Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
Your subscription must support document tracking and revocation:
https://azure.microsoft.com/en-us/pricing/details/information-protection/
When the document tracking site is enabled, by default it shows information such as the email addresses of the people who attempted to access the protected documents, when they tried to access them, and their location.
| | Azure Information Protection Premium P1 | Azure Information Protection Premium P2 |
| Document tracking and revocation | | |
Check the PowerShell module version: you must have at least version 2.3.0.0 of the AADRM module for PowerShell.
Install the module:
Install-Module -Name AADRM
Press yes when prompted.
Get all the module commands:
Get-Command -Module AADRM
Or update the module:
Update-Module -Name AADRM
Check the installed version:
(Get-Module aadrm -ListAvailable).Version
First, connect to the Azure Rights Management service:
Connect-AadrmService
Then check whether document tracking is enabled:
Get-AadrmDocumentTrackingFeature
You can enable it with:
Enable-AadrmDocumentTrackingFeature
For event log monitoring:
The client logs user activity to the local Windows event log Applications and Services Logs > Azure Information Protection. The events include the following information:
Client version, policy ID
IP addresses of the signed in user
File name and location
Action:
Set Label: Information ID 101
Set Label (lower): Information ID 101
Set Label (higher): Information ID 101
Remove label: Information ID 104
Recommended tip: Information ID 105
Apply custom protection: Information ID 201
Remove custom protection: Information ID 202
Sign in (operational): Information ID 902
Download policy (operational): Information ID 901
The event id: 102
I think this is the most important event
Item Name: wordpressv1intro.docx
Item Directory: path
Process Name: WINWORD
Action: Set Label
Protection Before Action: Protected
Protection After Action: Unprotected
Owner Before Action: anyname@domain.com
Label Before Action: Internal
Label ID Before Action: labelidnaylabel
Label After Action: Public
Label ID After Action: labelidnaylabel
User Justification: teta
Labeled Before Action: Automatically
Action Source: Manual
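To monitor for events like the one above, the following added example (not part of the original post and not Microsoft's code) parses the "Name: Value" lines of an event message and flags events where protection was removed. The function names are hypothetical, the sample message is constructed from the event shown above, and the log name and the line-per-field message layout are assumptions taken from this page.

```powershell
# Parse an AIP client event message into an object, one property per field.
# Assumes the message is laid out as "Name: Value" lines, as in the sample.
function ConvertFrom-AipEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = [ordered]@{}
    foreach ($line in ($Message -split '\r?\n')) {
        # Split on the first colon only, so values such as C:\path stay intact
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$fields
}

# True when the event records a change from Protected to Unprotected.
function Test-AipProtectionRemoved {
    param([Parameter(Mandatory)]$Record)
    $Record.'Protection Before Action' -eq 'Protected' -and
        $Record.'Protection After Action' -eq 'Unprotected'
}

# Constructed sample message, modelled on the event 102 shown above
$sample = @'
Item Name: wordpressv1intro.docx
Process Name: WINWORD
Action: Set Label
Protection Before Action: Protected
Protection After Action: Unprotected
Label Before Action: Internal
Label After Action: Public
User Justification: teta
Action Source: Manual
'@

$record = ConvertFrom-AipEventMessage -Message $sample
if (Test-AipProtectionRemoved -Record $record) {
    $fmt = '{0}: {1} -> {2}, protection removed, justification "{3}"'
    $fmt -f $record.'Item Name', $record.'Label Before Action',
        $record.'Label After Action', $record.'User Justification'
}

# On a client, feed the same functions from the live log
# (log name assumed from the event viewer path given on this page):
# Get-WinEvent -FilterHashtable @{ LogName = 'Azure Information Protection'; Id = 102 } |
#     ForEach-Object { ConvertFrom-AipEventMessage -Message $_.Message } |
#     Where-Object { Test-AipProtectionRemoved -Record $_ }
```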