Azure Information Protection requirements
Before deploying Azure Information Protection, ensure that your system meets the following prerequisites:
- Subscription for Azure Information Protection
- Azure Active Directory
- Client devices
- Firewalls and network infrastructure
Subscription for Azure Information Protection
You must have one of the following, depending on the Azure Information Protection features you'll be using:
An Azure Information Protection plan. Required for classification, labeling, and protection by using the Azure Information Protection scanner or client (classic, or unified labeling)
An Office 365 plan that includes Azure Information Protection. Required for protection only.
To verify that your subscription includes the Azure Information Protection features you want to use, check the feature list at Azure Information Protection pricing.
If you have questions about licensing, read through the frequently asked questions for licensing.
Looking to see if your Office 365 plan or Exchange Online standalone plan supports the new capabilities from Office 365 Message Encryption, to send protected emails to personal email addresses? For example, Gmail, Yahoo, and Microsoft. Check the following resources:
If you have questions about subscriptions or licensing, do not post them on this page. Instead, see if they are answered in the frequently asked questions for licensing. If your question is not answered there, contact your Microsoft Account Manager or Microsoft Support.
Azure Active Directory
To support authentication and authorization for Azure Information Protection, you must have an Azure Active Directory (AD). To use user accounts from your on-premises director (AD DS), you must also configure directory integration.
Single sign-on (SSO) is supported for Azure Information Protection so that users are not repeatedly prompted for their credentials. If you use another vendor solution for federation, check with that vendor for how to configure it for Azure AD. WS-Trust is a common requirement for these solutions to support single sign-on.
Multi-factor authentication (MFA) is supported with Azure Information Protection when you have the required client software and have correctly configured the MFA-supporting infrastructure.
Conditional access is supported in preview for documents protected by Azure Information Protection. For more information, see: I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?
Additional prerequisites are required for specific scenarios, such as when using Office 2010, certificate-based or multi-factor authentication, or when UPN values don't match user email addresses. For more information, see Additional Azure AD requirements for Azure Information Protection.
For more information, see:
- What is Azure AD Directory?
- Integrate on-premises Active Directory domains with Azure Active Directory.
User computers or mobile devices must run on an operating system that supports Azure Information Protection.
- Supported operating systems for client devices
- Virtual machines
- Server support
- Additional requirements per client
Supported operating systems for client devices
The following operating systems support both the Azure Information Protection unified labeling and the Azure Information Protection clients:
Windows 10 (x86, x64). Handwriting is not supported in the Windows 10 RS4 build and later.
Windows 8.1 (x86, x64)
Windows 8 (x86, x64)
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2 and Windows Server 2012
Both clients let users classify and label their documents and emails.
For details about support in earlier versions of Windows, contact your Microsoft account or support representative.
When the Azure Information Protection clients protect the data by using the Azure Rights Management service, the data can be consumed by the same devices that support the Azure Rights Management service.
If you're working with virtual machines, check whether the software vendor for your virtual desktop solution as additional configurations required for running the Azure Information Protection unified labeling or the Azure Information Protection client.
For example, for Citrix solutions, you might need to disable Citrix Application Programming Interface (API) hooks for Office, the Azure Information Protection unified labeling client, or the Azure Information Protection client.
These applications use the following files, respectively: winword.exe, excel.exe, outlook.exe, powerpnt.exe, msip.app.exe, msip.viewer.exe
For each of the server versions listed above, Azure Information Protection clients are supported for Remote Desktop Services.
If you delete user profiles when you use the Azure Information Protection clients with Remote Desktop Services, do not delete the %Appdata%\Microsoft\Protect folder.
Additionally, Server Core and Nano Server are not supported.
Additional requirements per client
Each Azure Information Protection client has additional prerequisites. For details, see:
The Azure Information Protection clients can label and protect documents and emails by using Microsoft Word, Excel, PowerPoint, and Outlook from any of the following Office editions:
Office apps minimum version 1805, build 9330.2078 from Office 365 Business or Microsoft 365 Business.
This edition is supported only when the user is assigned a license for Azure Rights Management, also known as Azure Information Protection for Office 365.
Office 365 ProPlus
Office Professional Plus 2019
Office Professional Plus 2016
Office Professional Plus 2013 with Service Pack 1
Office Professional Plus 2010 with Service Pack 2
Other editions of Office cannot protect documents and emails by using a Rights Management service. For these editions, Azure Information Protection is supported for classification only, and labels that apply protection are not displayed for users.
These labels would have otherwise been displayed on the Azure Information Protection bar or in the unified labeling client on the Office ribbon (from the Protect button in the classic client or the Sensitivity button in the unified labeling client).
For more information, see Applications that support Azure Rights Management data protection.
Office features and capabilities not supported
The Azure Information Protection clients, including both classic and unified labeling, do not support multiple versions of Office on the same computer, or switching user accounts in Office.
The Office mail merge feature is not supported with any Azure Information Protection feature.
Firewalls and network infrastructure
If you have a firewalls or similar intervening network devices that are configured to allow specific connections, the network connectivity requirements are listed in this Office article: Office 365 URLs and IP address ranges > Microsoft 365 Common and Office Online.
Azure Information Protection has the following additional requirements:
Unified labeling client. To download labels and label policies, allow the following URL over HTTPS: *.protection.outlook.com
Web proxies. If you use a web proxy that requires authentication, you must configure the proxy to use integrated Windows authentication with the user's Active Directory sign in credentials.
TLS client-to-service connections. Do not terminate any TLS client-to-service connections, for example to perform packet-level inspection, to the aadrm.com URL. Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.
To determine whether your client connection is terminated before it reaches the Azure Rights Management service, use the following PowerShell commands:
$request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc") $request.GetResponse() $request.ServicePoint.Certificate.Issuer
The result should show that the issuing CA is from a Microsoft CA, for example:
CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
If you see an issuing CA name that is not from Microsoft, it is likely that your secure client-to-service connection is being terminated and needs reconfiguration on your firewall.
TLS version 1.2 or higher (unified labeling client only). The unified labeling client requires a TLS version of 1.2 or higher to ensure the use of cryptographically secure protocols and align with Microsoft security guidelines.
Coexistence of AD RMS with Azure RMS
Using AD RMS and Azure RMS side by side, in the same organization, to protect content by the same user in the same organization, is only supported in AD RMS for HYOK (hold your own key) protection with Azure Information Protection.
This scenario is not supported during migration. Supported migration paths include:
If you deploy Azure Information Protection and then decide that you no longer want to use this cloud service, see Decommissioning and deactivating Azure Information Protection.
For other, non-migration scenarios, where both services are active in the same organization, both services must be configured so that only one of them allows any given user to protect content. Configure such scenarios as follows:
Use redirections for an AD RMS to Azure RMS migration
If both services must be active for different users at the same time, use service-side configurations to enforce exclusivity. Use the Azure RMS onboarding controls in the cloud service, and an ACL on the Publish URL to set Read-Only mode for AD RMS.
Make sure to allow access to all ports for the following Service Tags:
The Azure Information Protection service also depends on two specific IP addresses:
Make sure to create rules to allow outbound access to these specific IP addresses.
Supported on-premises servers for Azure Rights Management data protection
The following on-premises servers are supported with Azure Information Protection when you use the Azure Rights Management connector.
This connector acts as a communications interface, and relays between on-premises servers and the Azure Rights Management service, which is used by Azure Information Protection to protect Office documents and emails.
To use this connector, you must configure directory synchronization between your Active Directory forests and Azure Active Directory.
Supported servers include:
|Server type||Supported versions|
|Exchange Server||- Exchange Server 2016 - Exchange Server 2013 - Exchange Server 2010|
|Office SharePoint Server||- Office SharePoint Server 2016 - Office SharePoint Server 2013 - Office SharePoint Server 2010|
|File servers that run Windows Server and use File Classification Infrastructure (FCI)||- Windows Server 2016 - Windows Server 2012 R2 - Windows Server 2012|
For more information, see Deploying the Azure Rights Management connector.
Supported operating systems for Azure Rights Management
The following operating systems support the Azure Rights Management service, which provides data protection for AIP:
|Windows computers||- Windows 7 (x86, x64) - Windows 8 (x86, x64) - Windows 8.1 (x86, x64) - Windows 10 (x86, x64)|
|macOS||Minimum version of macOS 10.8 (Mountain Lion)|
|Android phones and tablets||Minimum version of Android 6.0|
|iPhone and iPad||Minimum version of iOS 11.0|
|Windows phones and tablets||Windows 10 Mobile|
Once you've reviewed all AIP requirements and confirmed that your system complies, continue with Preparing users and groups for Azure Information Protection.