Azure Rights Management usage logs


Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-document-tracking

Your subscription must support it

https://azure.microsoft.com/en-us/pricing/details/information-protection/

When the document tracking site is enabled, by default it shows information such as the email addresses of the people who attempted to access the protected documents, when these people tried to access them, and their location.

 

Azure Information Protection Premium P1

Azure Information Protection Premium P2

Document tracking and revocation

 

Check the PowerShell module version: you must have at least version 2.3.0.0 of the AADRM module for PowerShell.

Install the module

Install-Module -Name AADRM

Press yes when prompted.

Get all the module commands

Get-Command -Module AADRM

Or update the module

Update-Module -Name AADRM

 

(Get-Module aadrm -ListAvailable).Version

 

First you need to connect to Azure

Connect-AadrmService

Then check whether tracking is enabled

Get-AadrmDocumentTrackingFeature

You can enable it with

Enable-AadrmDocumentTrackingFeature

 

For event log monitoring

The client logs user activity to the local Windows event log Applications and Services Logs > Azure Information Protection. The events include the following information:

Client version, policy ID

IP addresses of the signed in user

File name and location

Action:

Set Label: Information ID 101

Set Label (lower): Information ID 101

Set Label (higher): Information ID 101

Remove label: Information ID 104

Recommended tip: Information ID 105

Apply custom protection: Information ID 201

Remove custom protection: Information ID 202

Sign in (operational): Information ID 902

Download policy (operational): Information ID 901

The event ID: 102

I think this is the most important event

Item Name: wordpressv1intro.docx
Item Directory: path
Process Name: WINWORD
Action: Set Label
Protection Before Action: Protected
Protection After Action: Unprotected
Owner Before Action: anyname@domain.com
Label Before Action: Internal
Label ID Before Action: labelidnaylabel
Label After Action: Public
Label ID After Action: labelidnaylabel
User Justification: teta
Labeled Before Action: Automatically
Action Source: Manual
