Protecting Norwegian National ID Number with Azure Information Protection and RMS

In Norway we have a National Identification Number, an 11-digit personal identifier that is also referred to as a Birth Number, as it is given to every Norwegian at birth.

The number consists of:

  • The first 6 digits are the birth date in the form ddmmyy
  • The next 3 digits are an individual number; the last of those 3 indicates gender: odd for male, even for female
  • The last 2 digits are control digits, calculated with modulus functions from the preceding digits

(Source: http://www.skatteetaten.no/en/person/National-Registry/Birth-and-name-selection/Children-born-in-Norway/National-ID-number/)

The special thing about the Norwegian National ID Number is that it is not only used for personal identification, but in some official scenarios is also used as a source of authentication. This makes the ID number highly sensitive, and it should not be shared around in, for example, documents and e-mails.

In this blog post I will look at how Azure Information Protection can automatically detect and classify documents that contain the Norwegian National ID Number, and moreover how we can use Azure Rights Management Services (RMS) to automatically apply an RMS template that encrypts and sets permissions for these classified documents.

I will show this step by step, so read on for details.

Activate Azure Rights Management Services and Azure Information Protection for your Azure AD

The requirement for setting this up is that you have a tenant with an Azure AD directory, licensed with the EMS Suite (E3 or E5), Secure Productive Enterprise (SPE) or Azure Information Protection P1 or P2 licenses. You will need EMS E5/AIP P2 if you want to be able to automatically classify and label documents, as E3/P1 only enables users for manual classification and labeling. You can get EMS E5 trial licenses if needed.

To activate Azure RMS, if you haven't already done this, go to: https://account.activedirectory.windowsazure.com/RmsOnline/Manage.aspx

If you get this message you are OK to proceed to next step:

Next, in a new browser window, sign in to the Azure portal as a global admin for your tenant.

On the hub menu, click New, and then select Security + Identity. In the Security + Identity blade, select Azure Information Protection. In the Azure Information Protection blade, click Create. This enables Azure Information Protection and makes it accessible for your configured services later. If you selected to pin the blade, you will have easy access for configuring Azure Information Protection later:

Configure Classification and Labeling

In this step we will configure the classification and labeling for the Norwegian National ID Number.

First, when I start with the default configuration of Azure Information Protection, I see these built-in classification labels:

These classification labels should be sufficient for a lot of protection scenarios, but in this case I will add a new label for protecting restricted content like the Norwegian National ID Number. I select to add a new label, as shown below:

I give the new label the name Restricted, and provide a custom tooltip for the users to see. I can select another color if I want, and for now I don’t want to add an Azure RMS template for protection.

Further down, I add visual markings, by providing a Header text:

And a watermark:

Next I can specify conditions for automatically applying a label. This is where I will check for any Norwegian National ID Numbers. First I add the Condition:

Then I select the Custom type of condition, because the built-in ones do not contain the Norwegian ID number. Under Custom I specify a name for the condition, and select to match based on a regular expression (see the explanation below). I can also match on case sensitivity (if letters) and on the number of occurrences if I want.

So, the main part here is the Regular Expression (RegEx) that will discover if there could be a possible match on a Birth Number/Norwegian National ID Number.

I will not dive into the details of Regular Expressions here on my blog, but in short the following expression will match if the first digits form a valid day and month: 31 days are accepted in Jan, Mar, May, Jul, Aug, Oct and Dec, and 30 days in the rest. It does not check for leap years, so to keep things simple it accepts 29 days in every Feb. The remaining 7 digits (the 2-digit year and the last 5 digits) are accepted as long as they are 0-9.

(0[1-9]|[1-2][0-9]|31(?!(?:0[2469]|11))|30(?!02))(0[1-9]|1[0-2])\d{7}

This expression could be even better, and I might look into that later:

  • If the 3 digits after the date were checked to be in the right group based on birth year
  • If the last 2 digits were in fact modulus calculating on the previous

But for now this should be sufficient.
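The two improvements listed above (checking that the 3 individual digits belong to the right group for the birth year, and recomputing the 2 control digits) can be implemented as a second-stage check over whatever the regular expression reports. The following Python is an added example written for this post, not code from the blog or from Azure Information Protection: it reuses the expression above unchanged to find candidates, then applies the modulus-11 control-digit calculation and the century rules for the individual number, and finally rejects dates that do not exist (such as 29 February in a non-leap year). The weights and century ranges are the published ones for the Norwegian birth number; every number in the sample text is constructed for this example.

```python
import re
from datetime import date

# Regular expression from the blog post: it validates day and month and then
# accepts any 7 digits (2-digit year, 3 individual digits, 2 control digits).
BLOG_REGEX = re.compile(
    r"(0[1-9]|[1-2][0-9]|31(?!(?:0[2469]|11))|30(?!02))(0[1-9]|1[0-2])\d{7}"
)

# Published modulus-11 weights for the first (K1) and second (K2) control digit.
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def control_digit(digits, weights):
    """Expected control digit for the given digits, or None when the remainder
    would require the digit 10 (such numbers are never issued)."""
    remainder = sum(d * w for d, w in zip(digits, weights)) % 11
    k = 11 - remainder
    if k == 11:
        return 0
    if k == 10:
        return None
    return k


def birth_year(yy, individual):
    """Resolve the full birth year from the 2-digit year and the individual
    number (digits 7-9), using the published group ranges."""
    if individual < 500:
        return 1900 + yy
    if 500 <= individual <= 749 and yy >= 54:
        return 1800 + yy
    if 500 <= individual <= 999 and yy <= 39:
        return 2000 + yy
    if 900 <= individual <= 999 and yy >= 40:
        return 1900 + yy
    return None  # individual number does not fit any group for this year


def is_valid_fnr(candidate):
    """Full validation: both control digits, the century rule and a real
    calendar date (this also catches 29 Feb in a non-leap year)."""
    if not re.fullmatch(r"\d{11}", candidate):
        return False
    digits = [int(c) for c in candidate]
    if control_digit(digits[:9], K1_WEIGHTS) != digits[9]:
        return False
    if control_digit(digits[:10], K2_WEIGHTS) != digits[10]:
        return False
    day, month, yy = int(candidate[0:2]), int(candidate[2:4]), int(candidate[4:6])
    year = birth_year(yy, int(candidate[6:9]))
    if year is None:
        return False
    try:
        date(year, month, day)
    except ValueError:
        return False
    return True


def find_national_ids(text):
    """Run the blog's regex over free text and return (candidate, valid) pairs."""
    return [(m.group(0), is_valid_fnr(m.group(0))) for m in BLOG_REGEX.finditer(text)]


# Constructed sample text: one valid number, one with a wrong control digit,
# one with correct control digits but an impossible date (29 Feb 1990), and a
# long reference number that is not an ID at all.
SAMPLE_TEXT = (
    "Customer 01019012480 signed the form; duplicate entry 01019012481 was "
    "rejected; 29029012324 came from a paper form; invoice reference 20201231999888."
)

if __name__ == "__main__":
    for candidate, ok in find_national_ids(SAMPLE_TEXT):
        print(candidate, "valid national ID" if ok else "regex hit only")
```

Run as a script it prints each candidate with its verdict. Note the last hit: the regular expression reports an 11-digit substring of the invoice reference because it has no boundaries on either side, so it also fires inside longer digit runs. Where the regex engine supports lookbehind, wrapping the expression as `(?<!\d)…(?!\d)` removes that class of false positives before any control-digit check is needed.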

After adding that condition, I specify a tooltip for the end users:

All that is left now is to save and publish my new classification label:

Download and Install the Azure Information Protection Client

The next step is to install the Azure Information Protection client on a PC that has Office installed. Download the client from the Microsoft Download Center, https://www.microsoft.com/en-us/download/details.aspx?id=53018.

Run AzInfoProtection.exe and follow the prompts to install the client. As we have configured the tenant with the default and customized labels, it doesn't matter if you install the demo labels, as the tenant settings will override them.

After installing the client and starting any Office program, we will see the toolbar shown below:

Testing Automatic Classification of National ID Number

If I open a new document in Word and type in an example of a valid National ID Number, as below:

I then have to save the document, because the validation of conditions for classification labels happens at save time.

And as expected, the document has now been automatically classified as Restricted, with the explanation that a Norwegian National ID Number has been detected:

I also see the watermark and the header text for the document:

At this point we are able to automatically classify the document as restricted and sensitive, but the document can still be shared unencrypted if the user wants to do that.

In the next step we will see how we can configure automatic data protection for this classification label.

Configure Data Protection

To configure automatic data protection for classified documents, I need to either use an existing Azure RMS template or create a new one. In this case I will create a new template. For now this must be done in the old Azure portal at manage.windowsazure.com, under your Azure Active Directory and the Rights Management settings.

When you enable Azure Rights Management for your tenant you will have two default RMS templates specified:

  • <organization name> – Confidential
  • <organization name> – Confidential View Only

I will now create a new RMS template for my organization, which I will use for protecting documents that are classified as Restricted. First I specify language, name and description for the new template:

After creating the RMS template I can now configure rights, scope and optional configurations.

Under Rights I have added a couple of groups from my Organization where I configure a Rights role of Viewer:

The Viewer Role has the following custom rights, which suits my scenario where I want to restrict sharing for Restricted Sensitive Information.

I can define the scope of the RMS template, which defines who in my organization can apply this template. I want everybody to be able to use this template, so I will not change any scoping settings now:

At the configuration section I can choose to Publish the template, and change settings for additional languages, content expiration and offline access. I have left the default settings on and publish the RMS template as ready to use:

With the new RMS template ready, I can now go back to Azure Information Protection and Configure the Protection settings for my “Restricted” classification label. I select my new RMS template from the dropdown menu:

After that I hit Save, and then Publish the policy:

I can now see that my Restricted classification label has Marking, Protection and Conditions defined:

Testing Automatic Protection

We will now test this in a new Word document. Once again I type a National ID Number and save the document. This time I see that the document is both automatically classified and protected:

As I am the owner of the document, I can share it internally with any user in my organization, but they will be prevented from doing any operation besides viewing the document.

And if I share the document with an external user outside my organization, they will be prevented from viewing the document and its contents as well, as they cannot open the document without an Azure AD user from my organization:

If I wanted to restrict my users from even sharing it internally, I would need to configure an Office 365 Data Loss Prevention (DLP) Policy, which can apply to Exchange Online, SharePoint Online and/or OneDrive for Business, and look for Norwegian National ID Number there. But that would be a topic for another blog post!

Classifying and Protecting Outlook E-mail

Does this only apply to Office documents? No, when you install the Azure Information Protection client you get the opportunity to classify and protect e-mails sent with the Outlook client as well.

When I send an e-mail message that contains a Norwegian National ID Number, the automatic classification and protection is applied to the e-mail after I hit the Send button:

The external recipient of the e-mail will see this message, and will not be able to see the e-mail content:

Conclusion

In this blog post I have shown how you can use Azure Information Protection (AIP) to classify Office documents and Outlook e-mails, and how you can use conditions to automatically apply that classification based on, for example, detecting a Norwegian National ID Number with a regular expression.

In addition I have shown how you can use Azure RMS and a template to automatically encrypt that document and set the permissions for the users in my organization that only allows viewing.

Speaking at NIC 2017

I’m very happy that I have been selected as a speaker again for next year's NIC 2017!

I will have at least one session to present, and hoping for a second session but the organizers have a lot of interesting session proposals to choose from so we’ll see.

My session will be about Enterprise Applications and Publishing in the new Azure AD Management Experience:

In this session we will look into the new management experience of Azure AD Applications in the new Azure Portal. The session will cover publishing and management of Application Proxy applications, Web App/API Applications and Enterprise Applications including SaaS Applications, and how and in which scenarios we can use the new Azure Portal, PowerShell or the Classic Portal for administration. Another important topic that will be covered is how you can configure Conditional Access for those applications for Users and Devices with the Enterprise Mobility & Security offering.

NIC 2017 is on the 2nd and 3rd of February, with a Pre-Conf day on the 1st. Read more at www.nicconf.com.

Hope to see you there!

Speaking at #ExpertsLive 2016 Netherlands

Next week at Tuesday 22nd of November I will be back speaking at ExpertsLive 2016, at CineMed Ede, Netherlands. After my first visit and speaking there last year, I always wanted to go back to this great community event, and I’m very happy and honored to be invited to speak again.

ExpertsLive NL 2016 will feature over 50 sessions, plus a keynote and closing note, in as many as 9 different tracks ranging from Azure and Azure Stack to Manageability, Automation, Windows Server 2016, Office 365, Security and Windows 10! In addition there will be great sponsors and networking. What more can you ask of a conference? There will be over 1000 attendees, mostly from the Netherlands, but also visitors from nearby countries.

My session will be on Azure Active Directory and how you can perform Premium Management and Protection of Identity and Access with Azure AD, covering solutions like Privileged Identity Management, Identity Protection, Multi-Factor Authentication and Azure AD Connect Health. It is very important to protect your identity now, let me show you how, and I will show some nice demos as well, hope to see you there!

Read more about ExpertsLive here: http://www.expertslive.nl

Sleepless in Seattle – Impressions from MVP Summit 2016

As I’m just back from attending my first ever MVP Summit, I wanted to take the opportunity to recap some of the impressions and experiences I had. One note though: the first rule about the MVP Summit is not to talk about the MVP Summit! The reason for this is that generally everything that is shared with us MVPs by Microsoft is under NDA. All the while, there is some general information that can be shared, which shows the importance this Summit has not only for the MVPs, but also for Microsoft and the Product Groups, the Community and, in the end, the customers themselves.

As the title of this blog post refers to, sleep can be hard to come by. Partly because many MVPs are travelling from far and beyond, myself fighting jetlag and a time difference of 9 hours to Norway, but also because the fellowship of MVPs in official and unofficial social gatherings in the evenings quickly sees hours fly away.

What is the MVP Summit?

The MVP Summit is held once a year at Microsoft Campus in Redmond, just outside of Seattle, Washington. All active MVPs from around the world are invited, and many will attend. At the Summit MVPs will have sessions with the Product Groups, where discussions and feedback are central, as well as looking forward to what might or will come in the future. This is where the NDA is vital. In addition to the sessions there are a lot of networking with fellow MVPs and the members and managers of the Product Groups.

Most MVPs stay at selected hotels in Bellevue outside Seattle, not far from Redmond, with the Hyatt Regency as the social hub, and we get transported to and from Redmond.

My impressions of the MVP Summit

As this was my first MVP Summit, I had 3 things I looked forward to:

  1. Meet fellow peers and MVPs
  2. Meet the Product Groups
  3. The NDA stuff!

And I can safely say that it delivered on all 3 points! Over the years I have met and been introduced to many MVPs in the community, but now I had the chance to see and meet first hand many of the community leaders I have read blog posts from or followed on Twitter. Always nice to see and meet the rock stars 🙂

It was also very nice to meet up with the Product Groups and engage with them in sessions; it’s always helpful to put a name to a face, and they are genuinely interested in any feedback we can give from our own opinions and from our customer experiences.

A lot of information, roadmaps, features, private previews and more were shared as well, which of course are under strict NDA. So you will have to wait for that, no need to ask, but wait patiently for exciting things to come. A general feeling is that Microsoft is more open and engaging than ever, and the best of times are yet to come!

So with that I will conclude this short blog post, and although I cannot share any more details I can assure that Microsoft and MVPs together are working together for the benefit of customers and end users. It has been great attending my first MVP Summit, and hopefully I will be back next year!