Hold your own key (HYOK) details for Azure Information Protection

Applies to: Azure Information Protection

Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see Double Key Encryption.

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. While the classic client continues to work as configured, no further support is provided, and maintenance versions will no longer be released for the classic client.

We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent deprecation blog.

Hold Your Own Key (HYOK) configurations enable AIP customers with the classic client to protect highly sensitive content while maintaining full control of their key. HYOK uses an additional, customer-held key that's stored on premises for highly sensitive content, together with the default cloud-based protection used for other content.

For more information about the default, cloud-based tenant root keys, see Planning and implementing your Azure Information Protection tenant key.

Cloud-based protection vs. HYOK

Typically, protecting sensitive documents and emails using Azure Information Protection uses a cloud-based key that is either generated by Microsoft or by the customer, using a BYOK configuration.

Cloud-based keys are managed in Azure Key Vault, which provides customers with the following benefits:

  • No server infrastructure requirements. Cloud solutions are quicker and more cost-effective to deploy and maintain than on-premises solutions.

  • Cloud-based authentication enables easier sharing with partners and users from other organizations.

  • Tight integration with other Azure and Microsoft 365 services, such as search, web viewers, pivoted views, anti-malware, eDiscovery, and Delve.

  • Document tracking, revocation, and email notifications for sensitive documents that you have shared.

However, some organizations may have regulatory requirements that require specific content to be encrypted using a key that is isolated from the cloud. This isolation means that encrypted content can be read only by on-premises applications and on-premises services.

With HYOK configurations, customer tenants have both a cloud-based key to use with content that can be stored on the cloud, and an on-premises key for content that must be protected on-premises only.

HYOK guidance and best practices

When configuring HYOK, consider the following recommendations:

Important

An HYOK configuration for Azure Information Protection is not a replacement for a fully AD RMS and Azure Information Protection deployment, or an alternative to migrating AD RMS to Azure Information Protection.

HYOK is supported only by applying labels, does not offer feature parity with AD RMS, and does not support all AD RMS deployment configurations.

Content suitable for HYOK

HYOK protection doesn't provide the benefits of cloud-based protection, and often comes at the cost of "data opacity", since the content can be accessed only by on-premises applications and services. Even for organizations that use HYOK protection, it's typically suitable only for a small number of documents.

We recommend that you use HYOK only for content that matches the following criteria:

  • Content with the highest classification in your organization ("Top Secret"), where access is restricted to just a few people
  • Content that isn't shared outside the organization
  • Content that is consumed only on the internal network.

Define the users who can see HYOK-configured labels

To ensure that only users who need to apply HYOK protection see the HYOK-configured labels, configure your policy for those users with scoped policies.

HYOK and email support

Microsoft 365 services and other online services can't decrypt HYOK-protected content.

For emails, this loss of functionality includes malware scanners, encrypt-only protection, data loss prevention (DLP) solutions, mail routing rules, journaling, eDiscovery, archiving solutions, and Exchange ActiveSync.

Users may not understand why some devices aren't able to open HYOK-protected emails, leading to additional calls to your help desk. Be aware of these severe limitations when configuring HYOK protection with emails.

Supported applications for HYOK

Use Azure Information Protection labels to apply HYOK to specific documents and emails. HYOK is supported for Office versions 2013 and higher.

HYOK is an administrator configuration option for labels, and workflows remain the same, regardless of whether the content uses as cloud-based key or HYOK.

The following tables list the supported scenarios for protecting and consuming content using HYOK-configured labels:

Note

Office Web and Universal applications are not supported for HYOK.

Windows application support for HYOK

Application Protection Consumption
Azure Information Protection client with Microsoft 365 apps, Office 2019, Office 2016, and Office 2013:
Word, Excel, PowerPoint, Outlook
yes yes
Azure Information Protection client with File Explorer yes yes
Azure Information Protection Viewer Not applicable yes
Azure Information Protection client with PowerShell labeling cmdlets yes yes
Azure Information Protection scanner yes yes

macOS application support for HYOK

Application Protection Consumption
Office for Mac:
Word, Excel, PowerPoint, Outlook
no yes

iOS application support for HYOK

Application Protection Consumption
Office Mobile:
Word, Excel, PowerPoint
no yes
Office Mobile:
Outlook only
no no
Azure Information Protection Viewer Not applicable yes

Android application support for HYOK

Application Protection Consumption
Office Mobile:
Word, Excel, PowerPoint
no yes
Office Mobile:
Outlook only
no no
Azure Information Protection Viewer Not applicable yes

Implementing HYOK

Azure Information Protection supports HYOK when you have an Active Directory Rights Management Services (AD RMS) that complies with all of the requirements listed below.

Usage rights policies and the organization's private key that protects these policies are managed and kept on-premises, while the Azure Information Protection policy for labeling and classification remains managed and stored in Azure.

To implement HYOK protection:

  1. Make sure your system complies with the AD RMS requirements
  2. Locate the information you want to protect

When you're ready, continue with How to configure a label for Rights Management protection.

Requirements for AD RMS to support HYOK

An AD RMS deployment must meet the following requirements to provide HYOK protection for Azure Information Protection labels:

Requirement Description
AD RMS configuration Your AD RMS system must be configured in specific ways to support HYOK. For more information, see below.
Directory synchronization Directory synchronization must be configured between your on-premises Active Directory and the Azure Active Directory.

Users who will use HYOK protection labels must be configured for single-sign-on.
Configuration for explicitly defined trusts If you share HYOK-protected content with others outside your organization, AD RMS must be configured for explicitly defined trusts in a direct point-to-point relationship with the other organizations.

Do this using trusted user domains (TUDs) or federated trusts that are created using Active Directory Federation Services (AD FS).
Microsoft Office supported version Users who are protecting or consuming HYOK-protected content must have:

- A version of Office that supports Information Rights Management (IRM)
- Microsoft Office Professional Plus version 2013 or later with Service Pack 1, running on Windows 7 Service Pack 1 or later.
- For the Office 2016 Microsoft Installer (.msi)-based edition, you must have the update 4018295 for Microsoft Office 2016 that was released on March 6, 2018.

Note: Office 2010 and Office 2007 are not supported. For more information, see AIP and legacy Windows and Office versions.

Important

To fulfill the high assurance that HYOK protection offers, we recommend:

  • Locating your AD RMS servers outside of your DMZ, and ensuring that they are used only by managed devices.

  • Configure your AD RMS cluster with a hardware security module (HSM). This helps to ensure that your Server Licensor Certificate (SLC) private key cannot be exposed or stolen if your AD RMS deployment should ever be breached or compromised.

Tip

For deployment information and instructions for AD RMS, see Active Directory Rights Management Services in the Windows Server library.

AD RMS configuration requirements

To support HYOK, ensure that your AD RMS system has the following configurations:

Requirement Description
Windows version At minimum, one of the following Windows versions:

Production environments: Windows Server 2012 R2
Testing/evaluation environments: Windows Server 2008 R2 with Service Pack 1
Topology HYOK requires one of the following topologies:
- A single forest, with a single AD RMS cluster
- Multiple forests, with AD RMS clusters in each of them.

Licensing for multiple forests
If you have multiple forests, each AD RMS cluster shares a licensing URL that points to the same AD RMS cluster.
On this AD RMS cluster, import all the trusted user domain (TUD) certificates from all other AD RMS clusters.
For more information about this topology, see Trusted User Domain.

Global policy labels for multiple forests
When you have multiple AD RMS clusters in separate forests, delete any labels in the global policy that apply HYOK (AD RMS) protection and configure a scoped policy for each cluster.
Assign users for each cluster to their scoped policy, making sure that you do not use groups that would result in a user being assigned to more than one scoped policy.
The result should be that each user has labels for one AD RMS cluster only.
Cryptographic mode Your AD RMS must be configured with Cryptographic Mode 2.
Confirm the mode by checking the AD RMS cluster properties, General tab.
Certification URL configuration Each AD RMS server must be configured for the certification URL.
For more information, see below.
Service connection points A service connection point (SCP) is not used when you use AD RMS protection with Azure Information Protection.

If you have an SCP registered for your AD RMS deployment, remove it to ensure that service discovery is successful for Azure Rights Management protection.

If you are installing a new AD RMS cluster for HYOK, do not register the SCP when configuring the first node. For each additional node, make sure that the server is configured for the certification URL before you add the AD RMS role and join the existing cluster.
SSL/TLS In production environments, the AD RMS servers must be configured to use SSL/TLS with a valid x.509 certificate that is trusted by the connecting clients.

This is not required for testing or evaluation purposes.
Rights templates You must have rights templates configured for your AD RMS.
Exchange IRM Your AD RMS cannot not be configured for Exchange IRM.
Mobile devices / Mac computers You must have the Active Directory Rights Management Services Mobile Device Extension installed and configured.

Configuring AD RMS servers to locate the certification URL

  1. On each AD RMS server in the cluster, create the following registry entry:

    Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\GICURL = "<string>"`
    

    For the <string value>, specify one of the following strings:

    Environment String value
    Production
    (AD RMS clusters using SSL/TLS)
    https://<cluster_name>/_wmcs/certification/certification.asmx
    Testing / evaluation
    (no SSL/TLS)
    http://<cluster_name>/_wmcs/certification/certification.asmx
  2. Restart IIS.

Locating the information to specify AD RMS protection with an Azure Information Protection label

Configuring HYOK-protection labels requires that you specify the licensing URL of your AD RMS cluster.

Additionally, you must either specify a template that you've configured with the permissions you want to grant users, or enable users to define permissions and users.

Do the following to locate the template GUID and licensing URL values from the Active Directory Rights Management Services console:

Locate a template GUID

  1. Expand the cluster and click Rights Policy Templates.

  2. From the Distributed Rights Policy Templates information, copy the GUID from the template you want to use.

For example: 82bf3474-6efe-4fa1-8827-d1bd93339119

Locate the licensing URL

  1. Click the cluster name.

  2. From the Cluster Details information, copy the Licensing value minus the /_wmcs/licensing string.

For example: https://rmscluster.contoso.com

Note

If you have different extranet and intranet licensing values, specify the extranet value only if you will be sharing protected content with partners. Partners who share protected content must be defined with explicit point-to-point trusts.

If you are not sharing protected content, use the intranet value and make sure that all client computers that are using AD RMS protection with Azure Information Protection connect via an intranet connection. For example, remote computers must use a VPN connection.

Next steps

When you're done configuring your system to support HYOK, continue with configuring labels for HYOK protection. For more information, see How to configure a label for Rights Management protection.