Azure Information Protection deployment roadmap

Applies to: Azure Information Protection, Office 365

Use the following steps as recommendations to help you prepare for, implement, and manage Azure Information Protection for your organization.

Alternatively:

Identify your deployment roadmap

Before you implement any of the following steps to deploy Azure Information Protection, make sure that you have reviewed Requirements for Azure Information Protection.

Then choose the deployment roadmap that's applicable for your organization and that matches the subscription functionality and features that you need:

  • Use classification, labeling, and protection

    The recommended path when you have a supporting subscription because the additional capabilities support discovering sensitive information, and labeling documents and emails for classification. The labels can also apply protection, abstracting this complexity from users.

    The deployment steps are suitable for Azure Information Protection labels, and sensitivity labels that use the unified labeling platform.

  • Use data protection only

    The path to use when you don't have a subscription that supports classification and labels, but does support protection without labels.

Deployment roadmap for classification, labeling, and protection

Note

Already using the protection functionality from Azure Information Protection? You can skip many of these steps and focus on steps 3 and 5.1.

Step 1: Confirm your subscription and assign user licenses

Review the subscription information and feature list from the Azure Information Protection Pricing page to confirm that your organization has a subscription that includes the functionality and features that you expect. Then, assign licenses from this subscription to each user in your organization who will classify, label, and protect documents and emails.

Note: Do not manually assign user licenses from the free RMS for individuals subscription and do not use this license to administer the Azure Rights Management service for your organization. These licenses display as Rights Management Adhoc in the Microsoft 365 admin center, and RIGHTSMANAGEMENT_ADHOC when you run the Azure AD PowerShell cmdlet, Get-MsolAccountSku. For more information about how the RMS for individuals subscription is automatically granted and assigned to users, see RMS for individuals and Azure Information Protection.

Step 2: Prepare your tenant to use Azure Information Protection

Before you begin using Azure Information Protection, make sure that you have user accounts and groups in Office 365 or Azure Active Directory. These user accounts and groups will be used by Azure Information Protection to authenticate and authorize users from your organization. If necessary, create these accounts and groups, or synchronize them from your on-premises directory.

For more information, see Preparing users and groups for Azure Information Protection.

Step 3: Configure and deploy classification and labeling

Before you configure labels and policy settings, decide which Azure Information Protection client you're going to use: The classic client or the unified labeling client. Or you might need both clients. This client decision is needed now, so you know which management portal to use to configure labels and policy settings. For more information and to help you with this decision, see Choose which Azure Information Protection client to use.

Tip

Optional but recommended: Consider using the scanner quickstart to discover what sensitive information you have on your local data stores. The information that the scanner finds can help you with your classification taxonomy, provide valuable information about what labels you need, and which files need protecting.

Because the scanner discovery mode doesn't require you to configure labels or even have your classification taxonomy defined, running the scanner in this way is suitable for this very early stage of your deployment. You can also use this configuration of the scanner in parallel with the following deployment steps, until you configure recommended or automatic labeling.

If you don't already have a classification strategy, review the default Azure Information Protection policy and use this as the basis for deciding what classification labels to assign to your organization data. You can customize these to meet your business requirements.

Reconfigure your labels to make any changes you need to support your classification decisions. Configure the policy for manual labeling by users, and write user guidance that explains which label to apply and when. If your default policy was created with labels that automatically apply protection, temporarily remove the protection settings or disable the label. For more information about how to configure the labels and policy settings, see the following documentation:

Then deploy the Azure Information Protection client (classic) or the Azure Information Protection unified labeling client for users. Provide user training and specific instructions when to select the labels. For more information about installing and supporting the clients, see the admin guides:

After a period of time, when users are comfortable labeling their documents and emails, introduce more advanced configurations. These might include the following:

  • Apply a default label

  • Prompt users for justification if they choose a label with a lower classification level or remove a label

  • Mandate that all documents and emails have a label

  • Customized headers, footers, or watermarks

  • Recommended and automatic labeling

At this stage, do not select the option to protect documents and emails. However, after you have configured labels for automatic labeling, run the Azure Information Protection scanner on your local data stores in discovery mode, configured to match your policy. Running the scanner with this configuration tells you which labels would be applied to files. This information helps you fine-tune your label configuration and prepares you for classifying and protecting files in bulk.

Step 4: Prepare for data protection

When users are comfortable labeling documents and emails, you're ready to start introducing data protection for your most sensitive data. This stage requires the following preparation:

  1. Decide whether you want Microsoft to manage your tenant key (the default), or generate and manage your tenant key yourself (known as bring your own key, or BYOK). For more information, see Planning and implementing your Azure Information Protection tenant key.

  2. Install the PowerShell module for AIPService on at least one computer that has internet access. You can do this step now, or later. For more information, see Installing the AIPService PowerShell module.

  3. If you are currently using AD RMS: Perform a migration to move the keys, templates, and URLs to the cloud. For more information, see Migrating from AD RMS to Information Protection.

  4. Make sure that the protection service is activated so that you can begin to protect documents and emails. If a phased deployment is required, configure user onboarding controls to restrict users' ability to apply protection. For more information, see Activating the protection service from Azure Information Protection.
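The preparation in items 2 and 4 above, as an added example that is not part of the original page: it uses the AIPService module to check whether the protection service is activated, activate it if needed, and then scope protection to a pilot group for a phased deployment. It assumes the module is already installed and that you sign in with an account that administers Azure Information Protection; the group object ID is a placeholder.

```powershell
# Added example (not from the original page): Step 4 preparation with the AIPService module.
# Assumes the AIPService module is installed and that the signed-in account has rights to
# administer Azure Information Protection. The group object ID below is a placeholder.

Connect-AipService   # prompts for tenant administrator credentials

# Get-AipService returns 'Enabled' or 'Disabled' for the protection service of this tenant.
$state = Get-AipService
if ($state -ne 'Enabled') {
    Enable-AipService
    Write-Host 'Protection service activated.'
} else {
    Write-Host 'Protection service was already enabled.'
}

# Phased deployment: restrict who can apply protection until the rollout is complete.
# -UseRmsUserLicense $true allows protection only for users who hold an assigned license;
# -SecurityGroupObjectId narrows that further to members of one Azure AD security group.
$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the pilot group

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $true `
    -SecurityGroupObjectId $pilotGroupId -Scope All

# Read the policy back to confirm what is now in force before telling users to start protecting.
Get-AipServiceOnboardingControlPolicy
```

Widening the rollout later is a matter of re-running Set-AipServiceOnboardingControlPolicy with a broader group, or with -UseRmsUserLicense $false and no group once every user should be able to protect content.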

Optionally, consider configuring the following:

Step 5: Configure labels and settings, applications, and services for data protection

  1. Update your labels to apply protection

    For the Azure Information Protection client (classic), see How to configure a label for Rights Management protection.

    For the Azure Information Protection unified labeling client, see Restrict access to content by using encryption in sensitivity labels.

    Note that users can apply labels in Outlook that apply Rights Management protection even if Exchange is not configured for information rights management (IRM). However, until Exchange is configured for IRM or Office 365 Message Encryption with new capabilities, your organization will not get the full functionality of using Azure Rights Management protection with Exchange. This additional configuration is included in the following list (2 for Exchange Online, and 5 for Exchange on-premises).

  2. Configure Office applications and services

    Configure Office applications and services for the information rights management (IRM) features in SharePoint Online or Exchange Online. For more information, see Configuring applications for Azure Rights Management.

  3. Configure the super user feature for data recovery

    If you have existing IT services that need to inspect files that Azure Information Protection will protect—such as data leak prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products—configure the service accounts to be super users for Azure Rights Management. For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

  4. Classify and protect existing files in bulk

    For your on-premises data stores, now run the Azure Information Protection scanner in enforcement mode so that files are automatically labeled. For cloud-based data stores, use Azure Cloud App Security.

    For files on PCs, you can use PowerShell cmdlets to classify and protect files. For more information, see the following admin guides:

  5. Deploy the connector for IRM-protected libraries on SharePoint Server, and IRM-protected emails for Exchange on-premises

    If you have SharePoint and Exchange on-premises and want to use their information rights management (IRM) features, install and configure the Rights Management connector. For more information, see Deploying the Azure Rights Management connector.
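Items 3 and 4 of Step 5, as an added example that is not part of the original page. Part A uses the AIPService module to enable the super user feature and register a content-inspection service account; Part B uses the Azure Information Protection client cmdlets to report which files on a share are still unlabeled and then label only those. The service account address, share path and label GUID are placeholders, and the client is assumed to be installed on the machine running Part B.

```powershell
# Added example (not from the original page): Step 5, items 3 (super users) and 4 (bulk labeling).
# Part A requires the AIPService module and an AIP administrator sign-in.
# Part B requires the Azure Information Protection client cmdlets on this machine.
# Service account, share path and label ID are placeholders.

# --- Part A: let a DLP / content-inspection service account read files that AIP protects ---
Connect-AipService
Enable-AipServiceSuperUserFeature                  # the feature is disabled by default
Add-AipServiceSuperUser -EmailAddress 'dlp-svc@contoso.example'   # placeholder service account
Get-AipServiceSuperUser                            # review: every entry here can decrypt any tenant content

# --- Part B: label existing files on an on-premises share in bulk ---
$share   = '\\fileserver\finance'                          # placeholder path
$labelId = '11111111-2222-3333-4444-555555555555'          # placeholder: GUID of the label to apply

# Inventory first: Get-AIPFileStatus reports IsLabeled and the current label for each file.
$status = Get-AIPFileStatus -Path $share
$status | Group-Object IsLabeled | Select-Object Name, Count

# Label only the files that carry no label yet, and keep the per-file result for the deployment record.
$results = $status | Where-Object { -not $_.IsLabeled } |
    ForEach-Object { Set-AIPFileLabel -Path $_.FileName -LabelId $labelId }
$results | Select-Object FileName, Status, Comment | Format-Table -AutoSize
```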

Step 6: Use and monitor your data protection solutions

You're now ready to monitor how your organization is using the labels that you've configured and confirm that you're protecting sensitive information. For additional information to support this deployment phase, see the following:

Step 7: Administer the protection service for your tenant account as needed

As you begin to use the protection service, you might find PowerShell useful to help script or automate administrative changes. PowerShell might also be needed for some of the advanced configurations.

For more information, see Administering protection from Azure Information Protection by using PowerShell.

Deployment roadmap for data protection only

Step 1: Confirm that you have a subscription that includes the protection service from Azure Information Protection

Review the subscription information and feature list from the Azure Information Protection Pricing page to confirm that your organization has a subscription that includes the functionality and features that you expect. Then, assign a license from this subscription to each user in your organization who will protect documents and emails.

Note: Do not manually assign user licenses from the free RMS for individuals subscription and do not use this license to administer the Azure Rights Management service for your organization. These licenses display as Rights Management Adhoc in the Microsoft 365 admin center, and RIGHTSMANAGEMENT_ADHOC when you run the Azure AD PowerShell cmdlet, Get-MsolAccountSku. For more information about how the RMS for individuals subscription is automatically granted and assigned to users, see RMS for individuals and Azure Information Protection.

Step 2: Prepare your tenant to use Azure Information Protection

Before you begin using the protection service from Azure Information Protection, do the following preparation:

  1. Make sure that your Office 365 tenant contains the user accounts and groups that will be used by Azure Information Protection to authenticate and authorize users from your organization. If necessary, create these accounts and groups, or synchronize them from your on-premises directory. For more information, see Preparing users and groups for Azure Information Protection.

  2. Decide whether you want Microsoft to manage your tenant key (the default), or generate and manage your tenant key yourself (known as bring your own key, or BYOK). For more information, see Planning and implementing your Azure Information Protection tenant key.

  3. Install the PowerShell module for AIPService on at least one computer that has internet access. You can do this step now, or later. For more information, see Installing the AIPService PowerShell module.

  4. If you are currently using AD RMS: Perform a migration to move the keys, templates, and URLs to the cloud. For more information, see Migrating from AD RMS to Azure Information Protection.

  5. Make sure that the protection service is activated so that you can begin to protect documents and emails. If a phased deployment is required, configure user onboarding controls to restrict users' ability to apply protection. For more information, see Activating the protection service from Azure Information Protection.

Optionally, consider configuring the following:

Step 3: Install the Azure Information Protection client (classic) and configure applications and services for Rights Management

  1. Deploy the Azure Information Protection client (classic)

    Install the classic client for users to support Office 2010, to protect files other than Office documents and emails, and to track protected documents. Provide user training for this client. For more information, see Azure Information Protection client for Windows.

  2. Configure Office applications and services

    Configure Office applications and services for the information rights management (IRM) features in SharePoint Online or Exchange Online. For more information, see Configuring applications for Azure Rights Management.

  3. Configure the super user feature for data recovery

    If you have existing IT services that need to inspect files that Azure Information Protection will protect—such as data leak prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products—configure the service accounts to be super users for Azure Rights Management. For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

  4. Protect existing files in bulk

    You can use PowerShell cmdlets to bulk-protect or bulk-unprotect multiple file types. For more information, see Using PowerShell with the Azure Information Protection client from the admin guide.

    For files on Windows-based file servers, you can use these cmdlets with a script and Windows Server File Classification Infrastructure. For more information, see RMS protection with Windows Server File Classification Infrastructure (FCI).

  5. Deploy the connector for on-premises servers

    If you have on-premises services that you want to use with the protection service, install and configure the Rights Management connector. For more information, see Deploying the Azure Rights Management connector.
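Item 4 of this step (bulk protection without labels), as an added example that is not part of the original page: it resolves a protection template by name with Get-RMSTemplate, reports which files on a share are already protected, and then protects the folder in place with Protect-RMSFile. It assumes the Azure Information Protection client (classic) cmdlets are installed and the user is signed in; the share path and template name are placeholders.

```powershell
# Added example (not from the original page): protection-only roadmap, Step 3 item 4.
# Uses Get-RMSTemplate, Get-RMSFileStatus and Protect-RMSFile from the Azure Information
# Protection client (classic). Share path and template name are placeholders.

$share        = '\\fileserver\hr'              # placeholder path
$templateName = 'Contoso - Confidential'       # placeholder: display name of an Azure RMS template

# Resolve the template by name and stop early if it does not exist in this tenant.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "Template '$templateName' not found; run Get-RMSTemplate to list the available templates."
}

# Report the current state before changing anything: how many files are already protected?
Get-ChildItem -Path $share -File -Recurse |
    ForEach-Object { Get-RMSFileStatus -File $_.FullName } |
    Group-Object Status | Select-Object Name, Count

# Protect every file under the share in place with the chosen template.
# -InPlace replaces each original with its protected version, so keep the returned log.
$log = Protect-RMSFile -Folder $share -Recurse -InPlace -TemplateId $template.TemplateId
$log | Select-Object InputFile, EncryptedFile | Format-Table -AutoSize
```

Because -InPlace overwrites the originals, run this against a copy or a test folder first and confirm that the intended users can still open the protected files before applying it to production shares.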

Step 4: Use and monitor your data protection solutions

You're now ready to protect your data, and log how your company is using the protection service. For additional information to support this deployment phase, see Helping users to protect files by using the Azure Rights Management service and Logging and analyzing the protection usage from Azure Information Protection.

Step 5: Administer the protection service for your tenant account as needed

As you begin to use the protection service, you might find PowerShell useful to help script or automate administrative changes. PowerShell might also be needed for some of the advanced configurations.

For more information, see Administering protection from Azure Information Protection by using PowerShell.

Next steps

As you deploy Azure Information Protection, you might find it helpful to check the frequently asked questions, and the information and support page for additional resources.