Requirements for Azure Information Protection
Before you deploy Azure Information Protection for your organization, make sure that you have the following prerequisites.
Subscription for Azure Information Protection
For classification, labeling, and protection by using the Azure Information Protection client (classic or unified labeling) or scanner: You must have an Azure Information Protection plan.
For protection-only: You must have an Office 365 plan that includes Azure Information Protection.
To make sure that your organization's subscription includes the Azure Information Protection features that you want to use, review the feature list from the Azure Information Protection pricing page.
If you have questions about licensing, read through the frequently asked questions for licensing.
To check whether your Office 365 plan or Exchange Online standalone plan supports the new capabilities from Office 365 Message Encryption, which let you send protected emails to personal email addresses (for example, Gmail, Yahoo, and Microsoft accounts), check the following resources:
If you have questions about subscriptions or licensing, do not post them on this page. Instead, see if they are answered in the frequently asked questions for licensing. If your question is not answered there, contact your Microsoft Account Manager or Microsoft Support.
Azure Active Directory
Your organization must have an Azure Active Directory (Azure AD) tenant to support user authentication and authorization for Azure Information Protection. In addition, if you want to use the user accounts from your on-premises directory (AD DS), you must also configure directory integration between AD DS and Azure AD.
Single sign-on (SSO) is supported for Azure Information Protection, so that users are not repeatedly prompted for their credentials. If you use another vendor's federation solution, check with that vendor how to configure it for Azure AD. WS-Trust is a common requirement for these solutions to support single sign-on with the Azure Information Protection clients.
Multi-factor authentication (MFA) is supported with Azure Information Protection when you have the required client software and correctly configured MFA supporting infrastructure.
Conditional access is supported in preview for documents protected by Azure Information Protection. For more information, see the following FAQ: I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?
For more information about authentication requirements, see Azure Active Directory requirements for Azure Information Protection.
For more information about the requirements for user and group accounts for authorization, see Preparing users and groups for Azure Information Protection.
Users must have client devices (computer or mobile device) that run an operating system that supports Azure Information Protection.
The following devices support the Azure Information Protection unified labeling client, and the Azure Information Protection client. Both clients let users classify and label their documents and emails:
Windows 10 (x86, x64)
- No support for handwriting in the Windows 10 RS4 build and later.
Windows 8.1 (x86, x64)
Windows 8 (x86, x64)
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2 and Windows Server 2012
For information about support options for earlier versions of Windows, contact your Microsoft account or support representative.
In addition to installing the client on physical computers, you can also install it on virtual machines. Check whether the software vendor for the virtual desktop solution has additional configuration that might be required to run the Azure Information Protection unified labeling client or the Azure Information Protection client. For example, for Citrix solutions, you might need to disable Citrix Application Programming Interface (API) hooks for Office (winword.exe, excel.exe, outlook.exe, powerpnt.exe) and the executable for the Azure Information Protection unified labeling client or Azure Information Protection client (msip.app.exe, msip.viewer.exe).
For the listed server versions:
The Azure Information Protection clients are supported for Remote Desktop Services. If you delete user profiles when you use the Azure Information Protection clients with Remote Desktop Services, do not delete the %Appdata%\Microsoft\Protect folder.
Server Core and Nano Server are not supported.
When the Azure Information Protection clients protect the data by using the Azure Rights Management service, the data can be consumed by the same devices that support the Azure Rights Management service.
The Azure Information Protection clients have additional prerequisites that are listed in their respective admin guides:
Azure Information Protection unified labeling client: Prerequisites
Azure Information Protection client: Prerequisites
The Azure Information Protection clients can label and protect documents and emails by using the Office applications Word, Excel, PowerPoint, and Outlook from any of the following Office editions:
Office apps minimum version 1805, build 9330.2078 from Office 365 Business or Microsoft 365 Business when the user is assigned a license for Azure Rights Management (also known as Azure Information Protection for Office 365)
Office 365 ProPlus
Office Professional Plus 2019
Office Professional Plus 2016
Office Professional Plus 2013 with Service Pack 1
Office Professional Plus 2010 with Service Pack 2
Other editions of Office cannot protect documents and emails by using a Rights Management service. For these editions, Azure Information Protection is supported for classification only. Consequently, labels that apply protection do not display to users on the Azure Information Protection bar or from the Protect button (classic client) or Sensitivity button (unified labeling client) on the Office ribbon.
For information about which Office editions support the protection service, see Applications that support Azure Rights Management data protection.
Office features and capabilities not supported
The Azure Information Protection clients (classic client and unified labeling client) do not support multiple versions of Office on the same computer, or switching user accounts in Office.
The Office mail merge feature is not supported with any Azure Information Protection feature.
Firewalls and network infrastructure
If you have a firewall or similar intervening network devices that are configured to allow specific connections, the network connectivity requirements are included in the Office article, Office 365 URLs and IP address ranges. See the Microsoft 365 Common and Office Online section.
In addition to the information in the Office article, specific to Azure Information Protection:
For the unified labeling client to download labels and label policies: Allow the URL *.protection.outlook.com over HTTPS.
If you use a web proxy that requires authentication, you must configure it to use integrated Windows authentication with the user's Active Directory logon credentials.
Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection) to the aadrm.com URL. Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.
You can use the following PowerShell commands to help you determine whether your client connection is terminated before it reaches the Azure Rights Management service. Run them in Windows PowerShell (the .NET Framework host); in PowerShell 7, the ServicePoint certificate property may not be populated.
$request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc")
$request.GetResponse()
$request.ServicePoint.Certificate.Issuer
The result should show that the issuing CA is a Microsoft CA, for example:
CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
If you see an issuing CA name that is not from Microsoft, it is very likely that your secure client-to-service connection is being terminated (for example, by a TLS-inspecting proxy or firewall) and that the device needs to be reconfigured to exempt the aadrm.com endpoints from inspection.
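The following script is an added example (not from the original article) that turns the three-line check above into a reusable test: it completes the TLS handshake to one or more Azure Rights Management endpoints, captures the server certificate, and flags any endpoint whose issuer is not a Microsoft CA. The only endpoint it knows by default is the one shown on this page; any other URL you pass is your own assumption. The test for a Microsoft issuer (the organization name `O=Microsoft Corporation` in the issuer DN, as in the example issuer above) is an assumption taken from that example, not an official rule, so compare the reported issuer with what you see from an uninspected network before trusting a warning.

```powershell
# Added example, not part of the Azure Information Protection documentation.
# Checks whether the TLS connection to the Azure Rights Management service is being
# terminated by an intercepting proxy or firewall (which breaks RMS certificate pinning).
# Run in Windows PowerShell 5.1; the HttpWebRequest.ServicePoint.Certificate property
# used here is populated by the .NET Framework networking stack.
param(
    # Default is the endpoint quoted on this page; add other aadrm.com endpoints as needed.
    [string[]]$Url = @("https://admin.na.aadrm.com/admin/admin.svc")
)

function Test-AadrmTlsPath {
    param([Parameter(Mandatory)][string]$Uri)

    $request = [System.Net.HttpWebRequest]::Create($Uri)
    $request.Method  = "HEAD"
    $request.Timeout = 15000

    try {
        $response = $request.GetResponse()
        $response.Close()
    }
    catch [System.Net.WebException] {
        # An HTTP error (for example 401/403 from an unauthenticated call to the admin
        # endpoint) still completes the TLS handshake, so the certificate was captured.
        # Only a transport-level failure leaves no response object; rethrow those.
        if ($null -eq $_.Exception.Response) { throw }
        $_.Exception.Response.Close()
    }

    $cert = $request.ServicePoint.Certificate
    if ($null -eq $cert) { throw "No server certificate was captured for $Uri." }

    # Upgrade to X509Certificate2 to get the parsed issuer, thumbprint and validity period.
    $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert

    # Assumption: a Microsoft-issued chain carries O=Microsoft Corporation in the issuer DN,
    # matching the example issuer on this page. Adjust if your baseline shows otherwise.
    $intercepted = $cert2.Issuer -notmatch 'O=Microsoft Corporation'

    [pscustomobject]@{
        Uri         = $Uri
        Subject     = $cert2.Subject
        Issuer      = $cert2.Issuer
        Thumbprint  = $cert2.Thumbprint
        NotAfter    = $cert2.NotAfter
        Intercepted = $intercepted
    }
}

foreach ($u in $Url) {
    $result = Test-AadrmTlsPath -Uri $u
    $result
    if ($result.Intercepted) {
        Write-Warning ("Issuer for {0} is '{1}', not a Microsoft CA. The TLS connection is " +
                       "probably being terminated by a proxy or firewall; exempt the aadrm.com " +
                       "endpoints from inspection and re-run this check.") -f $u, $result.Issuer
    }
}
```

Run it as `.\Test-AadrmTlsPath.ps1` from a client on the network segment you want to verify; to compare several regions or a second network path, pass them with `-Url https://admin.na.aadrm.com/admin/admin.svc, <other endpoint>`. Recording the reported thumbprint from a known-clean network gives you a value to diff against later, which is a stricter check than matching on the issuer name alone.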
If you want to use the Azure Rights Management service from Azure Information Protection with on-premises servers, the following products are supported:
Windows Server file servers that support File Classification Infrastructure
For information about the additional requirements for this scenario, see On-premises servers that support Azure Rights Management data protection.
Coexistence of AD RMS with Azure RMS
The following deployment scenario is not supported unless you are using AD RMS for HYOK protection with Azure Information Protection (the "hold your own key" configuration):
- Running AD RMS and Azure RMS side by side in the same organization, except during migration, as described in Migrating from AD RMS to Azure Information Protection.
There is a supported migration path from AD RMS to Azure Information Protection, and from Azure Information Protection to AD RMS. If you deploy Azure Information Protection and then decide that you no longer want to use this cloud service, see Decommissioning and deactivating Azure Information Protection.
Make sure to allow access to all ports for the following Service Tags:
The Azure Information Protection service also depends on two specific IP addresses:
Make sure to create rules to allow outbound access to these specific IP addresses.