What are the New Information Protection capabilities across devices, apps, on-premises and the cloud

Hello Everyone,

Recently, Microsoft announced a set of new Information Protection features, with a particular focus on GDPR compliance. Most of these are available in preview form.

Here are the various blogs that went out yesterday:

Some of the most notable features announced were:

  • General availability of Azure Information Protection scanner
  • Private Preview of native labeling of Word, PowerPoint, and Excel files on Mac
  • Private Preview of unified labeling and protection schema in Office 365 and Azure Information Protection
  • Private Preview of Information Protection SDK for labeling and protection
  • Preview on native labeling of files in SaaS apps with integration of Azure Information Protection and Microsoft Cloud App Security
  • Office 365 Message Encryption Encrypt Only functionality
  • Preview of Information Protection administrator role

For further information, refer to the link below.



How to Enable Super User Role and Assign Users in Azure Rights Management

Why do we need to enable the Azure RMS Super User role? A very high-level answer: suppose an employee protected a set of documents and has since left the organization, but management still needs to access the documents that user protected with certain permissions. In such cases the best option is the Super User role. So let's see how to activate this role and assign users to it.

Step 1 – First, install the Azure Rights Management PowerShell module on your PC. The installation steps were already published in my previous post; click HERE to access it.

Step 2 – Next, connect to the Azure Rights Management service as follows;



Step 3 – Once the connection to the Azure RMS service is established, PowerShell shows the result as follows;


Step 4 – Next, enable the Super User feature. Use the command below for that.



Step 5 – In this step, we assign a user to the Super User role.

Add-AadrmSuperUser -EmailAddress hasitha@wili.work
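Steps 2 to 5 above as one script with a check after each step, added here as an example and not part of the original post. It assumes the AADRM module from Step 1 is installed, that Get-AadrmSuperUserFeature returns the string 'Enabled' once the feature is on, and that the address from the post is replaced with your own.

```powershell
# Added example, not from the original post: Steps 2 to 5 with a check after each.
# Assumes the AADRM module (Step 1) is installed and that Get-AadrmSuperUserFeature
# returns 'Enabled' once the feature is on.
Import-Module AADRM -ErrorAction Stop

# Step 2: connect to the Azure RMS service; prompts for a tenant administrator account.
Connect-AadrmService

# Step 4: enable the super user feature only if it is not already on.
if ((Get-AadrmSuperUserFeature) -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# Step 5: assign the account that must open the leaver's protected documents.
# Super users can open every document protected in the tenant, so use a dedicated
# account and keep the membership short-lived.
$SuperUser = 'hasitha@wili.work'   # address from the post; replace with your own
if (@(Get-AadrmSuperUser) -notcontains $SuperUser) {
    Add-AadrmSuperUser -EmailAddress $SuperUser
}

# Verify the assignment before closing the session.
$Members = @(Get-AadrmSuperUser)
if ($Members -notcontains $SuperUser) {
    throw "Super user $SuperUser was not added"
}
Write-Host 'Current super users:'
$Members

# Once the documents have been recovered, remove the membership again:
# Remove-AadrmSuperUser -EmailAddress $SuperUser

Disconnect-AadrmService
```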


How to Customize certain option for Azure Information Protection

The Azure RMS portal has new options under the Settings menu of the scoped and global policies that let you customize certain behaviour, for example showing the Information Protection bar in the Office apps.

The screen below shows the settings for the option mentioned above.


If you turn the Do Not Forward button OFF, the option below is removed from the Outlook ribbon. The button is a shortcut; the same setting is otherwise reached through the Options tab of the New Email window.


The screen below shows what happens when you set the option to OFF.


The result is as follows;


The final one is the Custom Permissions option. As you know, the AIP tool lets users select Custom Permissions when sharing documents. If you don't want your users to have this option, you can remove it from the AIP tool menu.


Setting it to OFF removes the highlighted option below;


Set Up Self Service Password Reset in Office 365 (Cloud Identities)

Microsoft's Enterprise Mobility + Security (EMS) is a combination of products in Microsoft's portfolio. At first glance, it relates to the modern workspace. When we talk about the modern workspace today, the first things that come to mind are how secure we are and whether the workspace is really comfortable for our users. Considering all this, Microsoft has bundled the five components below into Microsoft EMS+S.

  • Azure Active Directory Premium
  • Microsoft Intune
  • Azure Rights Management
  • Microsoft Advanced Threat Analytics (ATA)
  • Cloud App Security (CAS)

All in all, you can think of Microsoft EMS+S as a device-management and identity-management suite. In a cloud-based world where employees want to work from all of their devices, Microsoft EMS+S lets your IT team retain the maximum security and control.

Azure Active Directory Premium edition is a paid offering of Azure Active Directory and it includes the following features:

  • Self-service password reset
  • Company branding
  • Group-based application access
  • Self-service group management
  • Advanced security reports and alerts
  • Multi-Factor Authentication
  • Forefront Identity Manager (FIM)

As part one of the EMS+S series, today I am going to enable one feature that falls under Azure Active Directory Premium (AAD): self-service password reset.

So let's see how to enable password reset for your users.


Set up SSPR

1. Sign in to the Azure Portal at https://portal.azure.com/

2. Choose More Services -> Azure Active Directory

3. Select Password reset

4. From Properties, select All for Self service password reset enabled.

5. [OPTIONAL] Selecting Selected for Self service password reset enabled lets you control the set of users who can reset their passwords. Users' group membership controls this restriction. (If you chose to restrict access to password reset, go to step 6. Otherwise, skip to step 7.)

6. [OPTIONAL] From Select groups, pick the security or distribution groups that contain the users who will have access to SSPR.

7. Next, from Authentication Methods, select the alternate identity verification methods available to users.

8. Number of methods required to reset configures the minimum number of alternative identity verification methods a user must have in order to reset the password.

9. Next, in Registration, select Yes or No for Require users to register when signing in? (Selecting Yes forces users to register alternative identity verification methods when they sign in. Otherwise the administrator will have to set identity verification options for users manually, or direct users to https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx to set this information. If you choose Yes, go to step 10; otherwise skip to step 11.)

10. Enter a value for Number of days before users are asked to re-confirm their authentication information. (This value controls the number of days before the service prompts users to verify/update their alternative identity verification information. You can specify a number between 1-730. Setting 0 here will not ask users to verify/update their alternate identity verification methods.)

11. From Notifications, you can enable notifications to be sent to users when they reset their own passwords through SSPR.

12. Selecting Yes for Customize helpdesk link lets you set a custom email address or URL for the Contact your administrator link in the password reset wizard.

13. Enter the desired URL or email address for the help desk if you selected Yes for the option above.

Users Registering for SSPR

14. If you enabled registration at sign-in, users will be asked to set up the alternate identity verification methods. (This is the same screen users see when they access the self-service password reset registration URL manually.)

15. To set up the authentication phone, click Set it up now. Select the country, enter the phone number, and select either text me or call me.

16. If you choose to have Microsoft call you, you will need to answer the call and press the # key to verify the number. If you choose to receive a text message, as seen below, you will have to enter the verification code it sends.

17. To set up the authentication email address, click Set it up now. Enter the email address and click email me. Once you receive the email with the verification code, enter it and verify.

18. Once you have set up the minimum number of authentication methods required by the administrator, or more, you can click Finish.


Azure Information Protection client files and usage logging details for inquiries!!


When we talk about data classification and data protection, one major concern customers raise is whether they can get an audit trail to identify who changed the classification of a document. The reason is that, for an audit requirement, they may need to check who made the changes. However, so far the log files are stored on the individual machines and not in a central database or in the cloud, so we have to collect the details from each machine. There are a few log files you need to go through, and all of them can be seen in Event Viewer.


There are a few log files you will need for administration or auditing.

The events include the following information:

  • Date, client version, policy ID
  • Signed-in user name, computer name
  • File name and location
  • Action:
      o Set Label: Information ID 101
      o Set Label (lower): Information ID 102
      o Set Label (higher): Information ID 103
      o Remove label: Information ID 104
      o Recommended tip: Information ID 105
      o Apply custom protection: Information ID 201
      o Remove custom protection: Information ID 202
      o Sign in (operational): Information ID 902
      o Download policy (operational): Information ID 901

Further, the Azure Information Protection client files are located in 3 locations, as below;

  • For 64-bit operating systems: \Program Files (x86)\Microsoft Azure Information Protection
  • For 32-bit operating systems: \Program Files\Microsoft Azure Information Protection

Client log files and the currently installed policy file:

  • For 64-bit and 32-bit operating systems: %localappdata%\Microsoft\MSIP
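To pull the events listed above out of Event Viewer on a machine and turn them into an audit table, here is an added example (not from the original post). It assumes the classic AIP client writes these events to the "Azure Information Protection" log under Applications and Services Logs; the $LogName, $Since and output file name are my choices.

```powershell
# Added example, not from the original post: read the AIP client events listed above
# from the local Event Viewer and map each event ID to its action.
# Assumption: the classic client writes to the "Azure Information Protection" log under
# Applications and Services Logs; adjust $LogName if your client version differs.
$LogName = 'Azure Information Protection'
$Since   = (Get-Date).AddDays(-30)

# Event ID to action, exactly as listed in the post.
$Actions = @{
    101 = 'Set Label'
    102 = 'Set Label (lower)'
    103 = 'Set Label (higher)'
    104 = 'Remove label'
    105 = 'Recommended tip'
    201 = 'Apply custom protection'
    202 = 'Remove custom protection'
    901 = 'Download policy (operational)'
    902 = 'Sign in (operational)'
}

# Get-WinEvent throws when nothing matches, so treat "no events" as an empty result.
$Filter = @{ LogName = $LogName; Id = @($Actions.Keys); StartTime = $Since }
$Raw    = @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue)

$Events = $Raw | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Computer = $_.MachineName
        UserSid  = $_.UserId          # signed-in user; the message body also carries the name
        EventId  = $_.Id
        Action   = $Actions[[int]$_.Id]
        Message  = $_.Message         # client version, policy ID, file name and location
    }
}

# Label changes (101-104) and protection changes (201-202) are what an auditor asks about;
# 105/901/902 are kept in the export so the timeline shows when the policy was refreshed.
$Events | Where-Object { $_.EventId -lt 900 } | Group-Object Action | Select-Object Name, Count

# Save per machine so the files can later be merged in a central store.
$Events | Sort-Object Time | Export-Csv -Path "$env:COMPUTERNAME-aip-usage.csv" -NoTypeInformation
```

Run it on each machine you need to audit; the CSV files carry the computer name so they can be merged later.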

In my next blog I will show you how to collect all these logs into one location and do the auditing there, rather than searching through individual machines. For the moment the configuration is still in progress; I am trying to use OMS and a syslog server for this process. Let's hope for the best and wait for the outcome.

How to refresh Azure Rights Management (ARM) templates for users and services

Good Day!! If you are using the Azure Rights Management service, Azure RMS templates and classification labels are automatically downloaded to client computers so that users can select them from their applications. However, you might need to take additional steps if you make changes, especially to the Azure RMS templates. To refresh the templates, I have created a batch file. Further, if the Azure RMS templates are not downloading at all, there is an additional PowerShell script you can use (this can happen if you are in a transition from on-premises RMS to Azure RMS). It basically deletes a registry key related to Azure RMS. Before using the batch file or the PowerShell script, make sure to take a backup; otherwise you run them at your own risk.


Batch File Command (Refresh Templates)

This basically removes all the users' cached templates. Once the client reconnects to Azure RMS, the templates are downloaded again to the users' machines.

@echo off
rem Remove the cached RMS templates (MSIPC folder) from every user profile on this machine.
rem Run from an elevated command prompt; the client re-downloads the templates on next connection.
cd /d "C:\Users"
for /d %%a in (*) do rd /s /q "C:\Users\%%a\AppData\Local\Microsoft\MSIPC"


PowerShell Script (If the newly created templates are not downloading)

This is mainly for use when you are migrating from AD RMS to Azure RMS. If a client is connected to the existing AD RMS and you want it to connect to Azure RMS, there is a chance that some machines will not download the new templates. For such cases, you can use the command below from PowerShell.


REG delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\MSIPC" /f
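The batch file and the REG command above delete without keeping a copy, while the post advises taking a backup first. The following is an added example (not from the original post) that performs the same two cleanup steps but backs up each item before removing it; $BackupRoot is an assumed location.

```powershell
# Added example, not from the original post: the same cleanup as the batch file and the
# REG delete above, with a backup taken before each removal. Run elevated.
# $BackupRoot is an assumed location; change it to suit your environment.
$BackupRoot = "C:\MSIPC-Backup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Cached templates under every user profile (the path the batch file removes).
Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    $msipc = Join-Path $_.FullName 'AppData\Local\Microsoft\MSIPC'
    if (Test-Path $msipc) {
        $dest = Join-Path $BackupRoot $_.Name
        Copy-Item -Path $msipc -Destination $dest -Recurse -Force
        Remove-Item -Path $msipc -Recurse -Force
        Write-Host "Refreshed template cache for $($_.Name); backup in $dest"
    }
}

# 2. The per-user MSIPC registry key (the REG delete above). HKCU only covers the
#    user running the script, so run it as each affected user. Export first, then delete.
$keyPath = 'SOFTWARE\Classes\Local Settings\Software\Microsoft\MSIPC'
$key     = "HKCU:\$keyPath"
if (Test-Path $key) {
    $regBackup = Join-Path $BackupRoot 'HKCU-MSIPC.reg'
    reg.exe export "HKCU\$keyPath" $regBackup /y | Out-Null
    Remove-Item -Path $key -Recurse -Force
    Write-Host "Removed $key; backup in $regBackup"
}
```

To roll back, copy the profile folder back from $BackupRoot and import the .reg file with reg.exe import.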




For additional information regarding the Azure template refresh, click the below link


How to Enable Azure Rights Management PowerShell Module in to your PC

You can administer Azure Rights Management from the command line on a PC with an internet connection. These PowerShell commands are mainly for advanced configuration scenarios and for automation. For instance, you may want to enable the Super User role for a specific user who needs full usage rights over documents and emails, such as when rights already applied to certain documents by another user need to be changed and that user is no longer with your organization.

First, verify that your PC complies with the following prerequisites.


  • Windows version which supports the Rights Management administration module
  • Minimum of Windows PowerShell: 2.0
  • Minimum of the Microsoft .NET Framework: 4.5


Once all the prerequisites are met, download the Azure Rights Management tool using the link below.


Once you have downloaded the tool, run its simple setup.

Use the below command to verify the installed module version.

(Get-Module AADRM -ListAvailable).Version


If you want to see the list of available commands, run the command below.

Get-Command -Module AADRM


If you need further information regarding the Azure Information Protection service commands, please refer to the link below.