Frequently asked questions for Azure Information Protection

Applies to: Azure Information Protection, Office 365

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Have a question about Azure Information Protection, or about the Azure Rights Management service (Azure RMS)? See if it's answered here.

What's the difference between Azure Information Protection and Microsoft Information Protection?

Unlike Azure Information Protection, Microsoft Information Protection isn't a subscription or product that you can buy. Instead, it's a framework for products and integrated capabilities that help you protect your organization's sensitive information.

Microsoft Information Protection products include:

  • Azure Information Protection
  • Office 365 Information Protection, such as Office 365 DLP
  • Windows Information Protection
  • Microsoft Cloud App Security

Microsoft Information Protection capabilities include:

  • Unified label management
  • End-user labeling experiences built into Office apps
  • The ability for Windows to understand unified labels and apply protection to data
  • The Microsoft Information Protection SDK
  • Functionality in Adobe Acrobat Reader to view labeled and protected PDFs

For more information, see Information protection capabilities to help protect your sensitive data.

What's the difference between labels in Azure Information Protection and labels in Office 365?

Originally, Office 365 had just retention labels that enabled you to classify documents and emails for auditing and retention when that content was stored in Office 365 services.

In contrast, Azure Information Protection labels enabled you to apply a consistent classification and protection policy for documents and emails whether they were stored on-premises or in the cloud.

Announced at Microsoft Ignite 2018 in Orlando, Office 365 now has the option to create and configure sensitivity labels, in addition to retention labels. Sensitivity labels can be created and configured in the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

Use Azure Information Protection labels as sensitivity labels with Office 365 apps by migrating your AIP labels to the unified labeling store.

For more information about unified labeling management and support, see Announcing availability of information protection capabilities to help protect your sensitive data.

How can I determine if my tenant is on the unified labeling platform?

When your tenant is on the unified labeling platform, it supports sensitivity labels that can be used by clients and services that support unified labeling. If you obtained your subscription for Azure Information Protection in June 2019 or later, your tenant is automatically on the unified labeling platform and no further action is needed. Your tenant might also be on this platform because somebody migrated your Azure Information Protection labels.

If your tenant is not on the unified labeling platform, you'll see the following information banner in the Azure portal, on the Azure Information Protection panes:

Migration information banner

You can also check by going to Azure Information Protection > Manage > Unified labeling, and view the Unified labeling status:

  • Activated: Your tenant is on the unified labeling platform. You can create, configure, and publish labels from the Microsoft 365 compliance center.
  • Not activated: Your tenant is not on the unified labeling platform. For migration instructions and guidance, see How to migrate Azure Information Protection labels to unified sensitivity labels.

What's the difference between the Azure Information Protection classic and unified labeling clients?

The original client, referred to as the Azure Information client or the classic client, downloads labels and policy settings from Azure and enables you to configure the AIP policy from the Azure portal.

The unified labeling client is a more recent addition and supports the unified labeling store used by multiple applications and services. The unified labeling client downloads sensitivity labels and policy settings from the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

If you're an admin and aren't sure which client to use, see Choose which Azure Information Protection client to use.

Identify the client you have installed

If you are a user who wants to verify whether you have the classic or unified labeling client installed, select Help and Feedback to show the Microsoft Azure Information Protection dialog box.

For example:

Identify whether you have the classic or unified client installed

The version number indicates the client, as follows:

  • Versions 1.x indicate that you have the classic client. Example: 1.54.59.0
  • Versions 2.x indicate that you have the unified labeling client. Example: 2.6.111.0

Access this dialog using one of the following methods:

  • In the File Explorer, right-click a file, files, or folder, select Classify and protect > Help and Feedback.
  • In Office applications, the classic client has a Protect button, and the unified labeling client has a Sensitivity button. Select either of these buttons and then select Help and Feedback.
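As an added example (not part of the original page), the same 1.x/2.x rule can be applied from PowerShell to check which client is deployed on a machine without opening the dialog. It assumes the client registers a Windows uninstall entry whose DisplayName starts with "Microsoft Azure Information Protection"; adjust the filter if your build differs.

```powershell
# Added example: identify the installed AIP client from the Windows uninstall
# registry entries. Assumption: the client's uninstall entry DisplayName starts
# with "Microsoft Azure Information Protection".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AipClientType {
    param([string]$Version)
    # Rule from the FAQ: 1.x = classic client, 2.x = unified labeling client
    $parsed = $null
    if (-not [version]::TryParse($Version, [ref]$parsed)) { return 'Unknown' }
    switch ($parsed.Major) {
        1       { return 'Classic client' }
        2       { return 'Unified labeling client' }
        default { return 'Unknown' }
    }
}

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Azure Information Protection*' }

if (-not $entries) {
    Write-Output 'No Azure Information Protection client uninstall entry found.'
} else {
    foreach ($e in $entries) {
        [pscustomobject]@{
            DisplayName = $e.DisplayName
            Version     = $e.DisplayVersion
            Client      = Get-AipClientType -Version $e.DisplayVersion
        }
    }
}
```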

When is the right time to migrate my labels?

We recommend that you migrate your Azure Information Protection labels to the unified labeling platform so that you can use them as sensitivity labels with other clients and services that support unified labeling.

For more information and instructions, see How to migrate Azure Information Protection labels to unified sensitivity labels.

After I've migrated my labels, which management portal do I use?

After you've migrated your labels in the Azure portal, continue managing them in one of the following locations, depending on the clients you have installed:

  • Unified labeling clients and services only: If you only have unified labeling clients installed, manage your labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center. Unified labeling clients download the labels and policy settings from these admin centers. For instructions, see Create and configure sensitivity labels and their policies.
  • Classic client only: If you've migrated your labels, but still have the classic client installed, continue to use the Azure portal to edit labels and policy settings. The classic client continues to download labels and policy settings from Azure.
  • Both the AIP classic client and unified labeling clients: If you have both clients installed, use the admin centers or the Azure portal to make label changes. For the classic clients to pick up label changes made in the admin centers, return to the Azure portal to publish them. In the Azure portal > Azure Information Protection - Unified labeling pane, select Publish.

Continue to use the Azure portal for central reporting and the scanner.

What's the difference between Azure Information Protection and Azure Rights Management?

Azure Information Protection (AIP) provides classification, labeling, and protection for an organization's documents and emails.

Content is protected using the Azure Rights Management service, which is now a component of AIP.

For more information, see How data is protected and What is Azure Rights Management?.

What's the role of identity management for Azure Information Protection?

Identity management is an important component of AIP, as users must have a valid user name and password to access protected content.

To read more about how Azure Information Protection helps to secure your data, see The role of Azure Information Protection in securing data.

What subscription do I need for Azure Information Protection and what features are included?

To understand more about AIP subscriptions, see the subscription information and feature list on the Azure Information Protection pricing page.

If you have an Office 365 subscription that includes Azure Rights Management data protection, download the Azure Information Protection licensing datasheet for more details about integrating with AIP.

Still have questions about licensing? See if they are answered in the frequently asked questions for licensing section.

Is the Azure Information Protection client only for subscriptions that include classification and labeling?

No. The classic AIP client can also be used with subscriptions that include just the Azure Rights Management service, for data protection only.

When the classic client is installed without an Azure Information Protection policy, the client automatically operates in protection-only mode, which enables users to apply Rights Management templates and custom permissions.

If you later purchase a subscription that does include classification and labeling, the client automatically switches to standard mode when it downloads the Azure Information Protection policy.

Do you need to be a global admin to configure Azure Information Protection, or can I delegate to other administrators?

Global administrators for an Office 365 tenant or Azure AD tenant can obviously run all administrative tasks for Azure Information Protection.

However, if you want to assign administrative permissions to other users, do so using the roles described in the sections that follow.

Additionally, note the following when managing administrative tasks and roles:

  • Supported account types: Microsoft accounts are not supported for delegated administration of Azure Information Protection, even if these accounts are assigned to one of the administrative roles listed.
  • Onboarding controls: If you have configured onboarding controls, this configuration does not affect the ability to administer Azure Information Protection, except for the RMS connector. For example, if you have configured onboarding controls so that the ability to protect content is restricted to the IT department group, the account used to install and configure the RMS connector must be a member of that group.
  • Removing protection: Administrators cannot automatically remove protection from documents or emails that were protected by Azure Information Protection. Only users who are assigned as super users can remove protection, and only when the super user feature is enabled. Any user with administrative permissions to Azure Information Protection can enable the super user feature and assign users as super users, including their own account. These actions are recorded in an administrator log. For more information, see the security best practices section in Configuring super users for Azure Information Protection and discovery services or data recovery.
  • Migrating to the unified labeling store: If you are migrating your Azure Information Protection labels to the unified labeling store, be sure to read the following section from the label migration documentation: Administrative roles that support the unified labeling platform.

Azure Information Protection administrator

This Azure Active Directory administrator role lets an administrator configure Azure Information Protection but not other services.

Administrators with this role can:

  • Activate and deactivate the Azure Rights Management protection service
  • Configure protection settings and labels
  • Configure the Azure Information Protection policy
  • Run all the PowerShell cmdlets for the Azure Information Protection client and from the AIPService module

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

Note

This role doesn't support tracking and revoking documents for users, and is not supported in the Azure portal if your tenant is on the unified labeling platform.

Compliance administrator or Compliance data administrator

These Azure Active Directory administrator roles enable administrators to:

  • Configure Azure Information Protection, including activating and deactivating the Azure Rights Management protection service
  • Configure protection settings and labels
  • Configure the Azure Information Protection policy
  • Run all the PowerShell cmdlets for the Azure Information Protection client and from the AIPService module.

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with these roles has, see the Available roles section from the Azure Active Directory documentation.

Note

These roles don't support tracking and revoking documents for users.

Security reader or Global reader

These roles are used for Azure Information Protection analytics only, and enable administrators to:

  • View how your labels are being used
  • Monitor user access to labeled documents and emails
  • View changes made to classification
  • Identify documents that contain sensitive information that must be protected

Because this feature uses Azure Monitor, you must also have a supporting RBAC role.

Security administrator

This Azure Active Directory administrator role enables administrators to configure Azure Information Protection in the Azure portal as well as some aspects of other Azure services.

Administrators with this role cannot run any of the PowerShell cmdlets from the AIPService module, or track and revoke documents for users.

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with this role has, see the Available roles section from the Azure Active Directory documentation.

Azure Rights Management Global Administrator and Connector Administrator

The Global Administrator role enables users to run all PowerShell cmdlets from the AIPService module without making them a global administrator for other cloud services.

The Connector Administrator role enables users to run only the Rights Management (RMS) connector.

These administrative roles don't grant permissions to management consoles, or support tracking and revoking documents for users.

To assign either of these administrative roles, use the AIPService PowerShell cmdlet, Add-AipServiceRoleBasedAdministrator.
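As an added example (not from the original page), the following AIPService session delegates the two roles described above, scoping the connector's service account to Connector Administrator rather than a broader role, and then lists the delegations so they can be reviewed. The e-mail addresses are placeholders.

```powershell
# Added example: delegate AIP administration with the narrowest role that fits.
# Connect-AipService prompts for credentials; the account running this must already
# be a global administrator or an Azure Rights Management Global Administrator.
# The addresses below are placeholders.
Import-Module AIPService
Connect-AipService

# Connector Administrator: may run only the Rights Management (RMS) connector.
# Use this for the account that installs and runs the connector, not a broader role.
Add-AipServiceRoleBasedAdministrator -EmailAddress 'rms-connector-svc@contoso.example' -Role 'ConnectorAdministrator'

# Azure Rights Management Global Administrator: all AIPService cmdlets, but no
# global administrator rights on other cloud services.
Add-AipServiceRoleBasedAdministrator -EmailAddress 'aip-admin@contoso.example' -Role 'GlobalAdministrator'

# List current delegations; review this output periodically as part of access review.
Get-AipServiceRoleBasedAdministrator

# Remove a delegation once it is no longer needed.
Remove-AipServiceRoleBasedAdministrator -EmailAddress 'rms-connector-svc@contoso.example' -Role 'ConnectorAdministrator'
```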

Does Azure Information Protection support on-premises and hybrid scenarios?

Yes. Although Azure Information Protection is a cloud-based solution, it can classify, label, and protect documents and emails that are stored on-premises, as well as in the cloud.

If you have Exchange Server, SharePoint Server, and Windows file servers, use one or both of the following methods:

  • Deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents
  • Synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users. For example, use Azure AD Connect.

The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn't use an on-premises PKI.

For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption.

What types of data can Azure Information Protection classify and protect?

Azure Information Protection can classify and protect email messages and documents, whether they are located on-premises or in the cloud. These documents include Word documents, Excel spreadsheets, PowerPoint presentations, PDF documents, text-based files, and image files.

For more information, see the full list of supported file types.

Note

Azure Information Protection cannot classify and protect structured data such as database files, calendar items, Yammer posts, Sway content, and OneNote notebooks.

Tip

Power BI now supports classification by using sensitivity labels and can apply protection from those labels to data that is exported to the following file formats: .pdf, .xls, and .ppt. For more information, see Data protection in Power BI.

I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?

Yes, as a preview offering, you can now configure Azure AD conditional access for Azure Information Protection.

When a user opens a document that is protected by Azure Information Protection, administrators can now block or grant access to users in their tenant, based on the standard conditional access controls. Requiring multi-factor authentication (MFA) is one of the most commonly requested conditions. Another is that devices must be compliant with your Intune policies so that, for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.

For more information and some walk-through examples, see the following blog post: Conditional Access policies for Azure Information Protection.

Additional information:

  • Evaluation frequency: For Windows computers, and the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days. To fine-tune how often your conditional access policies get evaluated, configure the token lifetime.
  • Administrator accounts: We recommend that you do not add administrator accounts to your conditional access policies because these accounts will not be able to access the Azure Information Protection pane in the Azure portal.
  • MFA and B2B collaboration: If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Azure AD B2B collaboration and create guest accounts for the users you want to share with in the other organization.
  • Terms of Use prompts: With the Azure AD December 2018 preview release, you can now prompt users to accept a terms of use before they open a protected document for the first time.
  • Cloud apps: If you use many cloud apps for conditional access, you might not see Microsoft Azure Information Protection displayed in the list to select. In this case, use the search box at the top of the list. Start typing "Microsoft Azure Information Protection" to filter the available apps. Providing you have a supported subscription, you'll then see Microsoft Azure Information Protection to select.

I see Azure Information Protection is listed as a security provider for Microsoft Graph Security—how does this work and what alerts will I receive?

Yes, as a public preview offering, you can now receive an alert for Azure Information Protection anomalous data access. This alert is triggered when there are unusual attempts to access data that is protected by Azure Information Protection. For example, accessing an unusually high volume of data, at an unusual time of day, or access from an unknown location.

Such alerts can help you to detect advanced data-related attacks and insider threats in your environment. These alerts use machine learning to profile the behavior of users who access your protected data.

The Azure Information Protection alerts can be accessed by using the Microsoft Graph Security API, or you can stream alerts to SIEM solutions, such as Splunk and IBM Qradar, by using Azure Monitor.

For more information about the Microsoft Graph Security API, see Microsoft Graph Security API overview.

What's the difference between Windows Server FCI and the Azure Information Protection scanner?

Windows Server File Classification Infrastructure has historically been an option to classify documents and then protect them by using the Rights Management connector (Office documents only) or a PowerShell script (all file types).

We now recommend you use the Azure Information Protection scanner. The scanner uses the Azure Information Protection client and your Azure Information Protection policy to label documents (all file types) so that these documents are then classified and optionally, protected.

The main differences between these two solutions:

  • Supported data stores
    - Windows Server FCI: Local folders on Windows Server
    - Azure Information Protection scanner: Windows file shares and network-attached storage; SharePoint Server 2016 and SharePoint Server 2013. SharePoint Server 2010 is also supported for customers who have extended support for this version of SharePoint.
  • Operational mode
    - Windows Server FCI: Real time
    - Azure Information Protection scanner: Systematically crawls the data stores once or repeatedly
  • Supported file types
    - Windows Server FCI: All file types are protected by default. Specific file types can be excluded from protection by editing the registry.
    - Azure Information Protection scanner: Office file types and PDF documents are protected by default. Additional file types can be included for protection by editing the registry.

Setting Rights Management owners

By default, for both Windows Server FCI and the Azure Information Protection scanner, the Rights Management owner is set to the account that protects the file.

Override the default settings as follows:

  • Windows Server FCI: Set the Rights Management owner to be a single account for all files, or dynamically set the Rights Management owner for each file.

    To dynamically set the Rights Management owner, use the -OwnerMail [Source File Owner Email] parameter and value. This configuration retrieves the user's email address from Active Directory by using the user account name in the file's Owner property.

  • Azure Information Protection scanner: For newly protected files, set the Rights Management owner to be a single account for all files on a specified data store, by specifying the Default owner setting in the scanner profile.

    Dynamically setting the Rights Management owner for each file is not supported, and the Rights Management owner is not changed for previously protected files.

    Note

    When the scanner protects files on SharePoint sites and libraries, the Rights Management owner is dynamically set for each file by using the SharePoint Editor value.

I've heard a new release is going to be available soon, for Azure Information Protection—when will it be released?

The technical documentation does not contain information about upcoming releases. For this type of information, use the Microsoft 365 Roadmap or check the Enterprise Mobility + Security Blog.

Is Azure Information Protection suitable for my country?

Different countries have different requirements and regulations. To help you answer this question for your organization, see Suitability for different countries.

How can Azure Information Protection help with GDPR?

To see how Azure Information Protection can help you meet the General Data Protection Regulation (GDPR), see the following blog post announcement, with video:

Microsoft 365 provides an information protection strategy to help with the GDPR

See Compliance and supporting information for Azure Information Protection.

How can I report a problem or send feedback for Azure Information Protection?

For technical support, use your standard support channels or contact Microsoft Support.

We also invite you to engage with our engineering team, on their Azure Information Protection Yammer site.

What do I do if my question isn't here?

First, review the frequently asked questions listed below, which are specific to classification and labeling, or specific to data protection. The Azure Rights Management service (Azure RMS) provides the data protection technology for Azure Information Protection. Azure RMS can be used with classification and labeling, or by itself.

If your question isn't answered, see the links and resources listed in Information and support for Azure Information Protection.

In addition, there are FAQs designed for end users: