Operations for your Azure Information Protection tenant key

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and classic client

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. No further support is provided for the classic client and maintenance versions will no longer be released.

The classic client will be officially retired, and will stop functioning, on March 31, 2022.

All current Azure Information Protection classic client customers must migrate to the Microsoft Information Protection unified labeling platform and upgrade to the unified labeling client. Learn more in our migration blog.

Depending on your tenant key topology for Azure Information Protection, you have different levels of control and responsibility for your Azure Information Protection tenant key. The two key topologies are Microsoft-managed and customer-managed.

When you manage your own tenant key in Azure Key Vault, this is often referred to as bring your own key (BYOK). For more information about this scenario and how to choose between the two tenant key topologies, see Planning and implementing your Azure Information Protection tenant key.

The following table identifies the operations that you can do, depending on the topology that you’ve chosen for your Azure Information Protection tenant key.

Life cycle operation Microsoft-managed (default) Customer-managed (BYOK)
Revoke your tenant key No (automatic) Yes
Rekey your tenant key Yes Yes
Backup and recover your tenant key No Yes
Export your tenant key Yes No
Respond to a breach Yes Yes

After you have identified which topology you have implemented, select one of the following links for more information about these operations for your Azure Information Protection tenant key:

However, if you want to create an Azure Information Protection tenant key by importing a trusted publishing domain (TPD) from Active Directory Rights Management Services, this import operation is part of the migration from AD RMS to Azure Information Protection. As part of the design, an AD RMS TPD can only be imported to one tenant.