelNameBefore | Label name before change (not localized) |
| ProtectionType | Protection type [JSON] "Type": ["Template", "Custom", "DoNotForward"], "TemplateID": "GUID" |
| ProtectionBefore | Protection type before change [JSON] |
| InformationTypesMatches | JSON array of SensitiveInformation found in data, where an empty array means no information types found and null means no information available |
| MachineName | FQDN when available; otherwise host name |
| DeviceRisk | Device risk score from MDATP when available |
| Platform | Device platform (Win, OSX, Android, iOS) |
| ApplicationName | Application friendly name |
| AIPVersion | Version of the Azure Information Protection client that performed the audit action |
| TenantId | Azure AD tenant ID |
| AzureApplicationId | Azure AD registered application ID (GUID) |
| ProcessName | Process that hosts MIP SDK |
| LabelId | Label GUID or null |
| IsProtected | Whether protected: Yes/No |
| ProtectionOwner | Rights Management owner in UPN format |
| LabelIdBefore | Label GUID or null before change |
| InformationTypesAbove55 | JSON array of SensitiveInformation found in data with confidence level 55 or above |
| InformationTypesAbove65 | JSON array of SensitiveInformation found in data with confidence level 65 or above |
| InformationTypesAbove75 | JSON array of SensitiveInformation found in data with confidence level 75 or above |
| InformationTypesAbove85 | JSON array of SensitiveInformation found in data with confidence level 85 or above |
| InformationTypesAbove95 | JSON array of SensitiveInformation found in data with confidence level 95 or above |
| DiscoveredInformationTypes | JSON array of SensitiveInformation found in data and their matched content (if enabled), where an empty array means no information types found and null means no information available |
| ProtectedBefore | Whether the content was protected before change: Yes/No |
| ProtectionOwnerBefore | Rights Management owner before change |
| UserJustification | Justification when downgrading or removing label |
| LastModifiedBy | User in UPN format who last modified the file. Available for Office and SharePoint Online only |
| LastModifiedDate | UTC in format YYYY-MM-DDTHH:MM:SS. Available for Office and SharePoint Online only |
201 | 202 | As you can see, this is a wealth of data points that can be used to set up alerts in Azure Sentinel or Azure Monitor. We will show how to create an alert based on some of these values in the hands on part of this phase. 203 | 204 | --- 205 | ## Microsoft Defender Advanced Threat Protection Integration 206 | 207 | When **Microsoft Defender ATP** is deployed to endpoints with the AIP client, additional information is sent to the AIP Analytics service related to **Device Risk**. This can assist you with identifying at risk systems and the sensitive content they contain and can help you to prioritize remediation efforts. 208 | 209 | In the Activity logs report, you can filter by device risk to immediately identify systems that need remediation. In the details section of the Activity logs and Data discovery reports, you can click directly on the device risk to launch the Windows Security Center for the affected device. 210 | 211 | >![](./media/wdatp.png) 212 | 213 | Additionally, Microsoft Defender ATP uses sensitivity labels to identify sensitive files that need Windows Information Protection (WIP) policy applied on them. For example, a Microsoft Word document with a label of “Highly Confidential” that is on a Windows device can get protected with Windows Information Protection policy to prevent the inappropriate copying, sharing or transfer of that information to “non-work” locations on the device, such as personal email accounts or social media accounts. 214 | 215 | --- 216 | In this section, we have discussed the monitoring capabilities of Azure Information Protection Analytics and discussed some additional capabilities provided for systems that have Microsoft Defender ATP installed. 
217 | 218 | [Next - Phase 4: Monitor and Remediate (Hands On)](10.monitorHOL.md) -------------------------------------------------------------------------------- /AIPLAB/AIPBYOL-Azure.ps1: -------------------------------------------------------------------------------- 1 | #If you have not yet installed AutomatedLab, download the MSI from https://github.com/AutomatedLab/AutomatedLab/releases or run the PowerShell commands below. 2 | 3 | Install-PackageProvider Nuget -Force 4 | Install-Module AutomatedLab -AllowClobber 5 | New-LabSourcesFolder -Drive C 6 | Install-Module Az 7 | 8 | #You will require ISO for Office 2019 placed in your C:\LabSources\ISOs\ folder. If the Office ISOs you use are not the same as the ones listed below, please update the script to match yours. 9 | 10 | $labSources = Get-LabSourcesLocation -Local 11 | 12 | #Download Software 13 | $AzInfoProtectionFileName = 'AzInfoProtection_UL.exe' 14 | $AzInfoProtectionFilePath = Join-Path -Path $labSources\SoftwarePackages -ChildPath $AzInfoProtectionFileName 15 | $AzInfoProtectionUri = 'https://download.microsoft.com/download/4/9/1/491251F7-46BA-46EC-B2B5-099155DD3C27/AzInfoProtection_UL.exe' 16 | if (-not (Test-Path -Path $AzInfoProtectionFilePath)) 17 | { 18 | Get-LabInternetFile -Uri $AzInfoProtectionUri -Path $AzInfoProtectionFilePath 19 | } 20 | $officeDeploymentToolFileName = 'OfficeDeploymentTool.exe' 21 | $officeDeploymentToolFilePath = Join-Path -Path $labSources\SoftwarePackages -ChildPath $officeDeploymentToolFileName 22 | $officeDeploymentToolUri = 'https://download.microsoft.com/download/2/7/A/27AF1BE6-DD20-4CB4-B154-EBAB8A7D4A7E/officedeploymenttool_12827-20268.exe' 23 | if (-not (Test-Path -Path $officeDeploymentToolFilePath)) 24 | { 25 | Get-LabInternetFile -Uri $officeDeploymentToolUri -Path $officeDeploymentToolFilePath 26 | } 27 | $PIIZIPFileName = 'docs.zip' 28 | $PIIZIPFilePath = Join-Path -Path $labSources\SoftwarePackages -ChildPath $PIIZIPFileName 29 | $PIIZIPUri = 
'https://github.com/InfoProtectionTeam/Files/raw/master/Scripts/docs.zip' 30 | if (-not (Test-Path -Path $PIIZIPFilePath)) 31 | { 32 | Get-LabInternetFile -Uri $PIIZIPUri -Path $PIIZIPFilePath 33 | } 34 | 35 | $labName = 'AIPBYOL-KRM' #THIS NAME MUST BE GLOBALLY UNIQUE 36 | 37 | $azureDefaultLocation = 'Central US' #COMMENT OUT -DefaultLocationName BELOW TO USE THE FASTEST LOCATION 38 | 39 | #create an empty lab template and define where the lab XML files and the VMs will be stored 40 | New-LabDefinition -Name $labName -DefaultVirtualizationEngine Azure 41 | 42 | Add-LabAzureSubscription -DefaultLocationName $azureDefaultLocation 43 | 44 | #make the network definition 45 | Add-LabVirtualNetworkDefinition -Name $labname -AddressSpace 192.168.41.0/24 46 | 47 | #add the domain definition with the domain admin account 48 | Add-LabDomainDefinition -Name contoso.azure -AdminUser Install -AdminPassword 'MIP4life!' 49 | 50 | $ServerOS = 'Windows Server 2019 Datacenter (Desktop Experience)' 51 | $ClientOS = 'Windows 10 Enterprise' 52 | #-------------------------------------------------------------------------------------------------------------------- 53 | Set-LabInstallationCredential -Username Install -Password MIP4life! 
54 | Sync-LabAzureLabSources -SkipIsos 55 | Sync-LabAzureLabSources -Filter *en_office_professional_plus_2019_x86_x64_dvd_7ea28c99* 56 | 57 | $postInstallActivity = Get-LabPostInstallationActivity -ScriptFileName PrepareRootDomain.ps1 -DependencyFolder $labSources\PostInstallationActivities\PrepareRootDomain 58 | Add-LabMachineDefinition -Name ContosoDC -Roles RootDC -Memory 2GB -Processors 2 -OperatingSystem $ServerOS -IpAddress 192.168.41.10 -Network $labName -Domain contoso.azure -PostInstallationActivity $postInstallActivity 59 | $postInstallActivity = Get-LabPostInstallationActivity -CustomRole Office2019 -Properties @{ IsoPath = "$labSources\ISOs\en_office_professional_plus_2019_x86_x64_dvd_7ea28c99.iso" } 60 | $role = Get-LabMachineRoleDefinition -Role SQLServer2017 61 | Add-LabMachineDefinition -Name AdminPC -Roles $role -Memory 2GB -Processors 4 -OperatingSystem $ServerOS -IpAddress 192.168.41.50 -Network $labName -PostInstallationActivity $postInstallActivity -Domain contoso.azure 62 | Add-LabMachineDefinition -Name ClientPC -OperatingSystem $ClientOS -IpAddress 192.168.41.51 -Network $labName -PostInstallationActivity $postInstallActivity -Domain contoso.azure 63 | 64 | Install-Lab 65 | 66 | #Install AIP UL Client on AdminPC (Optionally install on ClientPC by uncommenting. 
Left out so native functionality of Office Sensitivity Labeling will display) 67 | Install-LabSoftwarePackage -Path $labSources\SoftwarePackages\AzInfoProtection_UL.exe -CommandLine /S -ComputerName AdminPC 68 | #Install-LabSoftwarePackage -Path $labSources\SoftwarePackages\AzInfoProtection_UL.exe -CommandLine /S -ComputerName ClientPC 69 | 70 | #Copy and extract PII docs on AdminPC 71 | Invoke-LabCommand -ScriptBlock { md C:\PII } -ComputerName AdminPC 72 | Copy-LabFileItem -Path $labSources\SoftwarePackages\docs.zip -ComputerName (Get-LabVm -ComputerName AdminPC) -DestinationFolderPath C:\PII 73 | Invoke-LabCommand -ScriptBlock { Expand-Archive -LiteralPath C:\PII\docs.zip -DestinationPath C:\PII\ } -ComputerName AdminPC 74 | Invoke-LabCommand -ScriptBlock { Expand-Archive -LiteralPath C:\PII\docs.zip -DestinationPath C:\Users\Public\Documents;New-SmbShare -Name Documents -Path C:\Users\Public\Documents -FullAccess Everyone} -ComputerName AdminPC 75 | 76 | #Update Office 365 ProPlus 77 | Invoke-LabCommand -ScriptBlock { Set-Location "C:\Program Files\Common Files\microsoft shared\ClickToRun\"; .\OfficeC2RClient.exe /update user } -ComputerName AdminPC,ClientPC 78 | 79 | Show-LabDeploymentSummary -Detailed 80 | -------------------------------------------------------------------------------- /AIPLAB/AIPBYOL-HyperV.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | #If you have not yet installed AutomatedLab, download the MSI from https://github.com/AutomatedLab/AutomatedLab/releases or run the PowerShell commands below. 3 | 4 | Install-PackageProvider Nuget -Force 5 | Install-Module AutomatedLab -AllowClobber 6 | New-LabSourcesFolder -Drive C 7 | 8 | #You will require ISOs for Windows Server 2019, Windows 10, SQL Server 2017, and Office 2019 placed in your C:\LabSources\ISOs\ folder. If the SQL and Office ISOs you use are not the same as the ones listed below, please update the script to match yours. 
9 | #> 10 | 11 | $LabName = 'AIPBYOL' 12 | $ServerOS = 'Windows Server 2019 Standard (Desktop Experience)' 13 | $ClientOS = 'Windows 10 Enterprise' 14 | 15 | 16 | #Install Lab 17 | New-LabDefinition -Name $LabName -DefaultVirtualizationEngine HyperV 18 | 19 | #Download Software 20 | $AzInfoProtectionFileName = 'AzInfoProtection_UL.exe' 21 | $AzInfoProtectionFilePath = Join-Path -Path $labSources\SoftwarePackages -ChildPath $AzInfoProtectionFileName 22 | $AzInfoProtectionUri = 'https://download.microsoft.com/download/4/9/1/491251F7-46BA-46EC-B2B5-099155DD3C27/AzInfoProtection_UL.exe' 23 | if (-not (Test-Path -Path $AzInfoProtectionFilePath)) 24 | { 25 | Get-LabInternetFile -Uri $AzInfoProtectionUri -Path $AzInfoProtectionFilePath 26 | } 27 | $officeDeploymentToolFileName = 'OfficeDeploymentTool.exe' 28 | $officeDeploymentToolFilePath = Join-Path -Path $labSources\SoftwarePackages -ChildPath $officeDeploymentToolFileName 29 | $officeDeploymentToolUri = 'https://download.microsoft.com/download/2/7/A/27AF1BE6-DD20-4CB4-B154-EBAB8A7D4A7E/officedeploymenttool_12827-20268.exe' 30 | if (-not (Test-Path -Path $officeDeploymentToolFilePath)) 31 | { 32 | Get-LabInternetFile -Uri $officeDeploymentToolUri -Path $officeDeploymentToolFilePath 33 | } 34 | $PIIZIPFileName = 'docs.zip' 35 | $PIIZIPFilePath = Join-Path -Path $labSources\SoftwarePackages -ChildPath $PIIZIPFileName 36 | $PIIZIPUri = 'https://github.com/InfoProtectionTeam/Files/raw/master/Scripts/docs.zip' 37 | if (-not (Test-Path -Path $PIIZIPFilePath)) 38 | { 39 | Get-LabInternetFile -Uri $PIIZIPUri -Path $PIIZIPFilePath 40 | } 41 | Add-LabVirtualNetworkDefinition -Name $LabName -AddressSpace 10.1.0.0/16 42 | Add-LabIsoImageDefinition -Name SQLServer2017 -Path $labSources\ISOs\en_sql_server_2017_developer_x64_dvd_11296168.iso 43 | Add-LabDomainDefinition -Name contoso.azure -AdminUser Install -AdminPassword Somepass1 44 | Set-LabInstallationCredential -Username Install -Password Somepass1 45 | 46 | 
$postInstallActivity = Get-LabPostInstallationActivity -ScriptFileName PrepareRootDomain.ps1 -DependencyFolder $labSources\PostInstallationActivities\PrepareRootDomain 47 | Add-LabMachineDefinition -Name ContosoDC -Roles RootDC -Memory 1GB -Processors 4 -OperatingSystem $ServerOS -Domain contoso.azure -PostInstallationActivity $postInstallActivity 48 | $postInstallActivity = Get-LabPostInstallationActivity -CustomRole Office2019 -Properties @{ IsoPath = "$labSources\ISOs\en_office_professional_plus_2019_x86_x64_dvd_7ea28c99.iso" } 49 | $role = Get-LabMachineRoleDefinition -Role SQLServer2017 -Properties @{Features = 'SQL,Tools'} 50 | Add-LabMachineDefinition -Name AdminPC -Roles $role -Memory 2GB -Processors 4 -OperatingSystem $ServerOS -PostInstallationActivity $postInstallActivity -Domain contoso.azure 51 | Add-LabMachineDefinition -Name ClientPC -Memory 2GB -Processors 4 -OperatingSystem $ClientOS -PostInstallationActivity $postInstallActivity -Domain contoso.azure 52 | 53 | Install-Lab 54 | 55 | #Install AIP UL Client on AdminPC (Optionally install on ClientPC by uncommenting. Left out so native functionality of Office Sensitivity Labeling will display) 56 | Install-LabSoftwarePackage -Path $labSources\SoftwarePackages\AzInfoProtection_UL.exe -CommandLine /S -ComputerName AdminPC 57 | #Install-LabSoftwarePackage -Path $labSources\SoftwarePackages\AzInfoProtection_UL.exe -CommandLine /S -ComputerName ClientPC 58 | 59 | #Add Internet Adapter for AdminPC and ClientPC (the two VMs defined above). Modify SwitchName as needed. 
60 | Add-VMNetworkAdapter -VMName AdminPC -SwitchName 'Default Switch' 61 | Add-VMNetworkAdapter -VMName ClientPC -SwitchName 'Default Switch' 62 | 63 | #Copy and extract PII docs on AdminPC 64 | Copy-LabFileItem -Path C:\LabSources\SoftwarePackages\docs.zip -ComputerName (Get-LabVm -ComputerName AdminPC) -DestinationFolderPath C:\PII 65 | Invoke-LabCommand -ScriptBlock { Expand-Archive -LiteralPath C:\PII\docs.zip -DestinationPath C:\PII\ } -ComputerName AdminPC 66 | Invoke-LabCommand -ScriptBlock { Expand-Archive -LiteralPath C:\PII\docs.zip -DestinationPath C:\Users\Public\Documents;New-SmbShare -Name Documents -Path C:\Users\Public\Documents -FullAccess Everyone} -ComputerName AdminPC 67 | 68 | #Update Office 365 ProPlus 69 | Invoke-LabCommand -ScriptBlock { Set-Location "C:\Program Files\Common Files\microsoft shared\ClickToRun\"; .\OfficeC2RClient.exe /update user } -ComputerName AdminPC 70 | Invoke-LabCommand -ScriptBlock { Set-Location "C:\Program Files\Common Files\microsoft shared\ClickToRun\"; .\OfficeC2RClient.exe /update user } -ComputerName ClientPC 71 | 72 | Show-LabDeploymentSummary 73 | -------------------------------------------------------------------------------- /AIPLAB/Intro.md: -------------------------------------------------------------------------------- 1 | # Deploying Microsoft Information Protection Technologies to Protect Sensitive Data 2 | 3 | Azure Information Protection (AIP) is a cloud-based solution that can help organizations to protect sensitive information by classifying and (optionally) encrypting documents and emails on Windows, Mac, and Mobile devices. This is done using an organization defined classification taxonomy made up of labels and sub-labels. These labels may be applied manually by users, or automatically by administrators via defined rules and conditions. 4 | 5 | The phases of Information Protection lifecycle are shown in the graphic below. 
![Phases.png](./media/Phases.png)

This lab will discuss an end-to-end Enterprise deployment scenario. We will discuss the **Discover**, **Classify and label**, **Protect and control access**, and **Monitor** phases of the Information Protection lifecycle.

This lab is meant to be an interactive supplement to the AIP Deployment Acceleration Guide, which can be downloaded at https://aka.ms/AIPDAG. Although we will not get into low-level details around deployment of clients, network firewalls, and end user training, this lab is meant to provide hands-on experience with deploying AIP quickly with minimal impact on business productivity.

Objectives:

- Learn about Microsoft Information Protection
- Learn how to detect sensitive data across a variety of locations
- Learn how to deploy the AIP unified labeling client and AIP scanner for Discovery
- Learn how to develop a classification taxonomy that is simple to use and will accelerate deployment scenarios
- Learn how to generate and deploy labels to clients
- Learn how to configure advanced policy configurations using Security and Compliance Center (SCC) PowerShell
- Learn how to configure Exchange Online mail flow rules to control access to sensitive data
- Learn about the monitoring, alerting and remediation capabilities available via AIP Analytics, Microsoft Sentinel, and Microsoft Defender Advanced Threat Protection

Expected Knowledge:

- A basic understanding of AIP fundamentals including labels, policies, and scoped policy configuration
- A basic understanding of Exchange Online administration
- A basic understanding of PowerShell

Lab Environment:

These instructions are built for a lab environment containing 4 virtual machines. The properties of these are listed below.

Servername | Software Installed
-|-
ContosoDC | Domain Controller for Contoso.Azure
AdminPC | SQL Server Developer Edition, Office 365 ProPlus, AIP Unified Labeling Client
Client01 | Office 365 ProPlus, AIP Unified Labeling Client
VictimPC | Office 365 ProPlus, AIP Unified Labeling Client

The user accounts used are listed below.

Username|Password|Properties
-|-|-
Contoso\AIPScanner|Somepass1|Local Admin rights on AdminPC, SQL Admin permissions on SQL instance, used for deploying AIP Scanner
Contoso\LisaV|HighImpactUser1!|Used to log into Client01
Contoso\JeffL|Password$fun|Used to log into VictimPC

The personas used in the lab are Megan Bowen, Allan DeYoung, and Alex Wilbur. These and the users above are arbitrary and may be replaced as you see fit with Azure AD synchronized users to facilitate SSO if you prefer.

The scripts and sample docs used in this lab can be found as zip files at https://aka.ms/MIPFiles in the Scripts directory. The scripts are extracted to C:\Scripts on AdminPC. The AIP Scanner scripts assume the SQL server name is AdminPC, so modify them as necessary if you do not use this name. The docs are extracted to C:\PII and also staged in a shared folder called Documents on AdminPC.

The AIP Unified Labeling client can be downloaded from https://aka.ms/AIPClient

Throughout the lab you will see references to **yourdomain.onmicrosoft.com**. This is a placeholder for your test tenant. Please replace these references with your own domain.

[Next - The Microsoft Information Protection Story](0.MIP.md)
--------------------------------------------------------------------------------
/AIPLAB/conclusion.md:
--------------------------------------------------------------------------------
# Deploying Microsoft Information Protection Technologies to Protect Sensitive Data Lab Complete

Thank you for completing this lab!
Throughout this lab we discussed an end-to-end Enterprise deployment scenario covering each of the phases of the Information Protection lifecycle.

In this lab, we:

- Learned about Microsoft Information Protection
- Learned how to detect sensitive data across a variety of locations
- Learned how to deploy the AIP client and AIP scanner for Discovery
- Learned how to develop a classification taxonomy that is simple to use and can accelerate deployment scenarios
- Learned how to generate and deploy labels to clients
- Learned how to configure advanced policy configurations in AIP policies
- Learned how to configure Exchange Online mail flow rules to control access to sensitive data
- Learned about the monitoring, alerting and remediation capabilities available via AIP Analytics, Microsoft Defender Advanced Threat Protection, and Azure Sentinel

This lab was designed to be an interactive supplement to the **AIP Deployment Acceleration Guide**, which can be downloaded at **https://aka.ms/AIPDAG**.

The AIP Deployment Acceleration Guide contains much of the same content, but goes into additional detail in each of the phases and links to resources that we did not include in this format due to time constraints.

If you have feedback about the AIP Deployment Acceleration Guide or the content of this lab experience, please fill out the form at **https://aka.ms/AIPDAGFeedback**

## Lab Complete

>![](./media/ninjacat.png)
--------------------------------------------------------------------------------
/AIPLAB/media/1547437013585.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/1547437013585.png
--------------------------------------------------------------------------------
/AIPLAB/media/599ljwfy.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/599ljwfy.jpg
--------------------------------------------------------------------------------
/AIPLAB/media/8pllxint.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/8pllxint.jpg
--------------------------------------------------------------------------------
/AIPLAB/media/AllEmployees.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/AllEmployees.png
--------------------------------------------------------------------------------
/AIPLAB/media/AzureRMSApppermissions.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/AzureRMSApppermissions.JPG
--------------------------------------------------------------------------------
/AIPLAB/media/AzureRMSpermissions.JPG:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/AzureRMSpermissions.JPG -------------------------------------------------------------------------------- /AIPLAB/media/CandP.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/CandP.png -------------------------------------------------------------------------------- /AIPLAB/media/CandP2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/CandP2.png -------------------------------------------------------------------------------- /AIPLAB/media/Complete.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/Complete.png -------------------------------------------------------------------------------- /AIPLAB/media/DNF.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/DNF.png -------------------------------------------------------------------------------- /AIPLAB/media/DNF2b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/DNF2b.png -------------------------------------------------------------------------------- /AIPLAB/media/DiscoverHeader.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/DiscoverHeader.png
--------------------------------------------------------------------------------
/AIPLAB/media/EndpointDiscoveryOffice.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/EndpointDiscoveryOffice.png
--------------------------------------------------------------------------------
/AIPLAB/media/Generate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/Generate.png
--------------------------------------------------------------------------------
/AIPLAB/media/Global.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/Global.png
--------------------------------------------------------------------------------
/AIPLAB/media/Install-AIPScannerUL.ps1:
--------------------------------------------------------------------------------
# Scanner service account (lab-only: the password is hard-coded here and converted to a SecureString to build the credential object)
$daU = "contoso\AIPScanner"
$daP = "Somepass1" | ConvertTo-SecureString -AsPlainText -Force
$dacred = New-Object System.Management.Automation.PSCredential -ArgumentList $daU, $daP

"Installing Azure AD Module"
Install-Module -Name "AzureAD" -Force -AllowClobber -Confirm
"Importing Azure AD Module"
Import-Module -Name "AzureAD" -Force

$gacred = Get-Credential -Message "Enter Azure Global Admin Credentials"

"Connecting to Azure AD"
Connect-AzureAD -Credential $gacred

# SQL Server instance that will host the scanner database (the lab assumes AdminPC)
$SQL = "AdminPC"

$ScProfile = "East US"

"Installing AIP Scanner Service"
Install-AIPScanner -ServiceUserCredentials $dacred -SqlServerInstance $SQL -Profile $ScProfile

# Store date and create unique Display Name for AAD application (you may comment out these lines and set $DisplayName to a unique value if desired)
$Date = Get-Date -UFormat %m%d%H%M
$DisplayName = "AIPOBOv2-" + $Date

# Creating Azure AD Application. This will create the application and assign permissions for Microsoft Rights Management Services, Microsoft Information Protection Sync Service, and Microsoft Graph.

# Application permissions ("Role") on the Microsoft Rights Management Services API
$SvcPrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -match "Microsoft Rights Management Services" }
$ReqAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$ReqAccess.ResourceAppId = $SvcPrincipal.AppId
$Role1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "d13f921c-7f21-4c08-bade-db9d048bd0da", "Role"
$Role2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0", "Role"
$Role3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "006e763d-a822-41fc-8df5-8d3d7fe20022", "Role"
$ReqAccess.ResourceAccess = $Role1, $Role2, $Role3

# Application permission ("Role") on the Microsoft Information Protection Sync Service
$SvcPrincipalUL = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -match "Microsoft Information Protection Sync Service" }
$ReqAccessUL = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$ReqAccessUL.ResourceAppId = $SvcPrincipalUL.AppId
$Role4 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "8b2071cd-015a-4025-8052-1c0dba2d3f64", "Role"
$ReqAccessUL.ResourceAccess = $Role4

# Delegated permission ("Scope") on Microsoft Graph
$SvcPrincipalGr = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -match "Microsoft Graph" }
$ReqAccessGr = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$ReqAccessGr.ResourceAppId = $SvcPrincipalGr.AppId

$Scope1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$ReqAccessGr.ResourceAccess = $Scope1
New-AzureADApplication -DisplayName $DisplayName -ReplyURLs http://localhost -RequiredResourceAccess @($ReqAccess, $ReqAccessUL, $ReqAccessGr)
$WebApp = Get-AzureADApplication -Filter "DisplayName eq '$DisplayName'"

New-AzureADServicePrincipal -AppId $WebApp.AppId
# A freshly generated GUID is used as the application secret; the credential is valid for one year from now
$WebAppKey = New-Guid
$Date = Get-Date

New-AzureADApplicationPasswordCredential -ObjectId $WebApp.ObjectId -StartDate $Date -EndDate $Date.AddYears(1) -Value $WebAppKey.Guid -CustomKeyIdentifier "Password"
$TenantID = (Get-AzureADCurrentSessionInfo).TenantId

# Generate Authentication Token scripts

# Grant-AdminConsentUL.ps1 opens the app registration's API permissions blade so a tenant admin can grant consent
'"A browser will launch to the created web application to provide Admin consent for the required API permissions. Please log in with tenant admin credentials to provide permissions for this application.
If you are unable to provide this consent, please provide the URL below to your tenant administrator."' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1

'$weburl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/'+$WebApp.AppId+'/isMSAApp/"' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
"" | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append

'$weburl' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
'"Press Enter below to launch the browser"' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
"" | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append

'Pause' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append

'Start-Process $weburl' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append

# Set-AIPAuthenticationUL.ps1 is run on the scanner host; note that the generated file embeds the AppID, the app secret and the tenant ID in clear text on the Desktop of the account running this script
'$ServiceAccount = Get-Credential -Message "Enter the on-premises service account credentials"' | Out-File ~\Desktop\Set-AIPAuthenticationUL.ps1

"Set-AIPAuthentication -AppID " + $WebApp.AppId + " -AppSecret " + $WebAppKey.Guid + " -TenantID " + $TenantID.Guid + ' -OnBehalfOf $ServiceAccount' | Out-File ~\Desktop\Set-AIPAuthenticationUL.ps1 -Append

"Restart-Service AIPScanner" | Out-File ~\Desktop\Set-AIPAuthenticationUL.ps1 -Append
--------------------------------------------------------------------------------
/AIPLAB/media/MIP.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/MIP.png
--------------------------------------------------------------------------------
/AIPLAB/media/MIPCapabilities.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/MIPCapabilities.png
--------------------------------------------------------------------------------
/AIPLAB/media/MIPall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/MIPall.png -------------------------------------------------------------------------------- /AIPLAB/media/MIPsimplify.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/MIPsimplify.png -------------------------------------------------------------------------------- /AIPLAB/media/Monitor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/Monitor.png -------------------------------------------------------------------------------- /AIPLAB/media/OME.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OME.png -------------------------------------------------------------------------------- /AIPLAB/media/OME1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OME1.png -------------------------------------------------------------------------------- /AIPLAB/media/OME1b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OME1b.png -------------------------------------------------------------------------------- /AIPLAB/media/OME2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OME2.png -------------------------------------------------------------------------------- /AIPLAB/media/OME3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OME3.png -------------------------------------------------------------------------------- /AIPLAB/media/OME3b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OME3b.png -------------------------------------------------------------------------------- /AIPLAB/media/OME4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OME4.png -------------------------------------------------------------------------------- /AIPLAB/media/OTP.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/OTP.png -------------------------------------------------------------------------------- /AIPLAB/media/Phases.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/Phases.png -------------------------------------------------------------------------------- /AIPLAB/media/Publish.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/Publish.png 
-------------------------------------------------------------------------------- /AIPLAB/media/RO.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/RO.png -------------------------------------------------------------------------------- /AIPLAB/media/RO2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/RO2.png -------------------------------------------------------------------------------- /AIPLAB/media/SSN.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/SSN.png -------------------------------------------------------------------------------- /AIPLAB/media/SSN2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/SSN2.png -------------------------------------------------------------------------------- /AIPLAB/media/SSN3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/SSN3.png -------------------------------------------------------------------------------- /AIPLAB/media/SentinelDashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/SentinelDashboard.png -------------------------------------------------------------------------------- /AIPLAB/media/SyncService.JPG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/SyncService.JPG -------------------------------------------------------------------------------- /AIPLAB/media/UI01_UL2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/UI01_UL2.png -------------------------------------------------------------------------------- /AIPLAB/media/activitylogs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/activitylogs.png -------------------------------------------------------------------------------- /AIPLAB/media/addallemployees.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/addallemployees.png -------------------------------------------------------------------------------- /AIPLAB/media/advsettings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/advsettings.png -------------------------------------------------------------------------------- /AIPLAB/media/aipanalytics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/aipanalytics.png -------------------------------------------------------------------------------- /AIPLAB/media/ala.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/ala.png -------------------------------------------------------------------------------- /AIPLAB/media/allemployees_policysettings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/allemployees_policysettings.png -------------------------------------------------------------------------------- /AIPLAB/media/alllabels.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/alllabels.png -------------------------------------------------------------------------------- /AIPLAB/media/alllabels2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/alllabels2.png -------------------------------------------------------------------------------- /AIPLAB/media/allsettings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/allsettings.png -------------------------------------------------------------------------------- /AIPLAB/media/auto.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/auto.png -------------------------------------------------------------------------------- /AIPLAB/media/autocc.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/autocc.png -------------------------------------------------------------------------------- /AIPLAB/media/autolabel.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/autolabel.JPG -------------------------------------------------------------------------------- /AIPLAB/media/autolabel2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/autolabel2.png -------------------------------------------------------------------------------- /AIPLAB/media/autolabel_2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/autolabel_2.PNG -------------------------------------------------------------------------------- /AIPLAB/media/autolabel_3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/autolabel_3.PNG -------------------------------------------------------------------------------- /AIPLAB/media/blocked.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/AIPLAB/media/blocked.png -------------------------------------------------------------------------------- /AIPLAB/media/c5foyeji.jpg: -------------------------------------------------------------------------------- 
Binary assets (the AIPLAB/media images and the Contoso_Samples documents listed in the tree above) are served from https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/ under their repository paths and are not reproduced here.
--------------------------------------------------------------------------------
/AIPLAB/test.md:
--------------------------------------------------------------------------------
testing
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Files
This repository is for public files shared by the Microsoft Information Protection Team
--------------------------------------------------------------------------------
/Scripts/AIPScanner/Install-AIPScanner.ps1:
--------------------------------------------------------------------------------
```powershell
"This script will help you to install a basic instance of AIP scanner version 1.48 or higher in conjunction with the instructions at https://aka.ms/ScannerBlog"
""
"This script will do the following items in order"
""
" - Request the local AIP scanner service account credentials"
" - Request the name of your SQL server instance (use ServerName\SQLExpress for SQL Express instances)"
" - Request the name of your configured AIP scanner profile. These can be configured in the Profiles section of the Azure AIP console (https://aka.ms/AIPConsole)"
" - Install the AIP scanner service with the provided profile"

Pause

# InputBox lives in the VisualBasic interop assembly (Windows PowerShell on the scanner server)
Add-Type -AssemblyName Microsoft.VisualBasic

# Local (on-premises) account the scanner service will run as; it needs the "Log on as a service" right
$scred = Get-Credential -Message "Enter Local AIP Scanner Service Account Credentials"

$SQL = [Microsoft.VisualBasic.Interaction]::InputBox('Enter the name of your SQL Server Instance', 'SQL Server Instance', "SQL01 or SQL01\SQLExpress")

$ScProfile = [Microsoft.VisualBasic.Interaction]::InputBox('Enter the name of your configured AIP Scanner Profile', 'AIP Scanner Profile', "East US")

# InputBox returns an empty string when the dialog is cancelled; do not install with blank values
if ([string]::IsNullOrWhiteSpace($SQL) -or [string]::IsNullOrWhiteSpace($ScProfile)) {
    throw "SQL Server instance and scanner profile are both required."
}

"Installing AIP Scanner Service"
# Install-AIPScanner ships with the AIP client; run this from an elevated prompt on the scanner server
Install-AIPScanner -ServiceUserCredentials $scred -SqlServerInstance $SQL -Profile $ScProfile

Pause
```
--------------------------------------------------------------------------------
/Scripts/AIPScanner/New-AIPAuthToken.ps1:
--------------------------------------------------------------------------------
```powershell
"This script will help you to create the necessary Azure AD applications to install a basic instance of AIP scanner"
"This requires AIP client version 1.48 or higher and should be used in conjunction with the instructions at https://aka.ms/ScannerBlog"
""
"This script will do the following items in order"
""
" - Import or install then import the Azure AD PowerShell module"
" - Log in using Azure Global Admin credentials"
" - Create 1 web application and associated key"
" - Create 1 native application"
" - Generate an authentication token script"

Pause

if (Get-InstalledModule -Name "AzureAD" -ErrorAction SilentlyContinue) {
    "Importing Azure AD Module"
    Import-Module -Name "AzureAD"
} else {
    "Installing Azure AD Module"
    Install-Module -Name "AzureAD"
    "Importing Azure AD Module"
    Import-Module -Name "AzureAD"
}

# Credential-based sign-in cannot satisfy MFA; for an MFA-protected admin account run Connect-AzureAD without -Credential
$gacred = Get-Credential -Message "Enter Azure Global Admin Credentials"

"Connecting to Azure AD"
Connect-AzureAD -Credential $gacred

# Timestamp suffix keeps the display names unique across repeated runs
$Date = Get-Date -UFormat %m%d%H%M
$DisplayName = "AIPOBO-" + $Date
$CKI = "AIPClient-" + $Date

"Creating Azure AD Applications. This may take 1-2 minutes."
"Creating Web Application $DisplayName and Secret key with one year expiration "
New-AzureADApplication -DisplayName $DisplayName -ReplyUrls http://localhost
$WebApp = Get-AzureADApplication -Filter "DisplayName eq '$DisplayName'"
New-AzureADServicePrincipal -AppId $WebApp.AppId
# The GUID becomes the app secret; it expires after one year and must be rotated before then or the scanner stops authenticating
$WebAppKey = New-Guid
$Date = Get-Date
New-AzureADApplicationPasswordCredential -ObjectId $WebApp.ObjectID -StartDate $Date -EndDate $Date.AddYears(1) -Value $WebAppKey.Guid -CustomKeyIdentifier $CKI

"Creating RequiredResourceAccess token for use with permissions assignment"
# The native app gets the web app's own default delegated scope (user_impersonation)
$AIPServicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq $DisplayName }
$AIPPermissions = $AIPServicePrincipal | Select-Object -ExpandProperty Oauth2Permissions
$Scope = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $AIPPermissions.Id, "Scope"
$Access = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Access.ResourceAppId = $WebApp.AppId
$Access.ResourceAccess = $Scope

"Creating Native Application $CKI"
New-AzureADApplication -DisplayName $CKI -ReplyUrls http://localhost -RequiredResourceAccess $Access -PublicClient $true
$NativeApp = Get-AzureADApplication -Filter "DisplayName eq '$CKI'"
New-AzureADServicePrincipal -AppId $NativeApp.AppId

"Generating Authentication Token script for AIP Scanner Service"
Start-Sleep -Seconds 5
# NOTE: this file contains the web app secret in clear text; delete it once Set-AIPAuthentication has been run
"Set-AIPAuthentication -WebAppID " + $WebApp.AppId + " -WebAppKey " + $WebAppKey.Guid + " -NativeAppID " + $NativeApp.AppId | Out-File ~\Desktop\Set-AIPAuthentication.txt
""
"Authentication Token script stored on the desktop as Set-AIPAuthentication.txt"
""
"Follow the instructions at https://aka.ms/ScannerBlog to install the service"
""
"Run the commands below to complete your AIP scanner installation"
""
"In the context of the AIP service account, run the Set-AIPAuthentication command stored in the text file"
"When prompted, sign in using the cloud or synced AIP scanner service account"
""
"In an Admin PowerShell prompt, run the command below"
"Restart-Service AIPScanner"
"Start-AIPScan"
Pause
```
--------------------------------------------------------------------------------
/Scripts/AIPScanner/New-AIPAuthTokenUL.ps1:
--------------------------------------------------------------------------------
```powershell
if (Get-InstalledModule -Name "AzureAD" -ErrorAction SilentlyContinue) {
    "Importing Azure AD Module"
    Import-Module -Name "AzureAD"
} else {
    "Installing Azure AD Module"
    Install-Module -Name "AzureAD"
    "Importing Azure AD Module"
    Import-Module -Name "AzureAD"
}

# Capture Global Admin credential (an MFA-protected admin account must use an interactive Connect-AzureAD instead)
$gacred = Get-Credential -Message "Enter Azure Global Admin Credentials"

# Connect to Azure AD
"Connecting to Azure AD"
Connect-AzureAD -Credential $gacred

# Store date and create unique Display Name for AAD application (you may comment out these lines and set $DisplayName to a unique value if desired)
$Date = Get-Date -UFormat %m%d%H%M
$DisplayName = "AIPOBOv2-" + $Date

# Creating Azure AD Application. This will create the application and assign permissions for Microsoft Rights Management Services, Microsoft Information Protection Sync Service, and Microsoft Graph.
"Creating Azure AD Applications. This may take 1-2 minutes."
"Creating Web Application $DisplayName and Secret key with one year expiration "

# Application permissions ("Role") on the Azure Rights Management Services API
$SvcPrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -match "Microsoft Rights Management Services" }
$ReqAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$ReqAccess.ResourceAppId = $SvcPrincipal.AppId

$Role1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "d13f921c-7f21-4c08-bade-db9d048bd0da", "Role"
$Role2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0", "Role"
$Role3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "006e763d-a822-41fc-8df5-8d3d7fe20022", "Role"
$ReqAccess.ResourceAccess = $Role1, $Role2, $Role3

# Application permission on the Microsoft Information Protection Sync Service (label and policy download for unified labeling)
$SvcPrincipalUL = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -match "Microsoft Information Protection Sync Service" }
$ReqAccessUL = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$ReqAccessUL.ResourceAppId = $SvcPrincipalUL.AppId

$Role4 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "8b2071cd-015a-4025-8052-1c0dba2d3f64", "Role"
$ReqAccessUL.ResourceAccess = $Role4

# Delegated User.Read on Microsoft Graph. Graph is looked up by its well-known application ID rather than
# by display name: several service principals have "Microsoft Graph" in their names, so matching on the
# name and taking element [1] of whatever comes back picks an arbitrary one.
$SvcPrincipalGr = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$ReqAccessGr = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$ReqAccessGr.ResourceAppId = $SvcPrincipalGr.AppId

$Scope1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$ReqAccessGr.ResourceAccess = $Scope1

New-AzureADApplication -DisplayName $DisplayName -ReplyUrls http://localhost -RequiredResourceAccess @($ReqAccess, $ReqAccessUL, $ReqAccessGr)
$WebApp = Get-AzureADApplication -Filter "DisplayName eq '$DisplayName'"
New-AzureADServicePrincipal -AppId $WebApp.AppId

# The GUID becomes the app secret; it expires after one year and must be rotated before then or the scanner stops authenticating
$WebAppKey = New-Guid
$Date = Get-Date

New-AzureADApplicationPasswordCredential -ObjectId $WebApp.ObjectID -StartDate $Date -EndDate $Date.AddYears(1) -Value $WebAppKey.Guid -CustomKeyIdentifier "Password"
$TenantID = (Get-AzureADCurrentSessionInfo).TenantId

# Generate Authentication Token scripts
"Generating Authentication Token scripts for AIP Scanner Service"
Start-Sleep -Seconds 5

# Grant-AdminConsentUL.ps1 opens the app's API permissions blade so a tenant admin can grant consent for the permissions requested above
'"A browser will launch to the created web application to provide Admin consent for the required API permissions. Please log in with tenant admin credentials to provide permissions for this application. If you are unable to provide this consent, please provide the URL below to your tenant administrator."' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1
'$weburl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/'+$WebApp.AppId+'/isMSAApp/"' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
"" | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
'$weburl' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
'"Press Enter below to launch the browser"' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
"" | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
'Pause' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append
'Start-Process $weburl' | Out-File ~\Desktop\Grant-AdminConsentUL.ps1 -Append

# Set-AIPAuthenticationUL.ps1 contains the app secret in clear text: move it to the scanner servers over a trusted channel and delete every copy after use
'$ServiceAccount = Get-Credential -Message "Enter the on-premises service account credentials"' | Out-File ~\Desktop\Set-AIPAuthenticationUL.ps1
"Set-AIPAuthentication -AppID " + $WebApp.AppId + " -AppSecret " + $WebAppKey.Guid + " -TenantID " + $TenantID.Guid + ' -OnBehalfOf $ServiceAccount' | Out-File ~\Desktop\Set-AIPAuthenticationUL.ps1 -Append
"Restart-Service AIPScanner" | Out-File ~\Desktop\Set-AIPAuthenticationUL.ps1 -Append
"Start-AIPScan" | Out-File ~\Desktop\Set-AIPAuthenticationUL.ps1 -Append
""
"Authentication Token scripts stored on the desktop as Grant-AdminConsentUL.ps1 and Set-AIPAuthenticationUL.ps1"
""
"Follow the instructions at https://aka.ms/ScannerBlog to install the service"
""
"Run the Grant-AdminConsentUL.ps1 from any computer with internet access (one time) to authorize all AIP scanner servers"
""
"Run the commands in the Set-AIPAuthenticationUL.ps1 script from an admin command prompt on each of the AIP scanner servers to complete your AIP scanner installation"
""
Pause
```
--------------------------------------------------------------------------------
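Both New-AIPAuthToken scripts above mint the scanner's app secret as a GUID with a one-year expiry and then write it, in clear text, to a .txt or .ps1 file on the admin's desktop. The example below is added here and is not part of the InfoProtectionTeam repository; it shows the rest of that secret's lifecycle: an audit of which AIPOBO* app registrations have secrets that are about to lapse, a rotation that issues a random 32-byte secret instead of a GUID, and a DPAPI-protected store on the scanner server so that Set-AIPAuthentication never needs a plaintext file. It uses the same AzureAD module as the scripts above (which Microsoft has since retired; Get-MgApplication, Add-MgApplicationPassword and Remove-MgApplicationPassword are the Microsoft Graph PowerShell equivalents). The "AIPOBO" display-name prefix, the $SecretPath location and the function names are assumptions of this example.

```powershell
# Added example (not from the InfoProtectionTeam repo). Secret lifecycle for the AIP scanner
# app registration created by New-AIPAuthToken*.ps1. Assumptions: display names start with
# "AIPOBO" (as generated above); $SecretPath is a location of our choosing on the scanner server.
# Export-Clixml protects a PSCredential with DPAPI on Windows only, bound to the user and machine
# that wrote it, so Protect-AIPScannerSecret and Connect-AIPScanner must both run as the
# scanner service account on the scanner server.

$SecretPath = Join-Path $env:ProgramData 'AIPScanner\aip-app-secret.xml'

# Admin side: list every password credential on the scanner apps and how long it has left
function Get-AIPScannerAppSecretStatus {
    param([string]$DisplayNamePrefix = 'AIPOBO', [int]$WarnDays = 30)
    Get-AzureADApplication -Filter "startswith(DisplayName,'$DisplayNamePrefix')" | ForEach-Object {
        $app = $_
        Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object {
            $daysLeft = [int]($_.EndDate - (Get-Date)).TotalDays
            [pscustomobject]@{
                App      = $app.DisplayName
                ObjectId = $app.ObjectId
                AppId    = $app.AppId
                KeyId    = $_.KeyId
                EndDate  = $_.EndDate
                DaysLeft = $daysLeft
                Action   = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'ROTATE' } else { 'ok' }
            }
        }
    }
}

# Admin side: add a fresh one-year secret and prune credentials that have already expired.
# The still-valid old secret is kept so the scanner keeps working until it has been switched over.
function Update-AIPScannerAppSecret {
    param([Parameter(Mandatory)][string]$ObjectId)
    $now = Get-Date
    # 32 bytes from the CSPRNG rather than a GUID (a GUID carries about 122 random bits in a fixed layout)
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)
    New-AzureADApplicationPasswordCredential -ObjectId $ObjectId -CustomKeyIdentifier "rotated-$($now.ToString('yyyyMMdd'))" -StartDate $now -EndDate $now.AddYears(1) -Value $plain | Out-Null
    Get-AzureADApplicationPasswordCredential -ObjectId $ObjectId |
        Where-Object { $_.EndDate -lt $now } |
        ForEach-Object { Remove-AzureADApplicationPasswordCredential -ObjectId $ObjectId -KeyId $_.KeyId }
    # Hand the secret back as a SecureString; the caller reveals it once to type it into the scanner host
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $plain = $null
    return $secure
}

# Scanner side: store tenant ID, app ID and secret as a DPAPI-protected PSCredential, readable only by this account
function Protect-AIPScannerSecret {
    param([Parameter(Mandatory)][string]$AppId,
          [Parameter(Mandatory)][string]$TenantId,
          [Parameter(Mandatory)][securestring]$Secret)
    New-Item -ItemType Directory -Path (Split-Path $SecretPath) -Force | Out-Null
    [pscredential]::new("$TenantId/$AppId", $Secret) | Export-Clixml -Path $SecretPath
    # Replace inherited ACEs with explicit ones for the service account and local admins
    $acl = Get-Acl -Path $SecretPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in "$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
    }
    Set-Acl -Path $SecretPath -AclObject $acl
    # Remove the plaintext files the generator scripts left behind, if any are still on this desktop
    Remove-Item "$HOME\Desktop\Set-AIPAuthenticationUL.ps1", "$HOME\Desktop\Set-AIPAuthentication.txt" -ErrorAction SilentlyContinue
}

# Scanner side: read the secret back and (re)issue the scanner token; the plaintext exists only for this call
function Connect-AIPScanner {
    param([Parameter(Mandatory)][pscredential]$ServiceAccount)
    $stored = Import-Clixml -Path $SecretPath
    $tenantId, $appId = $stored.UserName -split '/', 2
    Set-AIPAuthentication -AppID $appId -AppSecret $stored.GetNetworkCredential().Password -TenantID $tenantId -OnBehalfOf $ServiceAccount
    Restart-Service AIPScanner
    Start-AIPScan
}

# Usage:
#   (admin workstation)   Connect-AzureAD
#                         Get-AIPScannerAppSecretStatus | Format-Table
#                         $new = Update-AIPScannerAppSecret -ObjectId '<ObjectId with Action ROTATE>'
#                         [pscredential]::new('x', $new).GetNetworkCredential().Password   # reveal once
#   (scanner server, as the scanner service account)
#                         Protect-AIPScannerSecret -AppId '<AppId>' -TenantId '<TenantId>' -Secret (Read-Host -AsSecureString)
#                         Connect-AIPScanner -ServiceAccount (Get-Credential)
```

Rotate in that order: issue the new secret, switch every scanner server over with Connect-AIPScanner, confirm scans run, and only then remove the previous credential by KeyId. Update-AIPScannerAppSecret deliberately prunes only credentials that have already expired, so a half-finished rotation cannot lock the scanner out.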
/Scripts/AIPScanner/New-CloudServiceAccount.ps1:
--------------------------------------------------------------------------------
"This Script will help you to create a cloud service account for use with the AIP scanner"
"This script SHOULD NOT be used if you are using Azure AD Sync to sync your on premises account"
"This should be used in conjunction with the instructions at https://aka.ms/ScannerBlog"
""
"This script will do the following items in order"
""
" - Import or Install then Import the Azure AD PowerShell Module"
" - Log in using Azure Global Admin credentials"
" - Create the AIP Scanner cloud service account in Azure AD"

Pause

# Import the Azure AD module, installing it first if it is not present
if (Get-InstalledModule -Name "AzureAD" -ErrorAction SilentlyContinue) {
    "Importing Azure AD Module"
    Import-Module -Name "AzureAD"
} else {
    "Installing Azure AD Module"
    Install-Module -Name "AzureAD"
    "Importing Azure AD Module"
    Import-Module -Name "AzureAD"
}

$gacred = Get-Credential -Message "Enter Azure Global Admin Credentials"

"Connecting to Azure AD"
Connect-AzureAD -Credential $gacred

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.ForceChangePasswordNextLogin = $false
$Password = Read-Host -AsSecureString "Please enter password for cloud service account"
# PasswordProfile.Password requires the plain-text value, so unwrap the SecureString and zero/free the unmanaged copy afterwards
$Bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
$PasswordProfile.Password = $PlainPassword

$Tenant = Read-Host "Please enter tenant name for UserPrincipalName (e.g. contoso.com)"
New-AzureADUser -AccountEnabled $True -DisplayName "AIP Scanner Cloud Service" -PasswordProfile $PasswordProfile -MailNickName "AIPScannerCloud" -UserPrincipalName "AIPScannerCloud@$Tenant"
--------------------------------------------------------------------------------
/Scripts/Scripts.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/Scripts/Scripts.zip
--------------------------------------------------------------------------------
/Scripts/docs.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InfoProtectionTeam/Files/02d17c028920a00faeb23c3bac332a22719fe46f/Scripts/docs.zip
--------------------------------------------------------------------------------
/Scripts/tenantinfo.ps1:
--------------------------------------------------------------------------------
"Enter Domain Name (e.g. AIPDemo.com)"
$domain = Read-Host
# Fetch the tenant's OpenID Connect discovery document (note: the parameter is -Uri with a plain hyphen; the original used an en-dash, which PowerShell does not accept)
$config = (Invoke-WebRequest -Uri "https://login.microsoftonline.com/$domain/.well-known/openid-configuration").Content | ConvertFrom-Json

"$domain configuration"
""
"Tenant Id"
# token_endpoint has the form https://login.microsoftonline.com/<tenant id>/oauth2/token, so the tenant id is the fourth path segment
($config.token_endpoint -split '/')[3]
""
"Region"
$config.tenant_region_scope
--------------------------------------------------------------------------------
