Initial Azure Purview Information Protection Overview Page - Ready to qa #52
base: main
✅ Deploy Preview for confident-wilson-c4de9b ready!
Removing Azure Functions from this PR as it's being tracked and handled in a different PR
Added some comments on the QA
Due to the nature of large organisations, various bits of sensitive data can end up scattered across on-premise servers, employee devices, cloud-native applications, third-party applications and many other resources. An illustrative diagram from Microsoft's [documentation](https://learn.microsoft.com/en-us/microsoft-365/compliance/information-protection?view=o365-worldwide) shows the high-level capabilities offered by Microsoft Purview Information Protection. | ||
![](../images/PurviewOverview.png) |
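Review bot: "on-premise servers" should be "on-premises servers" (the adjective form Microsoft uses throughout its documentation). The paragraph also says the diagram is taken from Microsoft's documentation, but the image line has no alt text or source, so give it a caption and the page it comes from, e.g. `![Microsoft Purview Information Protection capabilities](../images/PurviewOverview.png)` followed by a one-line source note.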
A general comment on the images is that they seem fairly small and low-res versus the ones that are in the official documentation. Can we make sure that we get a better image if we're using one, and ensure we also reference the page from which it comes? I've tried to do that for the existing images, but double check them.
### Sensitivity Labels | ||
New and existing sensitivity labels can be found under the "Information Protection" tab on the compliance portal. |
Can we provide a link to that portal?
![](../images/InformationProtection.png) | ||
The following actions can be achieved by labelling the data: | ||
- Encrypt emails, meeting invites, and documents to prevent unauthorized people from accessing this data |
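Review bot: spelling is mixed between British and American in this list ("labelling" in the lead-in, "unauthorized" in the first bullet), and the rest of the page uses British forms ("organisations", "Schematised"). Pick one convention and apply it throughout; "unauthorised" here if the page stays British.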
Do meeting invites also get marked by RMS? From what I'm aware, they aren't, and I can see a closed issue also discussing this in 2021, but maybe it has changed: MicrosoftDocs/Azure-RMSDocs#1363
The following actions can be achieved by labelling the data: | ||
- Encrypt emails, meeting invites, and documents to prevent unauthorized people from accessing this data | ||
- Mark created content when you use Office apps. This is done by adding watermarks, headers or footers to emails, meeting invites and documents that have a sensitivity label applied. | ||
- Protect content stored in containers such as sites and groups when you enable the feature to use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites. |
What do we mean by containers? We should avoid ambiguity even if it is referred to equally ambiguously in specific parts of the documentation. I think it's best we clarify exactly which features in Teams and SharePoint are affected rather than using containers as a synonym, since it might introduce more confusion on what exactly we're talking about.
- Mark created content when you use Office apps. This is done by adding watermarks, headers or footers to emails, meeting invites and documents that have a sensitivity label applied. | ||
- Protect content stored in containers such as sites and groups when you enable the feature to use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites. | ||
- Apply the label automatically to all files and emails, or recommend a label. | ||
- Set the default sharing link type for SharePoint sites and individual documents. |
From memory, this is a native control in SharePoint as a whole, so I'm not sure how Purview fits into this one specifically. Maybe it's worth referencing how it expands on that?
Defines what data type labels will be applied to. As of now, there are three options available for selection: | ||
- Items (includes emails and files) | ||
- Groups & Sites (includes Teams, O365 groups as well as SharePoint sites) | ||
- Schematised data assets (includes files and schematised data access in Data Map) |
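Review bot: "schematised data access in Data Map" in the last bullet looks like a typo for "schematised data assets", which is also what the bullet's own label says. The lead-in "Defines what data type labels will be applied to" reads better as "Defines which types of data the label will be applied to".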
Can we clarify what types of files this refers to? This might be more related to Azure SQL and the like that are integrated with the broader environment.
If the user opted for "Groups & Sites" under the scope configuration menu, this configuration will allow the user to define the protection setting for groups and data. This includes the level of access that internal and external users will have for O365 and Microsoft Teams groups, as well as sharing policies of SharePoint sites with external users. | ||
Once a label is configured with the above policies, it must be published. Labels can be published to all or selected users and groups. Furthermore, the following settings are available prior to publication: |
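Review bot: in the "Groups & Sites" paragraph, "define the protection setting for groups and data" should read "groups and sites"; the scope name and the rest of the sentence are about groups and sites, not data. "sharing policies of SharePoint sites with external users" is also awkward; "external sharing settings for SharePoint sites" says the same thing more clearly.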
Can we clarify that these are default settings that could be configured prior to publishing a label, thus enforcing some extra security controls?
## Encryption | ||
Purview Information Protection uses Azure Rights Management (RMS) to encrypt sensitive files and emails. RMS uses Azure AD credentials to validate whether the user has right access permissions to view the document. This applies to both internal and external users. |
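Review bot: the abbreviation in "Azure Rights Management (RMS)" does not match the form used in the following paragraphs ("Azure RMS"); write "Azure Rights Management service (Azure RMS)" on first use and "Azure RMS" afterwards. "whether the user has right access permissions" is missing an article ("the right access permissions"). It would also help to tie this paragraph back to the "Encrypt emails, meeting invites, and documents" action in the label list above, so readers see that encryption is one configurable label action rather than something applied to every labelled item.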
We should probably clarify that we mean it uses Azure AD authentication as part of the process to validate who has permissions to view the document. So effectively you can use a combined approach of Conditional Access policies and labels within Azure RMS to control who can do what.
![](../images/RMS.png) | ||
Azure RMS uses the following cryptographic controls to encrypt the data which can be seen in the [document provided here](https://learn.microsoft.com/en-us/azure/information-protection/how-does-it-work#cryptographic-controls-used-by-azure-rms-algorithms-and-key-lengths): |
Is it possible for us to give a simplified overview, or maybe a step diagram, of the more in-depth process involved in using Azure RMS as described here (https://learn.microsoft.com/en-us/azure/information-protection/how-does-it-work#walkthrough-of-how-azure-rms-works-first-use-content-protection-content-consumption)? If we can make a diagram, it would make it a lot easier to understand and will give people a better understanding of how it handles encrypting their data.
![](../images/RMSCrypto.png) | ||
Additionally, Azure RMS supports the following security, compliance, and regulatory requirements: |
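Review bot: the cryptographic controls are given only as a screenshot (RMSCrypto.png) with no alt text, so the algorithms and key lengths are neither searchable nor readable by screen readers; list them in text under the image as well, and give the image alt text plus the source page the preceding sentence already links to.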
Although the regulatory requirements are useful for some contexts, can we also expand the section a bit to discuss the available security controls, such as double key encryption and the whole difference between customer and managed keys for encryption in the service?