none
Azure Information Protection and OWA RRS feed

  • Question

  • Hello all,

    Currently I'm testing out AIP in our email system. However Sensitivity labels don't consistently appear for every applications. We're have a mix of licensees E1 & E3 in our organization. And during the testing phase, Azure Information Protection labels don't appear in OWA if I select the following Permission config:

    Not Configured - Not shows up in OWA's Protection button

    Configured - Protect - Same issue

    Remove Protection - Same issue

    Example: Here are the 2 labels I created 24 hours ago:

    AIP labels only shows up in OWA if I choose Protect - Set permissions  and grant permissions to certain domains/emails. However, we're currently working with 50-100 different vendors or maybe more than I'm aware of. It is virtually not possible for us to know every single vendor's domains and emails addresses to add to the permission list.

    However, the missing labels on OWA still show up and work properly in Outlook 2016 (desktop app). Our users also use both OWA and Outlook 2016 according to their preference. However OWA's |Encrypt| and |Do Not Forward| options are not present in Outook 2016.


    Is there a way to make this consistent to all users among the network regardless of how they access their email. NOTE: All examples above are tested on the same account with these licenses: E3, ATP, AIP and is a global admin account.


    Benedict Wolf



    • Edited by Benedict Wolf Tuesday, April 24, 2018 4:37 PM Update Screenshots
    Tuesday, April 24, 2018 1:36 PM

Answers

  • The discrepancies you're running into are a result of different Office editions, client-side protection vs service-side, and the initial limitations of the new Encrypt-Only action:

    Azure Information Protection labels display in Office desktop apps and when you use right-click from File Explorer. If you have an edition of Office that doesn't support protection, you will not see labels that apply protection.  That can explain one of the discrepancies that you're seeing because the edition of Office that comes with E1 does not support protection. For these users, you could either upgrade the subscription to E3 or purchase Office Professional Plus as a standalone desktop app.  More information: https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements#applications

    Outlook on the web (OWA) is not an Office desktop and so doesn't display labels.  It's actually Exchange rather than the client that's handling the encryption/decryption. Despite the "Protect" name, it displays protection templates rather than labels from Azure Information Protection, and the two email options of Do Not Forward and Encrypt. When you create an Azure Information Protection label that applies protection, under the covers, this creates a protection template with the same name. That explains another of your discrepancies - why OWA doesn't display all your "labels".  There is a plan to integrate Azure Information Protection labels with Exchange Online (the same limitation applies to mail flow rules, for example), but it's not there today.

    As you noted, you cannot currently configure a label for the Exchange Online Encrypt-Only option.  One of the challenges with this is that the desktop version of Outlook does not yet support this action (it's supported only with Outlook on the web and mail flow rules). If specifying domains for vendors in a label configuration is not practical for you, you could apply the Encrypt action with a mail flow rule for emails, which will also protect any Office documents. 

    However, Do Not Forward should be available in every edition of the Outlook app that supports protection, and with Outlook on the web. Users can select this directly from Outlook (both the desktop app or Outlook on the web ) or by using a label that applies this action in the Outlook app. Given your requirements, using Do Not Forward could be the best option, but does not support collaboration for Office attachments.

    A little complicated, I know.  But hopefully this explains what you're seeing and confirms that it's not a misconfiguration or bug.

    Sunday, April 29, 2018 8:01 PM

All replies

  • The discrepancies you're running into are a result of different Office editions, client-side protection vs service-side, and the initial limitations of the new Encrypt-Only action:

    Azure Information Protection labels display in Office desktop apps and when you use right-click from File Explorer. If you have an edition of Office that doesn't support protection, you will not see labels that apply protection.  That can explain one of the discrepancies that you're seeing because the edition of Office that comes with E1 does not support protection. For these users, you could either upgrade the subscription to E3 or purchase Office Professional Plus as a standalone desktop app.  More information: https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements#applications

    Outlook on the web (OWA) is not an Office desktop and so doesn't display labels.  It's actually Exchange rather than the client that's handling the encryption/decryption. Despite the "Protect" name, it displays protection templates rather than labels from Azure Information Protection, and the two email options of Do Not Forward and Encrypt. When you create an Azure Information Protection label that applies protection, under the covers, this creates a protection template with the same name. That explains another of your discrepancies - why OWA doesn't display all your "labels".  There is a plan to integrate Azure Information Protection labels with Exchange Online (the same limitation applies to mail flow rules, for example), but it's not there today.

    As you noted, you cannot currently configure a label for the Exchange Online Encrypt-Only option.  One of the challenges with this is that the desktop version of Outlook does not yet support this action (it's supported only with Outlook on the web and mail flow rules). If specifying domains for vendors in a label configuration is not practical for you, you could apply the Encrypt action with a mail flow rule for emails, which will also protect any Office documents. 

    However, Do Not Forward should be available in every edition of the Outlook app that supports protection, and with Outlook on the web. Users can select this directly from Outlook (both the desktop app or Outlook on the web ) or by using a label that applies this action in the Outlook app. Given your requirements, using Do Not Forward could be the best option, but does not support collaboration for Office attachments.

    A little complicated, I know.  But hopefully this explains what you're seeing and confirms that it's not a misconfiguration or bug.

    Sunday, April 29, 2018 8:01 PM
  • Hi Carol,

    because AIP has made further progress since then, I wanted to ask if it is currently possible to configure the protect setting in OOTW / OWA?
    Is it possible to set a default label in OOTW/OWA instead of "do not forward"?
    Another question I have is, if I want to change the permission only one (of 3) AIP label is shown in OOTW, while in Outlook all labels of the policy are shown up. What do I have to change to make them available in OOTW, too?

    Thank you and best regards,
    Sven

    Thursday, October 4, 2018 8:16 AM
  • Hi Sven,

    Still not possible upto date.

    • No labeling ability in the Office web apps (Office Online).

    • No classification and labeling integration with Exchange Online or SharePoint Online.

    See reference: https://docs.microsoft.com/en-us/azure/information-protection/faqs-infoprotect

    Thanks!


    Ken

    Wednesday, February 6, 2019 5:58 AM
  • Any idea if this is going to be implemented?

    We released AIP on our office and our users are depending more and more on OWA and Outlook mobile app to create content, so the option to use AIP in those tools is necessary.

    Tuesday, November 26, 2019 11:43 PM