Azure Information Protection - Broken "by design" according to Microsoft

As of this writing, it's been 3 years since Microsoft announced their Azure Information Protection (AIP) product. As recently as March of this year, they were touting ominously "When you use Azure Information Protection with Exchange Online, you get an additional benefit: The ability to send protected emails to any user, with the assurance that they can read it on any device." What they don't mention is that Outlook Web App (a.k.a. OWA) completely bypasses AIP security. Can this be possible?

Long story short - yes... according to Microsoft... "Azure Information Protection does not work in OWA and it is by design". (click below to enlarge). And when they say "does not work" they don't mean that you can't read the protected information - "does not work" according to Microsoft means that all protection is removed.


In fact, I am told that if I'm not happy with this protection feature, I can join other unhappy Microsoft customers and vote for this broken functionality to be fixed. The link they gave me, humorously, is one that I originally created. https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/37295347-owa-should-respect-aip-message-expiry-rules. If you are reading this and reckon that AIP should actually protect your cloud information, feel free to "vote" for my suggestion. Sadly, the odds of this being a successful approach are nil when the top features that Microsoft is working on are really important things like animated 3D hearts in Excel.

For those technically minded of you, I have a bit more detail below. For everyone else, don't waste your time on Azure Information Protection (or your money on the expensive Enterprise licenses that are required for it), after 3 years, it's still not ready.


The way that AIP works is by setting up what are called Labels. Here is an example label that causes  items to expire after 3 days. I have confirmed with Microsoft that this is the correct way to configure the feature.

This label called "Secure Inbox" is listed along with other labels available in our tenancy.
To invoke this label, you can create a rule in Exchange to apply the label under certain conditions. In this example, mail coming into Test AU will get the "Secure Inbox" treatment as defined above.
Microsoft have confirmed that this is the correct way to implement a policy to make messages no longer visible after 3 days. Indeed, if you send an e-mail to a mailbox and wait 3 days, you get the following in both Mac and Windows versions of Outlook:


This is perfect... exactly as advertised.

But... what if you log in to OWA and read your mail there? The exact same message, which was meant to expire after 3 days is displayed freely without any restriction. Indeed, even the attachment can be downloaded. In the older OWA interface, you get a message saying "This message will expire on: Friday, 15 March 2019 8:04:00 PM" which is when it expired on the desktop version... but despite it being already mid-April, a month old message is still plainly visible.

What about the New OWA interface (click "Try the new Outlook" on the top right)... well, that's even worse!
In the new interface, not only is the message and the attachment fully accessible, but they don't even bother to tell you that you are past the expiration date.

What about on the phone? You guessed it... plainly visible well past the "expiration" date.


After over a month of back and forth with Microsoft support (who have been able to reproduce this problem - and initially agreed that it doesn't feel like a secure way to secure things), they have given up with a flippant "this is by design"...

Thanks for nothing...



No comments:

Post a Comment