Additional Azure AD requirements for Azure Information Protection
Relevant for: AIP unified labeling client and AIP classic client.
To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021.
This time-frame allows all current Azure Information Protection customers to transition to the Microsoft Information Protection unified labeling solution. Learn more in the official deprecation notice.
An Azure AD directory is a requirement for using Azure Information protection. Use an account from an Azure AD directory to sign in to the Azure portal, where you can configure Azure Information Protection settings.
If you have a subscription that includes Azure Information Protection or Azure Rights Management, your Azure AD directory is automatically created for you if needed.
The following sections list additional AIP and Azure AD requirements for specific scenarios.
Support for certificate-based authentication (CBA)
The Azure Information Protection apps for iOS and Android support certificate-based authentication.
For more information, see Get started with certificate-based authentication in Azure Active Directory.
Multi-factor authentication (MFA) and Azure Information Protection
To use multi-factor authentication (MFA) with Azure Information Protection, you must have at least one of the following installed:
- Microsoft Office, version 2013 or higher
- An AIP client. No minimum version required. The AIP clients for Windows, as well as the viewer apps for iOS and Android all support MFA.
- The Rights Management sharing app for Mac computers. The RMS sharing apps have supported MFA since the September 2015 release.
If you have Office 2013, you might need to install an additional update to support Active Directory Authentication Library (ADAL), such as the June 9, 2015, update for Office 2013 (KB3054853).
For more information, see Office 2013 modern authentication public preview announced on the Office blog.
Once you've confirmed these prerequisites, do one of the following, depending on your tenant configuration:
- Microsoft-managed tenants, with Azure AD or Microsoft 365: configure Azure MFA to enforce MFA for users.
For more information, see:
- Federated tenants, where federation servers operate on-premises: configure your federation servers for Azure Active Directory or Microsoft 365. For example, if you are using AD FS, see Configure Additional Authentication Methods for AD FS.
For more information about this scenario, see The Works with Microsoft 365 – Identity program now streamlined on the Office blog.
Rights Management connector / AIP scanner requirements
The Rights Management connector and the Azure Information Protection scanner do not support MFA.
If you deploy the connector or scanner, the following accounts must not require MFA:
- The account that installs and configures the connector.
- The service principal account in Azure AD, Aadrm_S-1-7-0, that the connector creates.
- The service account that runs the scanner.
User UPN values don't match their email addresses
Configurations where users' UPN values don't match their email addresses are not recommended, and they do not support single sign-on for Azure Information Protection.
If you cannot change the UPN value, configure alternate IDs for the relevant users, and instruct them how to sign in to Office by using this alternate ID.
For more information, see:
- Configuring Alternate Login ID
- Office applications periodically prompt for credentials to SharePoint, OneDrive, and Lync Online.
If the domain name in the UPN value is a domain that is verified for your tenant, add the user's UPN value as another email address to the Azure AD proxyAddresses attribute. This allows the user to be authorized for Azure Rights Management if their UPN value is specified at the time the usage rights are granted.
For more information, see Preparing users and groups for Azure Information Protection.
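The proxyAddresses step above, as an added example that is not taken from this page or from Microsoft's documentation: it audits synchronized on-premises accounts whose UPN differs from their mail address, adds the UPN as a secondary SMTP address only when its domain is in a verified-domain list, and flags the rest for the alternate login ID approach. It assumes the ActiveDirectory PowerShell module, Azure AD Connect synchronization of proxyAddresses, and a constructed `$VerifiedDomains` list that you replace with your tenant's verified domains.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory module,
# accounts synchronized to Azure AD, and a constructed verified-domain list.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com', 'corp.contoso.com')   # constructed; use your tenant's verified domains

$users = Get-ADUser -Filter 'UserPrincipalName -like "*"' -Properties UserPrincipalName, mail, proxyAddresses

foreach ($u in $users) {
    # UPN already matches the mail address (or no mail attribute): nothing to do
    if (-not $u.mail -or $u.UserPrincipalName -ieq $u.mail) { continue }

    $upnDomain = ($u.UserPrincipalName -split '@')[-1]
    $upnAsSmtp = "smtp:$($u.UserPrincipalName)"            # lowercase smtp: marks a secondary address

    # Skip users whose UPN is already present as a primary or secondary SMTP address
    if ($u.proxyAddresses -icontains $upnAsSmtp -or
        $u.proxyAddresses -icontains "SMTP:$($u.UserPrincipalName)") {
        continue
    }

    if ($VerifiedDomains -icontains $upnDomain) {
        # Add the UPN as an extra email address; Azure AD Connect syncs proxyAddresses to Azure AD
        Set-ADUser -Identity $u -Add @{ proxyAddresses = $upnAsSmtp }
        Write-Output "$($u.SamAccountName): added $upnAsSmtp"
    } else {
        # UPN domain is not verified for the tenant, so proxyAddresses will not help:
        # configure an alternate login ID for this user instead
        Write-Warning "$($u.SamAccountName): UPN domain '$upnDomain' is not verified; configure an alternate login ID"
    }
}
```

Run it first with `-WhatIf` on `Set-ADUser` (or comment that line out) to review the list of affected accounts before changing anything.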
Authenticating on-premises using AD FS or another authentication provider
If you're using a mobile device or Mac computer that authenticates on-premises using AD FS, or an equivalent authentication provider, you must use one of the following configurations:
- A minimum server version of Windows Server 2012 R2
- An alternative authentication provider that supports the OAuth 2.0 protocol
Computers running Office 2010
Office 2010 extended support ended on October 13, 2020. For more information, see AIP and legacy Windows and Office versions.
In addition to an Azure AD account, computers running Office 2010 require the Azure Information Protection client for Windows to authenticate to Azure Information Protection, and its data protection service, Azure Rights Management.
If your user accounts are federated (for example, you use AD FS), these computers must use Windows Integrated Authentication. Forms-based authentication in this scenario fails to authenticate users for Azure Information Protection.
We recommend that you deploy the Azure Information Protection unified labeling client. If you haven't yet upgraded, your system may still have the Azure Information Protection classic client deployed.
For more information, see The client side of Azure Information Protection.
To check for other requirements, see Requirements for Azure Information Protection.