Skip to content

Protecting your data with Microsoft 365


Protecting your information is business-critical.  Get the right data protection with boxxe's Microsoft 365 service

Better information protection

Information Protection allows organisations to discover, classify, label, and protect sensitive documents and emails whether stored in the data centre or cloud

Protecting your data is business-critical

Unfortunately, in this age the risks to your organisation's data are many.  Whether that is external from hackers, malware or specifically ransomware, or internal such as intentional or un-intentional data exfiltration from your own employees, protecting your data is critical to ensuring you stay in business and out of the spotlight for the wrong reasons.

The last thing any CIO needs is a data breach and the fines, damage to reputation and loss of intellectual property that comes with it.  The worst part of this is that it affects every organisation from the most highly regulated banks to the small retail business.  After all, we all have important information now, and we all have to adhere to data protection compliance regulations such as GDPR.
So, we all have data, but how do we approach the task of managing it?  
  • Firstly it is important to know your data.  What data you have, where it is stored and the type of data that it is
  • You need to classify it test
  • Apply protection including encryption, access restrictions and visual markings
  • Prevent accidental oversharing of sensitive information whether intentional or un-intentional
  • Automatically retain, delete, and store data and records in a compliant manner

This all sounds like a lot of work already; a rock you may wish you'd never looked under.  Luckily for us, Microsoft 365 gives us a wealth of technologies that can help to protect our data whether it is held on-premises in our data centre or in the cloud.  Let's explore the various data protection products that are available within Microsoft 365.

Microsoft information protection (MIP)

Information protection allows organisations to discover, classify, label, and protect sensitive documents and emails whether stored in the data centre or cloud.  Once you have configured your labels such as 'General', 'Confidential' and 'Highly Confidential' you can associate protection rules to those classifications.  For example, preventing a 'Highly Confidential' document from being sent external to your organisation or from being printed or forwarded beyond its intended recipient.

Microsoft Information Protection works seamlessly with Microsoft office applications such as Word, Excel and Outlook, but it also works with PDFs and other file types.  It will protect your data in:

  • SharePoint
  • OneDrive
  • Exchange
  • Teams
MIP can can be set up to scan and protect your on-premises or Azure server data.
Information protection has evolved over time and has had various names over the years however they pretty much refer to similar services.  So, if you see 'Microsoft Information Protection', 'Information Protection', 'Azure Information Protection',  'Azure Rights Management', 'MIP', 'AIP', or 'RMS', they pretty much equate to the same product but like rings in a tree stump they tell a story of its evolution over time.  
At times it may seem that Microsoft is changing product names relatively often, but there is more to it than simply name changes for the same products.  MIP is an improvement upon Azure Information Protection and therefore also the further evolution of Rights Management.  Think of Microsoft Information Protection as Azure Information Protection that also includes data stored on devices as well as email and SharePoint, OneDrive, and Teams.  Microsoft Information Protection is going the extra mile to cover end user devices and is therefore a more end-to-end data protection solution.
There are two tiers of Information Protection:
  1. Plan 1 (E3) which allows you to classify and protect documents as stated above, but there is also a higher tier
  2. Plan 2 (E5) which gives you auto-classification.  Auto-classification removes the possibility of a user intentionally or un-intentionally classifying data incorrectly.

Data loss prevention

Data loss prevention allows you to prevent certain types of data from leaving the organisation. These types of data may include national insurance numbers or credit card numbers. It can be setup to prevent data from leaving or setup to notify of data that has left. DLP can work standalone or arm-in-arm with Information Protection. There is also a higher tier plan with DLP called “Communication DLP for Teams” which blocks chats and channel messages that contain sensitive information.

Insider risk management

Insider risk management is a solution that helps minimise and prevent internal risks.  It enables you to detect, investigate and act upon risky activities happening within your organisation.  Analysts can quickly review detections and implement actions to ensure users are compliant against your standards and data is protected accordingly.

Microsoft cloud app security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution that gives your organisation visibility into their use of cloud apps and services, and provides analytics to identify and protect against cyber threats. It also allows you to control how your data travels across cloud applications. MCAS is a powerful tool when connected into your existing estate. It can use the data from your firewalls or web proxies to understand exactly what your users are doing and especially what they are doing with your data, and what shadow applications or services they maybe using without your knowledge.

Microsoft information governance

The last of our favourites of the Microsoft 365 data protection products is Information Governance. Retention is hugely important in the GDPR age and Information Governance allows you to control data across your applications, looking beyond Microsoft and into third party applications such as Facebook, Twitter, LinkedIn, and WhatsApp. There are many third-party connectors which work to control your data in several ways: Retention, Litigation hold eDiscovery, Records management, Communications Compliance

What licensing options do I have?

There are a lot of different licensing plans and add-ons that you can choose from so it can be confusing.  We have created the following table to help explain the options available.

Product EMS E3 / A3 EMS E5 * / A5 Microsoft 365 E5* / A5 Microsoft 365 E3 / A3 Microsoft 365 E5** / A5 Compliance Microsoft 365 E5 * / A5 Info Protection and Governance Microsoft 365 E5 * / A5 Insider Risk Management *
Information Protection Plan 1 Y Y Y Y Y Y X
Information Protection Plan 2 (Auto classification) X Y Y X Y Y X
Communication DLP for Teams X X Y X Y Y X
Microsoft Cloud App Security X Y Y X Y Y X
Insider Risk Management X X Y X Y Y Y
Microsoft Information Governance X X Y X Y Y X

This article was written by Matt Fooks, boxxe's Workplace Pre-Sales Solutions Architect.  Contact us to book a free consultation with Matt.


Call the number below or complete this form to book your free consultation with Matt Fooks.

0330 236 9429

I would like to receive news and updates:

By completing this form you are agreeing to boxxe's terms & conditions and privacy policy.

*  Microsoft 365 Insider Risk Management also licenses several other compliance products not mentioned in this post such as Communication Compliance, Information Barriers, Customer Lockbox and Privileged Identity Management

**  Microsoft 365 E5 Compliance licenses everything in the table plus the Insider Risk Management and other great compliance features