Can Azure Rights Management Track Documents with unrestricted access?

  • Question

  • Can someone please help us to understand if the following scenario is supported by the Azure Rights Management offering?

    Suppose we have Azure Rights Management. We also have a Word document that is stored in a SharePoint library or OneDrive. The document is going to be shared with Clients via an Anonymous sharing link. Meaning no authentication will be required and if this link is shared to 100 people - we would not know about it.

    Questions:

    - Is it possible to use Azure Rights Management just to track where in the world the shared Word document is being accessed from?

    - Is some kind of authentication required for ARM to work? Or is "anonymous" access still possible?

    I will be very grateful for any help!


    Denis


    Thursday, August 29, 2019 1:11 AM

Answers

  • Well for your scenario, I suggest you look up Azure Information Protection.
    The protection technology uses Azure Rights Management. This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.

    The Word Document you mentioned is one of the file types supported for protection with AIP. For the complete list of supported file types, you can refer to this document.

    As for tracking the document, you would have to make use of PowerShell cmdlets using the AIPService PowerShell module.

    To enable tracking for a document, you have to use the PS cmdlet - Enable-AipServiceDocumentTrackingFeature

    If you have users who should not have this activity tracked by other users, add them to a group that is stored in Azure AD, and specify this group with the Set-AipServiceDoNotTrackUserGroup cmdlet. When you run this cmdlet, you must specify a single group. However, the group can contain nested groups.

    To be able to track and revoke a document, it must first be registered with the document tracking site. This action occurs when users select the Track and revoke option from File Explorer or their Office apps when they use the Azure Information Protection client.

    If you label and protect files for users by using the Set-AIPFileLabel cmdlet, you can use the EnableTracking parameter to register the file with the document tracking site. For example:

    Set-AIPFileLabel -Path C:\Projects\ -LabelId ade72bf1-4714-4714-4714-a325f824c55a -EnableTracking

    For detailed information, check the document on - Admin Guide: Configuring and using document tracking for Azure Information Protection

    -----------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Thursday, August 29, 2019 4:13 AM
    Moderator
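
The steps from the answer above run in order, with a verification step after each one. This is an added example, not part of the original thread. The group object ID is a placeholder, and the script assumes the AIPService module and the Azure Information Protection client are installed and that Set-AIPFileLabel returns one result per file with FileName, Status and Comment properties.

```powershell
# Added example: admin-side setup for AIP document tracking.
# The path and label ID are the sample values from the answer above;
# the group object ID is a placeholder to replace with your own.

# AIPService provides the *-AipService* cmdlets; the AIP client provides
# Set-AIPFileLabel and Get-AIPFileStatus.
Import-Module AIPService
Connect-AipService    # interactive sign-in with an admin account

# 1. Enable document tracking for the tenant, then read the setting back.
Enable-AipServiceDocumentTrackingFeature
Get-AipServiceDocumentTrackingFeature

# 2. Optional: exempt users from tracking. Only one group can be
#    specified, but it may contain nested groups.
$doNotTrackGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder
Set-AipServiceDoNotTrackUserGroup -GroupObjectId $doNotTrackGroupId
Get-AipServiceDoNotTrackUserGroup

# 3. Label and protect the files and register them with the
#    document tracking site in the same call.
$path    = 'C:\Projects\'
$labelId = 'ade72bf1-4714-4714-4714-a325f824c55a'
$results = Set-AIPFileLabel -Path $path -LabelId $labelId -EnableTracking

# 4. Surface anything that was skipped or failed, so an unlabeled
#    (and therefore untracked) file does not go unnoticed.
$notLabeled = $results | Where-Object { $_.Status -ne 'Success' }
if ($notLabeled) {
    Write-Warning "$(@($notLabeled).Count) file(s) were not labeled:"
    $notLabeled | Format-Table FileName, Status, Comment -AutoSize
}

# 5. Confirm that the files now carry the label and Rights Management
#    protection.
Get-AIPFileStatus -Path $path |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected |
    Format-Table -AutoSize
```
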

All replies

  • Please let me know if you find the above reply useful. If yes, do click on the 'Mark as answer' link in the above reply. This will help other community members facing a similar query to refer to this solution. Thanks.
    Friday, August 30, 2019 10:01 PM
    Moderator