Student Lab Manual

MS500.3x: Set up Information Protection

Lab Scenario
You are the security administrator for Adatum Corporation, and you have Office 365 deployed in a
virtualized lab environment. In this lab, you will set up Azure and Windows Information Protection.

There are three exercises in this lab, each of which contains one of more tasks. For a successful outcome
to the lab, the exercises and their corresponding tasks must be completed in order. The three exercises
include:

Note: You may have already configured these users and groups in a previous lab therefore Exercise 1
may be redundant.

- Exercise 1: Create and license users in your organization

▪ Task 1 – Obtain your Office 365 credentials
▪ Task 2 - Create the tenant account
▪ Task 3 – Create users and groups for the trial tenant

- Exercise 2: Configure MDM auto-enrollment

▪ Task 1 – Configure MDM auto-enrollment

- Exercise 3: Configure AIP and WIP

▪ Task 1 – Configure Azure Information Protection
▪ Task 2 - Configure Windows Information Protection

WARNING – Be prepared for UI changes

Given the dynamic nature of Microsoft cloud tools, you may experience user interface (UI) changes that
were made following the development of this training content that do not match up with lab
instructions presented in this lab manual.

The Microsoft Learning team will update this training course as soon as any such changes are brought to
our attention. However, given the dynamic nature of cloud updates, you may run into UI changes before
this training content is updated. If this occurs, you will have to adapt to the changes and work through
them in the labs as needed.

Page 1
Exercise 1: Create and license users in your organization
Task 1 - Obtain Your Office 365 Credentials
Once you launch the lab, a free trial tenant will be automatically created for you to access Azure in the
Microsoft Virtual Lab environment. This tenant will be automatically assigned a unique user name and
password. You must retrieve this user name and password so that you can sign into Azure within the
Microsoft Virtual Lab environment.

1. On the XtremeLabs Online menu bar at the top of the screen, click on the Files drop-down arrow.
2. Click on O365 Credentials. A window will open with your credentials.
3. This is the user name and password you will need to sign in to Azure. Keep this page open as you will
need the information later.
4. When the lab directs you to sign in to the Azure portal at https://portal.azure.com, you will sign in
using the credentials you obtained in this task.

Task 2 - Create the tenant account for Ramiro Armenta

Perform the following steps to create a Microsoft 365 Enterprise E5 tenant account for Ramiro Armenta:

1. On LON-CL1 open a browser and go to portal.office.com.

2. Login using the O365 credentials you acquired in task 1 earlier. This should take you to the
Office 365 console. Click Admin.
3. In the Microsoft 365 admin center under Active users click + Add a user.
4. In the New user screen create the following user:
a. First name: Ramiro
b. Last name: Armenta
c. Username: Ramir
d. Domain: Leave the .onmcirosoft.com domain as the default domain
e. Role: Global administrator
f. Product licenses: Office 365 Enterprise E5 and Enterprise Mobility + Security E5
enabled
g. Password: select Let me create the password. Use this password: Pa55w.rd. Uncheck
the box that says Make user change password when they first sign in.
5. Click Add.
6. Unmark Send password in email if necessary. Click Close.
7.

Task 3 - Create the tenant account for Marguerite Ortiz

Perform the following steps to create a Microsoft 365 Enterprise E5 tenant account for Marguerite Ortiz:

1. On LON-CL1 open a browser and go to portal.office.com.

Page 2
 2. Login using the O365 credentials you acquired in task 1 earlier. This should take you to the
Office 365 console. Click Admin.
3. In the Microsoft 365 admin center under Active users click + Add a user.
4. In the New user screen create the following user:
a. First name: Marguerite
b. Last name: Ortiz
c. Username: Marguerite
d. Domain: Leave the .onmcirosoft.com domain as the default domain
e. Role: Global administrator
f. Product licenses: Office 365 Enterprise E5 and Enterprise Mobility + Security E5
enabled
g. Password: select Let me create the password. Use this password: Pa55w.rd. Uncheck
the box that says Make user change password when they first sign in.
5. Click Add.
6. Unmark Send password in email if necessary. Click Close.

Task 4 - Create a Group

In this exercise you will create two users, required for exercises that will be covered later in this lab
environment.

You should still be logged in as admin and see the Admin Center page. Perform the following steps to
create users for the lab exercises:

1. Click on Groups on the left tab and select Groups from the menu below.
2. Click on (+) Add a group to open the right New group pane.
3. Fill all the fields to create the WIP Users group:
a. Type Mail-enabled security
b. Name WIP Users
4. Create the group by clicking on Add.
5. Click Close.

You have now created two users with Microsoft 365 E5 and EMS E5 licenses assigned. Leave your web
browser on admin’s Admin center page, in the Users section, and proceed to the next exercise.

Page 3
Exercise 2: Configure MDM auto-enrollment
In this exercise you will activate the MDM auto-enrollment for new devices in your tenant. This feature
will be required for the Windows Information Protection exercise later.

Task 1 – Configure MDM auto-enrollment

Perform the following steps:

1. Open the browser on LON-CL1 and go to https://portal.azure.com.

2. You should still be signed into Microsoft 365 as admin. However, if you have been signed out of
Microsoft 365, then on the Microsoft 365 sign-in page, sign in to admin’s admin@<your tenant
here>.onmicrosoft.com account (replace the <> with the corresponding attribute from your
O365 Credentials) using a password of Pa55w.rd.
3. On the Welcome to Microsoft Azure page, click Maybe later.
4. Click on All Services, type Azure Active Directory and click on Azure Active Directory.
5. Click on Mobility (MDM and MAM) from Manage on the left-side pane.
6. Click on Microsoft Intune.
7. In the MDM User scope section, click Some and click on Select groups below.
8. Select WIP Users from the right-side pane and click Select.
9. Click on Restore default MDM URLs to ensure the correct URLs are set.
10. Click Save on the top menu.
11. Click on All Services, type Intune and click Intune.
12. Click on Device enrollment from the left pane.
13. You are requested to Choose MDM Authority. Select Intune MDM Authority and click Choose.

You have now activated the auto-enrollment feature for all devices of users, that are a member in the
Azure AD group WIP Users. Proceed with the next exercise.

Page 4
Exercise 3 – Configure AIP and WIP
Task 1 – Configure Azure Information Protection
In this exercise you will create an AIP label and add it to the default policy.

Perform the following steps:

1. Open a new browser window or select the address bar in your browser and go to
https://portal.azure.com/.
2. You should still be signed into Microsoft 365 as admin. However, if you have been signed out of
Microsoft 365, then on the Microsoft 365 sign-in page, sign in to Admin’s admin@<insert your
tenant here>.onmicrosoft.com account using a password of Pa55w.rd.
3. If you visit the Azure Portal for the first time, you need to cancel the tour by clicking on Maybe
later.
4. Click on All Services, type Azure Information Protection and click it.
5. Click on Labels under Classification.
6. Click + Add a new label on the bottom
7. On the new page, configure the following:
a. Enabled On
b. Label display name PII
c. Description Documents, Files and emails with PIIs
d. Color Black
e. Set permissions for documents and emails containing this label Protect
i. On the Protection page on the right side, select Set user-defined permissions
(Preview) and click Ok.
f. Documents with this label have a header Off
g. Documents with this label have a footer Off
h. Documents with this label have a watermark On
i. Watermark text: Personal Identifiable Information
ii. Watermark font size: Auto
iii. Watermark font name: Default
iv. Watermark color: Black
v. Watermark layout: Diagonal
i. Click Save in the upper left corner.
8. You are asked if you are sure to save the changes. Click Ok to answer the prompt.
9. Click on Policies from Classification.
10. Click on the Global policy to edit it.
a. Below the list of labels, click on Add or remove labels.
b. From the right-side menu, select PII and click Ok.
c. Also go down to Users must provide justification to set a lower classification label,
remove a label, or remove protection and switch it to On.
d. Click Save in the upper left corner.
11. You are asked if you are sure to save the changes. Click Ok to answer the prompt.

Page 5
 12. Close the Policies windows by clicking the X in the upper right corner.

You have now created a new label and added it to the default policy, valid for all users of your tenant.
Leave your web browser on admin’s Azure Portal page and proceed to the next exercise.

Task 2 – Configure Windows Information Protection

In this lesson you will create a WIP policy and assign it to your WIP Users Azure AD group.

You are still signed in as admin and on the Azure Portal page. Perform the following steps:

1. Click on All Services, type Intune and click on Microsoft Intune.

2. Click Client apps.
3. Click on App protection policies from Manage on the left side.
4. Click (+) Add a policy from the top menu.
5. On the Add a policy screen, type or select the following:
a. Name: WIP Client Protection
b. Description: <empty>
c. Platform: Windows 10
d. Enrollment state: With enrollment
e. Protected apps: Click Add apps, select Office-365-ProPlus-1810-Allowed.xml and click
Ok. On the Protected apps screen, click Ok again.
f. Exempt apps: <none>
g. Required settings: Block, click OK.
h. Advanced settings: Don’t change the default values
6. Click Create on the bottom of the screen.
7. On the Client apps - App protection policies click on the newly created policy.
8. Click on Assignments from Manage.
9. On the next screen, click on Select groups to include from the Include tab.
10. Select the WIP Users group from the list and click Select on the bottom of the screen.
11. In the Intune App Protection – Assignments area click Save.

You have now created a WIP policy (App protection policy for Windows) that is applied to any User with
an MDM enrolled device in Intune. Leave your web browser on admin’s Azure Portal page and proceed
to the next exercise.

End of lab

Page 6