Protect documents with Azure Information Protection (Documents labels)

When handling documents with confidential or sensitive data, encryption is often used to protect documents from unauthorized access.  When documents are encrypted, no matter where they are stored and sent to, only authorized users can open your encrypted documents to view or edit the contents.

In HKUST, Microsoft’s Azure Information Protection (AIP) technology is used to protect documents.  This webpage summarizes the essential steps for you to get started to make use of the protection technology.

AIP Exercise 

To ensure colleagues can master fundamental AIP skills, ITSC has prepared an exercise built on our Canvas Learning Management System. The exercise has a quiz which will be graded. 

Before taking the exercise, you should have either attended our previous trainings "Data protection with AIP" (video recording available here) or read through contents in this webpage.
 

Start AIP Exercise

Available To
Staff
Service Fee

Free

Service Hours

7x24

How-to Guides

  1. Getting Started - Supported Systems and Required Software
  2. Viewing Encrypted Documents
  3. Protecting Documents with Sensitivity Labels
  4. Encrypting Office Documents or PDF Files Using the AIP Client (Windows only)
  5. Change the Protection on a File
  6. Removing encryption from a protected file
  7. Reading Restricted Email Message and documents
  8. Sending Confidential Emails Using Microsoft Outlook

1. Getting Started - Supported Systems and Required Software

Follow the links below to view the installation instructions of the required software.

  Windows 10 macOS iOS Android
Microsoft Office &
Microsoft Outlook
Office 365 or
Office 2016
Office 365 Microsoft Office & 
Microsoft Outlook
Microsoft Office & 
Microsoft Outlook
Azure Information Protection (AIP)
Client or Viewer
AIP Client [1]

Adobe Reader and Plug-in for Acrobat Reader DC Continuous 
(view PDF only ​[2]

AIP Viewer [3] AIP Viewer [3]


(Important: Remember to sign in to your Microsoft Office with your ITSC username and password after the installation.)

Notes:

[1] For Windows users, follow the steps below to install the AIP Client to read and protect documents (including PDFs). 

  1. Visit the webpage (https://www.microsoft.com/en-us/download/details.aspx?id=53018)
  2. Press the “Download” button
  3. Select “AzInfoProtection_UL.exe” option by checking the checkbox next to it. (make sure you have selected the correct option)

  1. Press the “Next” button
  2. Install that software when the download is finished. 
  3. Restart Outlook or Word if the Sensitivity icon is dimmed.
[2] For Mac OS user, please use Adobe Reader with Adobe plug-in to view protected PDF. Please select Plug-in for Acrobat Reader DC Continuous if you are using the Acrobat Reader. To view protected txt or image files, please install RMS Sharing app.
 
[3] For iOS and Android, the AIP Viewer allow you to view protected files, including protected PDF and protected email message (.rpmsg).
 
 

2. Viewing Encrypted Documents

Before you begin… 
Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office.


a. Viewing encrypted office documents (e.g. Word, Excel, PowerPoint)

To view the protected document, you must sign in with your Office app with your email account.  Depending on the permission settings from the document owner, you will have read or write permission to the document. In some devices e.g. Android, you will need to invoke the application first and then open the protected document in order to view it. 
 
If you are not authorized to open the encrypted document, you will see an error screen instead.  You may need to check with the document owner to see if you have the necessary permission to open the document.
 

b. Viewing encrypted files other than Microsoft Office documents

Besides Microsoft Office documents, other file types (e.g. PDF files, images, text files, and etc.) can also be encrypted.  You may use the Azure Information Protection Viewer to open the encrypted files.
  1. For PC user users, start the Azure Information Protection Viewer app
  2. Press the “Open” button
  3. Browse the file to open it
  4. For mobile users, you can send the protected PDF to the AIP Viewer or choose to open it with the AIP Viewer.
    e.g. use the following icon (navigation action) to send it to the AIP Viewer in iOS:  
  5. For MacOS users, please use Adobe Reader with Adobe plug-in
Please also refers to the other page Viewing Protected PDF Files for more detail information.
 
If you are authorized to open the encrypted file, you will be able to open it in the AIP client application.  If not, you will see an error message instead.  You may need to check with the document owner to see if you have the necessary permission to open the file.
 

3. Protecting Documents with Sensitivity Labels

Before you begin… 
Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office.


a. What are Sensitivity Labels?

A Sensitivity Label is used to quickly apply encryption and permission settings to a document.  Some content markings (e.g. footer or watermark) may also be added to a document to reflect its importance.  

For example, you may apply the label, “Confidential/ HKUST Restricted” to a confidential document to enforce encryption and protect it such that only HKUST staff members can edit it.  For less sensitive documents which encryption may not be required, you may just apply the label “Public” to remind yourself and others that the document could be used externally.
 
In HKUST, a set of labels is prepared to facilitate the encryption and protection process.  Each of the labels is having different permission and marking settings to suit your needs.  Their settings are summarized in the table below.
 
Label Encryption Sharing Options Content Markings
Highly Confidential  Applied User-defined permission   “Highly Confidential” in watermark and footer
Confidential/ HKUST Restricted  Applied All HKUST staff with read and write permission   “Confidential – HKUST Restricted” in footer
Public  None Not Applicable  None 

Notes:  The labels shown here may be slightly different in different departments.

Tips: Documents with sensitive and confidential information should always be encrypted. 


b. Apply a sensitive label to your documents for encryption

In Microsoft Office, the labels you can use are shown under the Sensitivity button in the Ribbon.

Different labels provide different encryption and permission settings, and may apply visual markings (e.g. footer or watermark) to your documents. Please refer to the previous step to see a summary of sensitivity labels.

Labels with encryption settings should be used to encrypt and protect sensitive or confidential documents.  You may use one of the following two labels to encrypt your documents with different permission settings.

  1. Confidential / HKUST Restricted
    It is used to encrypt your documents and allows only HKUST staff members to have the read and write permission.  It will also turn on the footer with “HKUST Restricted” in your document.
  2. Labels with User-defined Permissions
    The following label is used to encrypt your documents with user-specific permissions.
  • Highly Confidential 
    When you apply either one label to your document, a screen will then pop up for you to specify the permission for your intended users.


    Only the assigned users (whose user accounts you have entered) can open the encrypted document with the assigned permission.

4. Encrypting Office Documents or PDF Files Using the AIP Client (Windows only)

Before you begin… 
Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office.

Apart from using Microsoft Office to protect your document, user may also Azure Information Protection client with custom protections. When you protect a file in-place, it replaces the original unprotected file. You can then leave the protected file where it is (either on PC or on-cloud) and copy it to another folder or device. You can also attach the protected file to an email message.

To protect a file on a device:

  1. In File Explorer, select a file to protect. Right-click, and then select Classify and protect.

    Note: You can also protect multiple files and a folder. When you select a folder, all the files in that folder are automatically selected for protection. You will need to perform file protection for any newly added files as new files will not be automatically protected.
  1. Apply a Highly Confidential label (for example)
  2. Select Protect with custom permissions with one of the following options:
    • Viewer – View Only
      Users can view the attachments, but cannot print, edit, or copy content.
    • Reviewer – View and Edit
      User can view and edit the attachments but cannot print or copy content.
    • Co-Author – View, Edit, Copy and Print
      Users can view, edit, copy, and print the attachments, but cannot unprotect the content.
    • Co-owner – All permission
      Users have full control for the attachments; they can view, edit, print, and unprotect the content.
    • Only for me
  3. Select the users, groups or organizations or type the users email address(es). For example, a Viewer permission for usera@ust.hk and userb@ust.hk
  4. Click Apply and you may see a dialog box telling you that the files are protected.

Note: Only the Windows version can add protection to PDF files.

5. Change the Protection on a File

Before you begin… 
Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office.

Follow the steps in Encrypting Office documents or PDF files using AIP Client to assign new label or permission settings for the file. 

For files with custom permission together with specified users, you may just update the user list and modify the permission settings.  For example, adding userc@ust.hk@ust.hk to Select users, groups or organizations section to enable userc@ust.hk (in additional to usera@ust.hk and userb@ust.hk) to have view only access rights to the document.

6. Removing encryption from a protected file

Before you begin… 
Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office.

If you want to remove the protection from a file,

  1. Right-click the file
  2. Click Classify and protect
  3. Click Delete Label and then un-check the protect with custom permissions option (Note: You must be an owner of the file to remove the protection).

7. Reading Restricted Email Message and documents

8. Sending Confidential Emails Using Microsoft Outlook