What's the difference between Azure Information Protection and Microsoft Purview Information Protection?
Unlike Azure Information Protection, Microsoft Purview Information Protection isn't a subscription or product that you can buy. Instead, it's a framework for products and integrated capabilities that help you protect your organization's sensitive information.
Microsoft Purview Information Protection products include:
- Azure Information Protection
- Microsoft 365 Information Protection, such as Microsoft 365 DLP
- Windows Information Protection
- Microsoft Defender for Cloud Apps
Microsoft Purview Information Protection capabilities include:
- Unified label management
- End-user labeling experiences built into Office apps
- The ability for Windows to understand unified labels and apply protection to data
- The Microsoft Information Protection SDK
- Functionality in Adobe Acrobat Reader to view labeled and protected PDFs
Do I need to be a global admin to configure Azure Information Protection, or can I delegate to other administrators?
Global administrators for a Microsoft 365 tenant or Microsoft Entra tenant can obviously run all administrative tasks for Azure Information Protection.
However, if you want to assign administrative permissions to other users, do so using the following roles:
- Azure Information Protection administrator: This Microsoft Entra administrator role enables administrators to configure Azure Information Protection in the Azure portal and some aspects of other Azure services.
- Connector Administrator: The Connector Administrator role enables users to run only the Rights Management (RMS) connector.
These administrative roles don't grant permissions to management consoles. The Connector Administrator role also does not support tracking and revoking documents for users.
Additionally, note the following when managing administrative tasks and roles:
- Supported account types: Microsoft accounts are not supported for delegated administration of Azure Information Protection, even if these accounts are assigned to one of the administrative roles listed.
- Onboarding controls: If you have configured onboarding controls, this configuration does not affect the ability to administer Azure Information Protection, except for the RMS connector. For example, if you have configured onboarding controls so that the ability to protect content is restricted to the IT department group, the account used to install and configure the RMS connector must be a member of that group.
- Removing protection: Administrators cannot automatically remove protection from documents or emails that were protected by Azure Information Protection. Only users who are assigned as super users can remove protection, and only when the super user feature is enabled. Any user with administrative permissions to Azure Information Protection can enable the super user feature and assign users as super users, including their own account. These actions are recorded in an administrator log.
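Because any Azure Information Protection administrator can switch on the super user feature and add their own account, the settings that govern who can remove protection are worth auditing from PowerShell. The following is an added example, not code from the Microsoft page; it assumes the AIPService module is installed, that the signed-in account holds an Azure Information Protection administrative role, and that the log path and the 'SuperUser' match pattern are placeholders to adjust.

```powershell
# Added example (not from the Microsoft page). Audits the settings that govern
# who can strip protection: the super user feature and its members, onboarding
# controls, and the administrator log that records changes to them.
# Assumes the AIPService module is installed and the caller holds an AIP admin role.
Import-Module AIPService
Connect-AipService   # prompts for an account with AIP administrative permissions

# 1. Super user feature state. Super users can remove protection from any
#    document, so the feature should stay Disabled unless it is needed right now.
$state = Get-AipServiceSuperUserFeature
"Super user feature: $state"
if ($state -eq 'Enabled') {
    # Individual super user accounts and the optional super user group
    $superUsers = Get-AipServiceSuperUser
    $superGroup = Get-AipServiceSuperUserGroup
    "Super users: $($superUsers -join ', ')"
    "Super user group: $superGroup"
}

# 2. Onboarding controls. If protection is restricted to a security group, the
#    account that installs the RMS connector must be a member of that group.
$policy = Get-AipServiceOnboardingControlPolicy
"Onboarding controls: UseRmsUserLicense=$($policy.UseRmsUserLicense) " +
    "SecurityGroupObjectId=$($policy.SecurityGroupObjectId) Scope=$($policy.Scope)"

# 3. Administrator log for the last 30 days. The log records who enabled the
#    super user feature and which accounts were added, so review it regularly.
$logPath = Join-Path $env:TEMP 'AipAdminLog.log'   # assumed output location
Get-AipServiceAdminLog -Path $logPath -FromTime (Get-Date).AddDays(-30)

# Surface only the super user related entries. The 'SuperUser' pattern is an
# assumption about the log text; adjust it after inspecting the file once.
Select-String -Path $logPath -Pattern 'SuperUser' | ForEach-Object { $_.Line }
```

Run it from a scheduled task or as part of a periodic access review so that an unexpected Enabled state or an unfamiliar super user account is noticed promptly.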
Does Azure Information Protection support on-premises and hybrid scenarios?
Yes. Although Azure Information Protection is a cloud-based solution, it can classify, label, and protect documents and emails that are stored on-premises, as well as in the cloud.
If you have Exchange Server, SharePoint Server, and Windows file servers, use one or both of the following methods:
- Deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents.
- Synchronize and federate your Active Directory domain controllers with Microsoft Entra ID for a more seamless authentication experience for users. For example, use Microsoft Entra Connect.
The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn't use an on-premises PKI.
What types of data can Azure Information Protection classify and protect?
Azure Information Protection can classify and protect email messages and documents, whether they are located on-premises or in the cloud. These documents include Word documents, Excel spreadsheets, PowerPoint presentations, PDF documents, text-based files, and image files.
Azure Information Protection cannot classify and protect structured data such as database files, calendar items, Yammer posts, Sway content, and OneNote notebooks.
Tip: Power BI supports classification by using sensitivity labels and can apply protection from those labels to data that is exported to the following file formats: .pdf, .xls, and .ppt. For more information, see Data protection in Power BI.
I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?
Yes, you can configure Microsoft Entra Conditional Access for Azure Information Protection.
When a user opens a document that is protected by Azure Information Protection, administrators can now block or grant access to users in their tenant, based on the standard conditional access controls. Requiring multifactor authentication (MFA) is one of the most commonly requested conditions. Another one is that devices must be compliant with your Intune policies so that, for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.
For Windows computers, and the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days.
We recommend that you do not add administrator accounts to your conditional access policies because these accounts will not be able to access the Azure Information Protection pane in the Azure portal.
MFA and B2B collaboration
If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Microsoft Entra B2B collaboration and create guest accounts for the users you want to share with in the other organization.
Terms of Use prompts
With the Microsoft Entra December 2018 preview release, you can now prompt users to accept a terms of use before they open a protected document for the first time.
Cloud apps
If you use many cloud apps for conditional access, you might not see Microsoft Information Protection Sync Service and Microsoft Rights Management Service displayed in the list to select.
In this case, use the search box at the top of the list. Start typing "Microsoft Information Protection Sync Service" and "Microsoft Rights Management Service" to filter the available apps. Provided you have a supported subscription, you'll then see these options and be able to select them.
Note: The Azure Information Protection support for conditional access is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Is Azure Information Protection suitable for my country?
Different countries have different requirements and regulations. To help you answer this question for your organization, see Suitability for different countries.
How can Azure Information Protection help with GDPR?
First, review the frequently asked questions listed below, which are specific to classification and labeling, or specific to data protection. The Azure Rights Management service (Azure RMS) provides the data protection technology for Azure Information Protection. Azure RMS can be used with classification and labeling, or by itself.