Azure Active Directory requirements for Azure Information Protection

Applies to: Azure Information Protection, Office 365

You must have an Azure AD directory to use Azure Information Protection. You use an account from this directory to sign in to the Azure portal, where, for example, you can configure and manage Azure Information Protection labels and Azure Rights Management templates.

If you have a subscription that includes Azure Information Protection or Azure Rights Management, your Azure AD directory is automatically created for you if needed.

For more information about Azure AD, see What is Azure AD Directory?

To integrate your Azure AD directory with your on-premises AD forests, see Integrate on-premises Active Directory domains with Azure Active Directory.

Scenarios that have specific requirements

Computers running Office 2010:

  • These computers require the Azure Information Protection unified labeling client or Azure Information Protection client to authenticate to Azure Information Protection and its data protection service, Azure Rights Management.

  • If your user accounts are federated (for example, you use AD FS), they must use Windows Integrated Authentication. Forms-based authentication in this scenario fails to authenticate users for Azure Information Protection.

Support for certificate-based authentication (CBA):

Users' UPN value doesn't match their email address:

Mobile devices or Mac computers that authenticate on-premises by using AD FS or an equivalent authentication provider:

  • You must use AD FS on the minimum server version of Windows Server 2012 R2, or an alternative authentication provider that supports the OAuth 2.0 protocol.

Multi-factor authentication (MFA) and Azure Information Protection

Using multi-factor authentication (MFA) with Azure Information Protection requires at least one of the following:

  • Office 2013 (minimum version):

  • Azure Information Protection client:

    • The Azure Information Protection clients for Windows and the viewer app for iOS and Android have always supported MFA; no minimum version is required.

  • Rights Management sharing app for Mac computers:

    • MFA support went into the September 2015 release of the RMS sharing app.

Then, configure your MFA solution:

The Rights Management connector and the Azure Information Protection scanner do not support MFA. If you deploy the connector or scanner, the following accounts must not require MFA:

  • The account that installs and configures the connector.

  • The service principal account in Azure AD, Aadrm_S-1-7-0, that the connector creates.

  • The service account that runs the scanner.

Next steps

To check for other requirements, see Requirements for Azure Information Protection.