Baseline for AIP policies

When I deliver AIP workshops to my customers, I regularly get asked whether I have a baseline for sensitivity labels. I always give the same answer: it depends on your needs and requirements. But with this post I want to show you how you can start your content classification.

First of all, you have to think about naming and description. At first glance this may seem obvious, but when your end users start working with those labels they have to read the names and descriptions, and this information will help them a lot, so choose wisely and think twice.

My recommendation is to make sure the name reflects the real purpose of the label and the terminology the company uses. Once you have this, half of your work is done; then you need to write a description explaining which content falls under that classification.

So, which AIP levels am I creating? The following four:

  • Public
  • Internal
  • Confidential
  • Secret

Public classification

The public classification label applies to information that is available to the general public and intended for distribution outside the organization. This information may be freely distributed without risk of harm. Information produced for public consumption, such as news releases, job announcements and sales brochures, is a good example.

Internal classification

The internal classification label applies to information that is used in business processes and whose unauthorized disclosure, modification or destruction is not expected to seriously affect the organization, its customers, employees or business partners. Information used in routine business matters, such as internal policy manuals and company phone lists, is a good example.

Confidential classification

The confidential classification label applies to information that is used in sensitive business processes, the unauthorized disclosure, modification or destruction of which will adversely affect an organization, its customers, employees or business partners. Examples of sensitive information include intellectual property, contract negotiations, most personnel matters, personally identifiable information, protected health data, bank account numbers and payment card information of customers and employees.

Secret classification

The secret classification label applies to information that is used in extremely sensitive business processes and whose unauthorized disclosure, modification or destruction would seriously harm the organization, its customers, employees or business partners. Examples for health organizations include medical records relating to mental health or sexually transmitted diseases… Examples for other organizations include documents used in mergers, strategic plans and litigation.
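As an added example (not code from the original post), this is how the four baseline labels above can be created and published from Security & Compliance PowerShell, with the description (tooltip) carrying the wording the user will read. It assumes the ExchangeOnlineManagement module is installed, the account has compliance admin rights, and the policy name and the tooltips are placeholder wording to adapt to your own terminology.

```powershell
# Added example, not the original post's code: create the four baseline sensitivity
# labels with name + description (tooltip) and publish them in one label policy.
# Assumptions: ExchangeOnlineManagement is installed and the signed-in account can
# manage labels; tooltips and the policy name are placeholders to adapt.
Connect-IPPSSession

# Ordered from least to most sensitive; the order becomes the label priority
$baseline = @(
    @{ Name = 'Public';       Tooltip = 'Intended for distribution outside the organization; can be shared freely.' },
    @{ Name = 'Internal';     Tooltip = 'Used in routine business processes; disclosure is not expected to seriously affect the organization.' },
    @{ Name = 'Confidential'; Tooltip = 'Used in sensitive business processes; disclosure would adversely affect the organization, customers or employees.' },
    @{ Name = 'Secret';       Tooltip = 'Used in extremely sensitive business processes; disclosure would seriously harm the organization.' }
)

foreach ($label in $baseline) {
    # Skip labels that already exist so the script can be re-run safely
    if (Get-Label -Identity $label.Name -ErrorAction SilentlyContinue) {
        Write-Output "Label '$($label.Name)' already exists, skipping"
        continue
    }
    New-Label -Name $label.Name -DisplayName $label.Name -Tooltip $label.Tooltip | Out-Null
    Write-Output "Created label '$($label.Name)'"
}

# Publish all four labels to every user. DefaultLabelId is the AIP advanced setting that
# applies a label to new documents by default; here the assumed default is 'Internal'.
$policyName = 'Baseline classification'   # placeholder name
if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName `
        -Labels $baseline.Name `
        -ExchangeLocation All `
        -AdvancedSettings @{ DefaultLabelId = (Get-Label -Identity 'Internal').Guid } | Out-Null
    Write-Output "Published policy '$policyName'"
}
```

Run it once from an admin workstation; because both the label and policy creation check for existing objects first, it is safe to re-run after you refine the tooltips.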

Retention Label VS Retention Policy

Retention is a great way to drive information governance and user behaviour. It is good practice to have a retention policy implemented for organizational content in order to enable long-term retention in workloads such as SPO, Teams, ODFB, EXO…

But when it comes to the question of which feature to use in each case, that is when the doubts come, so with this post I hope to clarify some of those points:

Use Retention Labels when:

  • Information within the same location requires different classifications to drive lifecycle
  • Information is required to be managed as a record or a regulatory record
  • Information requires manual classification by users or auto-classification using Keywords, metadata or machine learning

Use Retention Policies when:

  • A single baseline retention period is applicable to all information within a location (ODFB, EXO etc.)
  • Joiner / Leaver scenarios are required to be automatically managed
  • No user intervention is expected or required with the baseline policy

How to disable Hybrid Azure AD Join

A device is said to be hybrid joined if it has both an AD object and an Azure AD (AAD) object. This allows users of that device to sign in with an AD user account and get access to resources protected by either AD or AAD.

A hybrid joined computer is joined to both AD and AAD, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined. The benefits of having Hybrid Azure AD joined devices are:

  • The computer has a device object in Azure AD, which enables a variety of capabilities including:
    • Microsoft 365 Apps device licensing is possible
    • Azure AD Conditional Access features based on device conditions are possible
  • There is a reduction in user sign-ins, because a single user sign-in gets both a NETID AD token and an AAD token

But what If you want to disable that Hybrid Join?

You can disable hybrid join by preventing one of the required elements from triggering hybrid join registration:

  1. Modify the Hybrid Azure AD Join configuration in Azure AD Connect (recommended)
  2. Set the following registry value on the computers to block the join: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: “BlockAADWorkplaceJoin”=dword:00000001
  3. Modify the Scheduled Task which triggers AAD device registration. See Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join. See the following 3 items for details:
    1. Deleting the Scheduled Task seems to work reliably.
    2. Disabling the Scheduled Task does not work reliably; the disabled task will still run after a user signs in.
    3. Modify both triggers from an Enabled status to a Disabled status; this works reliably.
  4. Add a firewall block for, to prevent the computer from connecting to the Azure AD Device Registration Service (AAD DRS). See the following item for possible side-effects:
    1. This should only affect the ability to AAD join. If you have Office installed on the Windows device, this might have an undesirable impact on AAD device registration (different from AAD device join) which is required per user for Microsoft 365 Apps (was Office 365 ProPlus) sign-in.
  5. Add a firewall block for the UW ADFS server, to prevent the computer from getting an ADFS token to authenticate to the AAD DRS. See the following item for possible side-effects:
    1. Note: this option will only work for as long as you continue to have federated authentication for AAD, which is planned to be removed. This option may be undesirable if there is any interaction with Azure AD applications like Office 365 from the device; those interactions would be blocked.

OK, that’s great, but what if I want to unjoin a hybrid Azure AD device? For hybrid Azure AD joined devices, make sure to turn off automatic registration first. Then the scheduled task doesn’t register the device again.

Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave. Or run this command as a script across several devices to unjoin in bulk.
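As an added example (not code from the original post), the following script applies options 2 and 3 above to a list of devices, verifies that registration is really blocked, and only then runs the dsregcmd.exe /debug /leave step on them in bulk. It assumes WinRM access from an admin workstation; the computer names in $Computers are placeholders, and the AzureAdJoined parsing of dsregcmd /status output is my own check, not something the post describes.

```powershell
# Added example, not from the original post: block automatic Hybrid Azure AD Join
# registration (policy registry value + both task triggers), verify it, then unjoin.
# Assumptions: WinRM access to the devices; $Computers holds placeholder names.
$Computers = @('PC-PLACEHOLDER-01', 'PC-PLACEHOLDER-02')

# Runs on each device: set BlockAADWorkplaceJoin and disable both triggers of the
# Automatic-Device-Join task (the post reports disabling the triggers as the reliable way)
$disableAutoJoin = {
    $keyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $taskPath = '\Microsoft\Windows\Workplace Join\'
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name 'BlockAADWorkplaceJoin' -PropertyType DWord -Value 1 -Force | Out-Null

    $task = Get-ScheduledTask -TaskName 'Automatic-Device-Join' -TaskPath $taskPath -ErrorAction SilentlyContinue
    if ($task) {
        foreach ($trigger in $task.Triggers) { $trigger.Enabled = $false }
        $task | Set-ScheduledTask | Out-Null
        # Re-read so the reported state reflects what is actually stored
        $task = Get-ScheduledTask -TaskName 'Automatic-Device-Join' -TaskPath $taskPath
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        BlockValue      = (Get-ItemProperty -Path $keyPath -Name 'BlockAADWorkplaceJoin').BlockAADWorkplaceJoin
        TriggersEnabled = if ($task) { @($task.Triggers | Where-Object { $_.Enabled }).Count } else { 0 }
    }
}

# Runs on each device after registration is blocked: leave AAD and report the join state
$leaveAzureAd = {
    dsregcmd.exe /debug /leave | Out-Null
    $joined = 'unknown'
    $match  = dsregcmd.exe /status | Select-String 'AzureAdJoined\s*:\s*(\w+)'
    if ($match) { $joined = $match.Matches[0].Groups[1].Value }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; AzureAdJoined = $joined }
}

$state = Invoke-Command -ComputerName $Computers -ScriptBlock $disableAutoJoin
$state | Format-Table Computer, BlockValue, TriggersEnabled

# Unjoin only where the block is confirmed; otherwise the task would simply re-register the device
$ready = $state | Where-Object { $_.BlockValue -eq 1 -and $_.TriggersEnabled -eq 0 } |
         Select-Object -ExpandProperty Computer
if ($ready) {
    Invoke-Command -ComputerName $ready -ScriptBlock $leaveAzureAd | Format-Table Computer, AzureAdJoined
} else {
    Write-Warning 'No device reported registration as blocked; nothing was unjoined'
}
```

The verification step matters because, as the post notes, simply disabling the task is not reliable: a device that still shows an enabled trigger is left alone rather than unjoined and re-registered at the next sign-in.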

AIP AutoApply Label not working as expected

I have been testing auto-apply labels in some scenarios, and what I have discovered is that the AutoApply label is not working when I activate the AutoSave toggle in Word (for example):

I’ve been testing the same policy under different circumstances (Windows 10 + Office 2101 C2R)

Turned ON AutoSave for synced libraries (Default On):

Tested creating a new Word .docx with AutoSave ON and then added a keyword in the doc to trigger the AutoApply label.

After hitting Save nothing happens; no label is applied (or suggested).

Turned OFF AutoSave for synced libraries (Default On):

Tested creating a new Word .docx with AutoSave OFF and then added a keyword in the doc to trigger the AutoApply label.

After hitting Save the AutoApply label suggests that I change the label.

But after digging some more, I noticed that if I use the built-in labeling client in Word it works with or without AutoSave. Strange, isn’t it? I do not know if it’s a limitation or what…

I will keep tracking that problem…

Extending your subnet in Azure with VXLan

Continuing with networking in Azure, today I want to talk about how to extend subnets in Azure with VXLAN. For those who do not know VXLAN, it creates a virtual overlay network on top of a LAN that works as the base. VXLAN uses a layer 3 technology to extend the network, as shown in the following diagram, where the same subnet exists on both sides (Azure and on-prem):

Example of subnet extension

So the key here is that you need a tunnel between Azure and on-prem in order to exchange traffic, but also take into account the following:

  • IP addresses of on-premises hosts are configured as additional IP addresses on the Network Interface Card (NIC) of the Azure VM (using Azure orchestration system);
  • IP addresses of Azure hosts are configured as additional IP addresses of the NIC of on-premises VM.

Whenever an on-premises host tries to reach an Azure VM it sends out an ARP request, and the on-premises Extended Network VM replies to it.

Whenever an Azure VM tries to reach an on-premises host, the Azure Virtual Router sends the traffic to the local IP address which is owned by the Azure VM running Extended Network code.

Take care and happy networking!

What do you need to know about protecting documents in M365

Most of the time, when we talk about security in M365, we talk about how to encrypt files and grant permissions to them. But… did you know you can protect a document in SharePoint and OneDrive from being accidentally altered or overwritten? I can say it is a very useful feature when AutoSave is enabled in Excel or Word files.

But… What key points do you need to know?

  1. You can only protect individual documents, not a complete document library.
  2. You cannot protect OneNote documents, neither in the desktop app nor online nor in that half-baked OneNote for Windows 10.
  3. In the desktop apps you can protect Word, Excel and PowerPoint documents against overwriting.
    (You can also use other ways of protection, but that is out-of-scope for now)
  4. In the online apps you can only protect Word and Excel, but not PowerPoint.
  5. You can protect Word and Excel files in SharePoint and OneDrive.
  6. You can only send with “review-only” in Word, not in Excel, PowerPoint or OneNote (I hope this will change in the future).
  7. You can only send with “review-only” when you share with “people you specify” or “people in your tenant with the link”.
  8. You can use “review-only” in Word in SharePoint and OneDrive.
  9. When you share the document from SharePoint with an external person who has no access to the site, they receive a code via mail as soon as they try to open the document.
  10. How does a Word document open, and which options do you have when you share the document with or without protection, with or without “review-only”, and with people in various roles in your SharePoint site? See the table below. The first word is the option the document opens with.

Enabling Microsoft Whiteboard

Have you ever used Whiteboard? If not, it is a useful application where users can create a canvas to share ideas and content; Whiteboard can also be used to collaborate with your team whether you’re in the same place or in multiple locations.

But the main problem is that to store and retrieve canvases or share them with other people, you’ll need to sign in with Office 365 credentials.

In my case, I was receiving the following message: “Your admin has disabled sign in for Whiteboard”.

But the fix is pretty simple… Simply go to the Office 365 admin portal, navigate to Settings and then to “Services & add-ins”, where you will see the new Whiteboard option and you will see that it is set to Off, so slide it over to On and press save:

The effect is immediate, and you’ll then be able to log in straight away and start working on whiteboards together!

This is an all-or-nothing approach, and at this point there are no administrative controls to enable or disable this on a per-user level, so you will need to be wary of content being stored in yet another location.

What is the app@sharepoint account?

If you’re digging into Cloud App logs, Sentinel or even Log Analytics logs, you’ll probably notice that some activities are done by an account named “app@sharepoint”.

Coming from the world of SharePoint on-prem, my first reaction was… what is this? But then I got curious about that account and started digging for some more detail. You can follow the same steps as I did:

First, in your log analytics query, type the following:

So… what can we extract from this information? That app@sharepoint is an account used as a service principal for SharePoint operations (and yes, for Teams and OneDrive as well).

Now we have solved a little mystery, and you can go on and whitelist the account if you think it’s necessary to reduce the noise in your logs.

Till next time!

Start and Stop Azure VM’s in Parallel

During a project I had to start and stop about 100 VMs. If I ran the runbook in serial mode it took about 2 hours to execute, so the only way to do it quickly was to make the runbook run in parallel. How can it be done? Easy!
# List and start VMs that carry the tag "OpeningHours" with value "7 to 16"
$vms = Get-AzVM | Where-Object { $_.Tags["OpeningHours"] -contains "7 to 16" }
$jobs = @()
foreach ($vm in $vms) {
    # Each VM is started in its own background job so they run in parallel;
    # the name and resource group are passed in because the job has its own scope
    $job = Start-Job -ScriptBlock {
        param($name, $rg)
        Start-AzVM -Name $name -ResourceGroupName $rg
    } -ArgumentList $vm.Name, $vm.ResourceGroupName
    $jobs = $jobs + $job
}
# Wait for all jobs to complete
Wait-Job -Job $jobs

That’s all. You can change Start-AzVM to Stop-AzVM -Force and you will be done.
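As an added example (not the post's own runbook), here is the same parallel pattern generalised into a runbook that takes the action as a parameter, uses the Az cmdlets' own -AsJob switch instead of Start-Job so the background jobs keep the runbook's Azure context, and reports which VMs failed instead of only waiting. It assumes the Automation account has the Az.Accounts and Az.Compute modules imported and signs in with a system-assigned managed identity; the tag name and value are the same ones used above.

```powershell
# Added example, not the original runbook: start or stop tagged VMs in parallel and
# surface failures. Assumptions: Az.Accounts/Az.Compute are imported in the Automation
# account and it authenticates with a system-assigned managed identity.
param(
    [Parameter(Mandatory)] [ValidateSet('Start', 'Stop')] [string] $Action,
    [string] $TagName  = 'OpeningHours',   # tag used to select the VMs
    [string] $TagValue = '7 to 16'         # value the tag must carry
)

Connect-AzAccount -Identity | Out-Null

# Tags is a hashtable; a VM without the tag yields $null and is filtered out
$vms = @(Get-AzVM | Where-Object { $_.Tags -and $_.Tags[$TagName] -eq $TagValue })
if ($vms.Count -eq 0) { Write-Output "No VMs found with tag $TagName = '$TagValue'"; return }

# -AsJob returns a job per VM that runs inside the current Az context, so no extra sign-in is
# needed (a Start-Job child process would not inherit the context). Keep the VM name with its job.
$work = foreach ($vm in $vms) {
    $job = if ($Action -eq 'Start') {
        Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -AsJob
    } else {
        Stop-AzVM  -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -Force -AsJob
    }
    [pscustomobject]@{ Vm = $vm.Name; Job = $job }
}

# Wait for every job, then check each one instead of assuming success
$null = Wait-Job -Job $work.Job
$failed = @()
foreach ($item in $work) {
    Receive-Job -Job $item.Job -ErrorVariable jobErr -ErrorAction SilentlyContinue | Out-Null
    if ($item.Job.State -ne 'Completed' -or $jobErr) {
        $failed += $item.Vm
        Write-Warning ("{0}: job state {1} {2}" -f $item.Vm, $item.Job.State, ($jobErr | Select-Object -First 1))
    }
}
Remove-Job -Job $work.Job

Write-Output ("{0}: {1} succeeded, {2} failed" -f $Action, ($work.Count - $failed.Count), $failed.Count)
if ($failed.Count -gt 0) { throw "VMs that failed to $Action`: $($failed -join ', ')" }
```

Throwing at the end when any VM failed makes the Automation job itself show as failed, so a VM that silently did not stop outside opening hours is visible in the job history instead of being hidden behind a green run.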