Azure Information Protection deployment roadmap for protection only

Applies to: Azure Information Protection, Office 365

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Use the following steps as recommendations to help you prepare for, implement, and manage Azure Information Protection for your organization, when you want to implement data protection only.

This roadmap is recommended for customers with a subscription that doesn't support both classification and labels, but does support protection without labels. You must have the AIP classic client installed.

Deployment process

Perform the following steps:

  1. Confirm that you have a subscription that includes the AIP protection service
  2. Prepare your tenant to use Azure Information Protection
  3. Install the Azure Information Protection classic and client configure applications and services for Rights Management
  4. Use and monitor your data protection solutions
  5. Administer the protection service for your tenant account as needed

Confirm that you have a subscription that includes the AIP protection service

Verify that your organization has a subscription that includes the functionality and features you expect. You can use the subscription information and feature list on the Azure Information Protection Pricing page.

Assign a license from this subscription to each user in your organization who will protect documents and emails.

Important

Do not manually assign user licenses from the free RMS for individuals subscription and do not use this license to administer the Azure Rights Management service for your organization.

These licenses display as Rights Management Adhoc in the Microsoft 365 admin center, and RIGHTSMANAGEMENT_ADHOC when you run the Azure AD PowerShell cmdlet, Get-MsolAccountSku.

For more information about how the RMS for individuals subscription is automatically granted and assigned to users, see RMS for individuals and Azure Information Protection.

Prepare your tenant to use Azure Information Protection

Before you begin using the protection service from Azure Information Protection, do the following preparation:

  1. Set up your user accounts and groups for AIP.

    Make sure that your Microsoft 365 tenant contains the user accounts and groups that will be used by Azure Information Protection to authenticate and authorize users from your organization. If necessary, create these accounts and groups, or synchronize them from your on-premises directory.

    For more information, see Preparing users and groups for Azure Information Protection.

  2. Decide how you want to manage your tenant key.

    Decide whether you want Microsoft to manage your tenant key (the default), or generate and manage your tenant key yourself (known as bring your own key, or BYOK). For additional security, implement "hold your own key" (HYOK) protection.

    For more information, see Planning and implementing your Azure Information Protection tenant key.

  3. Install PowerShell for AIP.

    Install the PowerShell module for AIPService on at least one computer that has internet access. You can do this step now, or later.

    For more information, see Installing the AIPService PowerShell module.

  4. AD RMS only: Migrate your data to the cloud.

    If you are currently using AD RMS: Perform a migration to move the keys, templates, and URLs to the cloud.

    For more information, see Migrating from AD RMS to Azure Information Protection.

  5. Activate protection.

    Make sure that the protection service is activated so that you can begin to protect documents and emails. If you are deploying in phases, configure user onboarding controls to restrict users' ability to apply protection.

    For more information, see Activating the protection service from Azure Information Protection.

  6. Configure optional features as needed.

    Consider configuring either of the following features, either now or later.

    Feature Description
    Custom templates for protection settings If the default templates are not sufficient for your organization, configure custom templates.
    For more information, see Configuring and managing templates for Azure Information Protection.
    Usage logging Configure usage logging to monitor how your organization is using the protection service.
    For more information, see Logging and analyzing the protection usage from Azure Information Protection.

Install the Azure Information Protection classic and client configure applications and services for Rights Management

Perform the following steps:

  1. Deploy the Azure Information Protection classic client

    Install the classic client for users to support Office 2010, to protect files other than Office documents and emails, and to track protected documents, and provide user training for this client.

    For more information, see Azure Information Protection client for Windows.

  2. Configure Office applications and services

    Configure Office applications and services for the information rights management (IRM) features in SharePoint or Exchange Online.

    For more information, see Configuring applications for Azure Rights Management.

  3. Configure the super user feature for data recovery

    If you have existing IT services that need to inspect files that Azure Information Protection will protect—such as data leak prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products—configure the service accounts to be super users for Azure Rights Management.

    For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

  4. Protect existing files in bulk

    You can use PowerShell cmdlets to bulk-protect or bulk-unprotect multiple file types.

    For more information, see Using PowerShell with the Azure Information Protection client from the admin guide.

    For files on Windows-based file servers, you can use these cmdlets with a script and Windows Server File Classification Infrastructure. For more information, see RMS protection with Windows Server File Classification Infrastructure (FCI).

  5. Deploy the connector for on-premises servers

    If you have on-premises services that you want to use with the protection service, install and configure the Rights Management connector.

    For more information, see Deploying the Azure Rights Management connector.

Use and monitor your data protection solutions

You're now ready to protect your data, and log how your company is using the protection service.

For more information, see:

Administer the protection service for your tenant account as needed

As you begin to use the protection service, you might find PowerShell useful to help script or automate administrative changes. PowerShell might also be needed for some of the advanced configurations.

For more information, see Administering protection from Azure Information Protection by using PowerShell.

Next steps

As you deploy Azure Information Protection, you might find it helpful to check the frequently asked questions, and the information and support page for additional resources.