Azure Information Protection requirements

Applies to: Azure Information Protection

Relevant for: AIP unified labeling client and AIP classic client.

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. While the classic client continues to work as configured, no further support is provided, and maintenance versions will no longer be released for the classic client.

We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent deprecation blog.

Before deploying Azure Information Protection, ensure that your system meets the following prerequisites:

Subscription for Azure Information Protection

You must have an Azure Information Protection plan for classification, labeling, and protection using the Azure Information Protection scanner or client. To verify that your subscription includes the Azure Information Protection features you want to use, check the feature list at Azure Information Protection pricing.

If you have questions about subscriptions or licensing, do not post them on this page. Instead, see if they are answered in the frequently asked questions for licensing. If your question is not answered there, contact your Microsoft Account Manager or Microsoft Support.

Tip

For a full picture of the Microsoft Information Protection (MIP) licensing requirements per feature, see the Microsoft 365 Compliance Licensing Comparison spreadsheet.

Azure Active Directory

To support authentication and authorization for Azure Information Protection, you must have an Azure Active Directory (AD). To use user accounts from your on-premises directory (AD DS), you must also configure directory integration.

  • Single sign-on (SSO) is supported for Azure Information Protection so that users are not repeatedly prompted for their credentials. If you use another vendor solution for federation, check with that vendor for how to configure it for Azure AD. WS-Trust is a common requirement for these solutions to support single sign-on.

  • Multi-factor authentication (MFA) is supported with Azure Information Protection when you have the required client software and have correctly configured the MFA-supporting infrastructure.

Conditional access is supported in preview for documents protected by Azure Information Protection. For more information, see: I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?

Additional prerequisites are required for specific scenarios, such as when using certificate-based or multi-factor authentication, or when UPN values don't match user email addresses.

For more information, see:

Client devices

User computers or mobile devices must run on an operating system that supports Azure Information Protection.

Supported operating systems for client devices

The Azure Information Protection clients for Windows are supported are the following operating systems:

  • Windows 10 (x86, x64). Handwriting is not supported in the Windows 10 RS4 build and later.

  • Windows 8.1 (x86, x64)

  • Windows 8 (x86, x64)

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012 R2 and Windows Server 2012

For details about support in earlier versions of Windows, contact your Microsoft account or support representative.

Note

When the Azure Information Protection clients protect the data by using the Azure Rights Management service, the data can be consumed by the same devices that support the Azure Rights Management service.

ARM64

ARM64 is not currently supported.

Virtual machines

If you're working with virtual machines, check whether the software vendor for your virtual desktop solution as additional configurations required for running the Azure Information Protection unified labeling or the Azure Information Protection client.

For example, for Citrix solutions, you might need to disable Citrix Application Programming Interface (API) hooks for Office, the Azure Information Protection unified labeling client, or the Azure Information Protection client.

These applications use the following files, respectively: winword.exe, excel.exe, outlook.exe, powerpnt.exe, msip.app.exe, msip.viewer.exe

Server support

For each of the server versions listed above, Azure Information Protection clients are supported for Remote Desktop Services.

If you delete user profiles when you use the Azure Information Protection clients with Remote Desktop Services, do not delete the %Appdata%\Microsoft\Protect folder.

Additionally, Server Core and Nano Server are not supported.

Additional requirements per client

Each Azure Information Protection client has additional requirements. For details, see:

Applications

The Azure Information Protection clients can label and protect documents and emails by using Microsoft Word, Excel, PowerPoint, and Outlook from any of the following Office editions:

  • Office apps, for the versions listed in the table of supported versions for Microsoft 365 Apps by update channel, from Microsoft 365 Apps for Business or Microsoft 365 Business Premium, when the user is assigned a license for Azure Rights Management (also known as Azure Information Protection for Office 365)

  • Microsoft 365 Apps for Enterprise

  • Office Professional Plus 2019

  • Office Professional Plus 2016

  • Office Professional Plus 2013 with Service Pack 1

  • Office Professional Plus 2010 with Service Pack 2

Other editions of Office cannot protect documents and emails by using a Rights Management service. For these editions, Azure Information Protection is supported for classification only, and labels that apply protection are not displayed for users.

Labels are displayed in a bar displayed at the top of the Office document, accessible from the Sensitivity button in the unified labeling client, or the Protect button in the classic client.

For more information, see Applications that support Azure Rights Management data protection.

Important

Office 2010 extended support ended on October 13, 2020. For more information, see AIP and legacy Windows and Office versions.

Office features and capabilities not supported

  • The Azure Information Protection clients for Windows do not support multiple versions of Office on the same computer, or switching user accounts in Office.

  • The Office mail merge feature is not supported with any Azure Information Protection feature.

Firewalls and network infrastructure

If you have a firewalls or similar intervening network devices that are configured to allow specific connections, the network connectivity requirements are listed in this Office article: Microsoft 365 Common and Office Online.

Azure Information Protection has the following additional requirements:

  • Unified labeling client. To download labels and label policies, allow the following URL over HTTPS: *.protection.outlook.com

  • Web proxies. If you use a web proxy that requires authentication, you must configure the proxy to use integrated Windows authentication with the user's Active Directory sign in credentials.

    To support Proxy.pac files when using a proxy to acquire a token, add the following new registry key:

    • Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP\
    • Key: UseDefaultCredentialsInProxy
    • Type: DWORD
    • Value: 1
  • TLS client-to-service connections. Do not terminate any TLS client-to-service connections, for example to perform packet-level inspection, to the aadrm.com URL. Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.

    To determine whether your client connection is terminated before it reaches the Azure Rights Management service, use the following PowerShell commands:

    $request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc")
    $request.GetResponse()
    $request.ServicePoint.Certificate.Issuer
    

    The result should show that the issuing CA is from a Microsoft CA, for example: CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.

    If you see an issuing CA name that is not from Microsoft, it is likely that your secure client-to-service connection is being terminated and needs reconfiguration on your firewall.

  • TLS version 1.2 or higher (unified labeling client only). The unified labeling client requires a TLS version of 1.2 or higher to ensure the use of cryptographically secure protocols and align with Microsoft security guidelines.

  • Microsoft 365 Enhanced Configuration Service (ECS). AIP must have access to the config.edge.skype.com URL, which is a Microsoft 365 Enhanced Configuration Service (ECS).

    ECS provides Microsoft the ability to reconfigure AIP installations without the need for you to redeploy AIP. It’s used to control the gradual rollout of features or updates, while the impact of the rollout is monitored from diagnostic data being collected.

    ECS is also used to mitigate security or performance issues with a feature or update. ECS also supports configuration changes related to diagnostic data, to help ensure that the appropriate events are being collected.

    Limiting the config.edge.skype.com URL may affect Microsoft’s ability to mitigate errors and may affect your ability to test preview features.

    For more information, see Essential services for Office - Deploy Office.

  • Audit logging URL network connectivity. AIP must be able to access the following URLs in order to support AIP audit logs:

    • https://*.events.data.microsoft.com
    • https://*.aria.microsoft.com (Android device data only)

    For more information, see Prerequisites for AIP reporting.

Coexistence of AD RMS with Azure RMS

Using AD RMS and Azure RMS side by side, in the same organization, to protect content by the same user in the same organization, is only supported in AD RMS for HYOK (hold your own key) protection with Azure Information Protection.

This scenario is not supported during migration. Supported migration paths include:

Tip

If you deploy Azure Information Protection and then decide that you no longer want to use this cloud service, see Decommissioning and deactivating Azure Information Protection.

For other, non-migration scenarios, where both services are active in the same organization, both services must be configured so that only one of them allows any given user to protect content. Configure such scenarios as follows:

  • Use redirections for an AD RMS to Azure RMS migration

  • If both services must be active for different users at the same time, use service-side configurations to enforce exclusivity. Use the Azure RMS onboarding controls in the cloud service, and an ACL on the Publish URL to set Read-Only mode for AD RMS.

Service Tags

If you are using an Azure endpoint and an NSG, make sure to allow access to all ports for the following Service Tags:

  • AzureInformationProtection
  • AzureActiveDirectory
  • AzureFrontDoor.Frontend

Additionally, in this case, the Azure Information Protection service also depends on the following IP addresses and port:

  • 13.107.9.198
  • 13.107.6.198
  • 2620:1ec:4::198
  • 2620:1ec:a92::198
  • 13.107.6.181
  • 13.107.9.181
  • Port 443, for HTTPS traffic

Make sure to create rules that allow outbound access to these specific IP addresses, and via this port.

Supported on-premises servers for Azure Rights Management data protection

The following on-premises servers are supported with Azure Information Protection when you use the Microsoft Rights Management connector.

This connector acts as a communications interface, and relays between on-premises servers and the Azure Rights Management service, which is used by Azure Information Protection to protect Office documents and emails.

To use this connector, you must configure directory synchronization between your Active Directory forests and Azure Active Directory.

Supported servers include:

Server type Supported versions
Exchange Server - Exchange Server 2019
- Exchange Server 2016
- Exchange Server 2013
- Exchange Server 2010
Office SharePoint Server - Office SharePoint Server 2016
- Office SharePoint Server 2013
- Office SharePoint Server 2010
File servers that run Windows Server and use File Classification Infrastructure (FCI) - Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012

For more information, see Deploying the Microsoft Rights Management connector.

Supported operating systems for Azure Rights Management

The following operating systems support the Azure Rights Management service, which provides data protection for AIP:

OS Supported versions
Windows computers - Windows 7 (x86, x64)
- Windows 8 (x86, x64)
- Windows 8.1 (x86, x64)
- Windows 10 (x86, x64)
macOS Minimum version of macOS 10.8 (Mountain Lion)
Android phones and tablets Minimum version of Android 6.0
iPhone and iPad Minimum version of iOS 11.0
Windows phones and tablets Windows 10 Mobile

Next steps

Once you've reviewed all AIP requirements and confirmed that your system complies, continue with Preparing users and groups for Azure Information Protection.