Getting started with tenant root keys

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and classic client


To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. No further support is provided for the classic client, and maintenance versions will no longer be released.

We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent deprecation blog.

After planning, creating, and configuring your tenant key as needed, continue with the following steps:

For more information about the life-cycle operations supported for your tenant key, see Operations for your Azure Information Protection tenant key.

If your organization requires on-premises protection for highly sensitive content, configure DKE protection (unified labeling client only).

If you need on-premises protection and are using the classic client, configure HYOK protection instead.

Start using your tenant key

If the Rights Management service is not yet activated, activate it so that your organization can start using Azure Information Protection. Users immediately start to use your tenant key.

For more information, see Activating the protection service from Azure Information Protection.


If you decided to manage your own tenant key after the Rights Management service was activated, users are gradually transitioned from the old key to the new key over the course of a few weeks.

During this transition, documents and files that were protected with the old tenant key remain accessible to authorized users.

Consider usage logging

Usage logging records every transaction that the Azure Rights Management service performs.

Depending on your key management method, logging information may include details about your tenant key. The following image shows an example from a log file displayed in Excel, where the KeyVaultDecryptRequest and KeyVaultSignRequest request types show that the tenant key is being used.

[Image: log file in Excel where tenant key is being used]

For more information about usage logging, see Logging and analyzing the protection usage from Azure Information Protection.
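
To monitor tenant key use without opening each log in Excel, the following added example (not Microsoft's code) counts the KeyVaultDecryptRequest and KeyVaultSignRequest rows per day and result. It assumes a W3C extended log layout with a "#Fields:" directive, tab-separated values and single-quoted strings; the column subset and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Request types the page names as evidence that the tenant key is in use.
KEY_REQUESTS = {"KeyVaultDecryptRequest", "KeyVaultSignRequest"}

# Constructed sample, not real log data. Assumed layout: W3C extended log
# format, a "#Fields:" directive naming the columns, tab-separated values.
SAMPLE_LOG = (
    "#Software: RMS\n"
    "#Fields: date\ttime\trequest-type\tuser-id\tresult\n"
    "2021-04-02\t09:14:07\tAcquireLicense\t'alice@contoso.example'\t'Success'\n"
    "2021-04-02\t09:14:08\tKeyVaultDecryptRequest\t''\t'Success'\n"
    "2021-04-02\t09:40:51\tKeyVaultDecryptRequest\t''\t'Success'\n"
    "2021-04-02\t10:02:31\tKeyVaultSignRequest\t''\t'Success'\n"
    "2021-04-03\t08:00:12\tKeyVaultDecryptRequest\t''\t'Failure'\n"
    "2021-04-03\t08:00:15\tCertify\t'bob@contoso.example'\t'Success'\n"
    "truncated line\n"
)


def parse_usage_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields directive."""
    fields = None
    for row in csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE):
        if not row:
            continue
        if row[0].startswith("#"):
            if row[0].startswith("#Fields:"):
                # Accept tab- or space-separated column names in the directive.
                fields = " ".join(row).split(":", 1)[1].split()
            continue
        if fields is None or len(row) != len(fields):
            continue  # no header seen yet, or a malformed/truncated row
        yield {name: value.strip("'") for name, value in zip(fields, row)}


def tenant_key_usage(text):
    """Count tenant key operations per (date, request-type, result)."""
    counts = Counter()
    for rec in parse_usage_log(text):
        if rec["request-type"] in KEY_REQUESTS:
            counts[(rec["date"], rec["request-type"], rec["result"])] += 1
    return counts


if __name__ == "__main__":
    for (date, req, result), n in sorted(tenant_key_usage(SAMPLE_LOG).items()):
        print(f"{date}  {req:<24} {result:<8} {n}")
```

Failed key operations and days with an unexpected volume of key requests are the rows worth reviewing first.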