Azure Active Directory requirements for Azure Information Protection

Applies to: Azure Information Protection, Office 365

You must have an Azure AD directory to use Azure Information Protection. You use an account from this directory to sign in to the Azure portal, where, for example, you can configure and manage Azure Information Protection labels and Azure Rights Management templates.

If you have a subscription that includes Azure Information Protection or Azure Rights Management, your Azure AD directory is automatically created for you if needed.

For more information about Azure AD, see What is Azure Active Directory?

To integrate your Azure AD directory with your on-premises AD forests, see Integrating your on-premises identities with Azure Active Directory.

Scenarios that have specific requirements

Computers running Office 2010:

  • These computers require the Azure Information Protection client (recommended) or the Rights Management sharing application for Windows to authenticate to Azure Information Protection and its data protection service, Azure Rights Management.

  • If your user accounts are federated (for example, you use AD FS), they must use Windows Integrated Authentication. Forms-based authentication in this scenario fails to authenticate users for Azure Information Protection.

Support for certificate-based authentication (CBA):

Users' UPN value doesn't match their email address:

Mobile devices or Mac computers that authenticate on-premises by using AD FS or an equivalent authentication provider:

  • You must use AD FS on Windows Server 2012 R2 or later, or an alternative authentication provider that supports the OAuth 2.0 protocol.

Multi-factor authentication (MFA) and Azure Information Protection

Using multi-factor authentication (MFA) with Azure Information Protection requires at least one of the following:

  • Office 2013 (minimum version):

  • Azure Information Protection client:

  • Rights Management sharing application for Windows:

    • You must have installed the minimum version of 1.0.1908.0, which you can confirm by using Control Panel > Programs and Features. Note that the Rights Management sharing application is now replaced by the Azure Information Protection client. For more information about the sharing application, see Rights Management sharing application for Windows.

  • Rights Management sharing app for mobile devices and Mac computers:

    • Make sure that you have the latest version installed. MFA support went into the September 2015 release of the RMS sharing app.
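The version check above is done by hand in Programs and Features. The following PowerShell script is an added example (not code from the original article or from the Azure Information Protection product) that reads the same Uninstall registry keys Programs and Features uses and compares the installed Rights Management sharing application against the 1.0.1908.0 minimum as a proper [version], which avoids the string-comparison trap where '1.0.1908.0' sorts before '1.0.2.0'. The DisplayName patterns it matches on are assumptions; adjust them to what Programs and Features shows on your build.

```powershell
# Added example: verify the Rights Management sharing application meets the
# 1.0.1908.0 minimum required for MFA, and report whether the Azure Information
# Protection client that supersedes it is installed instead.
$minSharingAppVersion = [version]'1.0.1908.0'

# Same data Programs and Features displays; the WOW6432Node key covers
# 32-bit installs on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

# DisplayName patterns are assumptions; confirm them against your installation.
$sharingApp = @($installed | Where-Object { $_.DisplayName -like '*Rights Management sharing*' })
$aipClient  = @($installed | Where-Object { $_.DisplayName -like '*Azure Information Protection*' })

if ($aipClient.Count -gt 0) {
    "Azure Information Protection client {0} is installed; it replaces the sharing application." -f $aipClient[0].DisplayVersion
}

if ($sharingApp.Count -gt 0) {
    # Compare as [version], not as strings: as strings, '1.0.1908.0' -lt '1.0.2.0' is $true,
    # which would wrongly report a current build as too old.
    $found = [version]$sharingApp[0].DisplayVersion
    if ($found -ge $minSharingAppVersion) {
        "Rights Management sharing application $found meets the MFA minimum ($minSharingAppVersion)."
    } else {
        "Rights Management sharing application $found is below $minSharingAppVersion; update it before enabling MFA."
    }
} elseif ($aipClient.Count -eq 0) {
    "Neither the Rights Management sharing application nor the Azure Information Protection client was found."
}
```

Run it in an elevated PowerShell session on the client computer; no modules beyond what ships with Windows are needed.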

Then, configure your MFA solution:

The Rights Management connector and the Azure Information Protection scanner do not support MFA. If you deploy the connector or scanner, the following accounts must not require MFA:

  • The account that installs and configures the connector.

  • The service principal account in Azure AD, Aadrm_S-1-7-0, that the connector creates.

  • The service account that runs the scanner.
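Because a connector or scanner deployment silently fails when one of these accounts is later swept into an MFA requirement, it is worth checking them before installation. The script below is an added example (not code from the original article or from the connector or scanner themselves) that uses the MSOnline and AzureAD modules to confirm that the installer account and the scanner service account have no per-user MFA requirement, and that the connector's service principal can be found in the directory. The UPNs are placeholders, and treating Aadrm_S-1-7-0 as the service principal's display name is an assumption.

```powershell
# Added example: confirm the accounts the connector and scanner depend on are not
# subject to per-user MFA, and locate the service principal the connector creates.
# Requires the MSOnline and AzureAD modules and rights to read directory objects.
$installerUpn = 'rmsconnector-admin@contoso.com'   # placeholder: account that installs and configures the connector
$scannerUpn   = 'svc-aipscanner@contoso.com'       # placeholder: service account that runs the scanner
$connectorSpn = 'Aadrm_S-1-7-0'                    # assumed to be the service principal's display name

Connect-MsolService
Connect-AzureAD

foreach ($upn in @($installerUpn, $scannerUpn)) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

    # StrongAuthenticationRequirements is empty when per-user MFA is off;
    # otherwise its State is 'Enabled' or 'Enforced', either of which blocks these roles.
    $state = $user.StrongAuthenticationRequirements | Select-Object -ExpandProperty State
    if ($state) {
        "$upn has per-user MFA '$state'; the connector or scanner cannot use this account until it is removed."
    } else {
        "$upn has no per-user MFA requirement."
    }
}

$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$connectorSpn'"
if ($sp) {
    "Service principal $connectorSpn found (ObjectId $($sp.ObjectId))."
} else {
    "Service principal $connectorSpn not found; it is created when the connector is installed."
}
```

Per-user MFA is only one way an account ends up requiring MFA. A Conditional Access policy that requires MFA for all users applies to these accounts just the same, so they must also be excluded from any such policy; this script does not evaluate Conditional Access, so check those policies separately.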

Next steps

To check for other requirements, see Requirements for Azure Information Protection.