The client side of Azure Information Protection

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

Azure Information Protection provides a client-server solution that helps to protect an organization's documents and emails:

  • The client can be the Azure Information Protection client or the Rights Management client, and this client integrates with applications that you run on computers and mobile devices.

  • The service resides in the cloud (Azure Information Protection, which uses the Azure Rights Management service for the data protection) or on-premises (Active Directory Rights Management Services, more commonly known as AD RMS).

The Azure Information Protection client supports classification and protection with labeling, in addition to protection without labeling. This client integrates with Office applications and must be installed separately.

The Rights Management (RMS) client is automatically installed with some applications, such as Office applications, the Azure Information Protection client, and RMS-enlightened applications from software vendors. However, it can also be installed by itself, to support synchronizing files from IRM-protected libraries and OneDrive for Business, and for developers who want to integrate rights management protection into line-of-business applications.

Choose which Azure Information Protection client to use

The Azure Information Protection client that downloads labels and policy settings from the Azure portal is in general availability, and has a preview version for testing new functionality and fixes. For more information about these versions of the client, see the Azure Information Protection client: Version release history and support policy.

The Azure Information Protection unified labeling client downloads labels and policy settings from the Office 365 Security & Compliance Center. This client is currently in preview for testing. For more information about this version of the client, see the Azure Information Protection unified labeling client: Version release information.

Which client should you install?

  • If you are deploying in production, use the Azure Information Protection client that is generally available.

  • If you are in a testing and evaluating phase, use one of the preview clients.

    Currently, the preview versions of the Azure Information Protection client and the Azure Information Protection unified labeling client don't have feature parity. However, expect this gap to close, after which new features will be added only to the Azure Information Protection unified labeling client. For this reason, we recommend you test with the Azure Information Protection unified labeling client if its current feature set and functionality meet your business requirements. If not, or if you have configured labels in the Azure portal that you haven't yet migrated to the unified labeling store, use the Azure Information Protection client.

Feature comparisons for the clients

Use the following table to help compare which features are supported by the two current preview versions.

| Feature | Azure Information Protection client | Azure Information Protection unified labeling client |
|---|---|---|
| Labeling actions: Manual, recommended, automatic | Yes | Yes |
| Central reporting (analytics) | Yes | Yes |
| Reset settings and export logs | Yes | Yes |
| User-defined permissions | Yes | For Outlook only (Do Not Forward) |
| Custom permissions | Yes | File Explorer only. In Office apps, as an alternative, users can select File Info > Protect Document > Restrict Access |
| Information Protection bar in Office apps | Yes | Yes with limitations: no title or customizable tooltip; label color not displayed for applied label |
| File Explorer, right-click actions | Yes | Yes with limitations: can't protect PDF documents for .ppdf format; no support for protection-only mode |
| A viewer for protected files | Yes | Yes with limitations: for generically protected files (.pfile), unlike the viewer from the Azure Information Protection client, there's no ability to save changes to the originally opened file |
| PowerShell commands | Yes | Yes with limitations: cmdlets included are Get-AIPFileStatus, Set-AIPFileClassification, Set-AIPFileLabel, Set-AIPAuthentication; cmdlets that connect directly to a protection service are not included |
| Offline support for protection actions | Yes | Yes with limitations: for File Explorer and PowerShell commands, the user must be connected to the Internet to protect files |
| HYOK support | Yes | No. Labels that you migrate from the Azure portal and that are configured for HYOK protection are displayed by the Azure Information Protection unified labeling client, but do not apply protection |
| Usage logging to Event Viewer | Yes | No |
| Label inheritance from email attachments | Yes | No |
| Display the Do Not Forward button in Outlook | Yes | No |
| Customizations that include: default label for email; enable custom permissions; S/MIME support; Report an Issue option | Yes | No |
| Scanner for on-premises data stores | Yes | No |
| Track and revoke | Yes | No |
| Protection-only mode (no labels) | Yes | No |
| Do Not Forward button in Outlook | Yes | No |
| Multilanguage support | Yes | No |
| Support for AD RMS | Yes | The following action only is supported: the viewer can open protected documents |

Functional comparison for the clients

When both clients support the same feature, use the following table to help identify some functional differences between the two current preview versions.

| Functionality | Azure Information Protection client | Azure Information Protection unified labeling client |
|---|---|---|
| Setup | Option to install local demo policy | No local demo policy |
| Label selection and display when applied in Office apps | From the Protect button on the ribbon; from the Information Protection bar (horizontal bar under the ribbon) | From the Sensitivity button on the ribbon; from the Information Protection bar (horizontal bar under the ribbon) |
| Manage the Information Protection bar in Office apps | For users: option to show or hide the bar from the Protect button on the ribbon; when a user selects to hide the bar, by default, the bar is hidden in that app, but continues to automatically display in newly opened apps. For admins: policy settings to automatically show or hide the bar when an app first opens, and control whether the bar automatically remains hidden for newly opened apps after a user selects to hide the bar | For users: option to show or hide the bar from the Sensitivity button on the ribbon; when a user selects to hide the bar, the bar is hidden in that app and also in newly opened apps. For admins: no policy settings to manage the bar |
| Label color | Configure in the Azure portal | Retained after label migration to Office 365. New labels created in the Security & Compliance Center do not have a color |
| Policy update | When an Office app opens; when you right-click to classify and protect a file or folder; when you run the PowerShell cmdlets for labeling and protection; every 24 hours | When an Office app opens; when you right-click to classify and protect a file or folder; when you run the PowerShell cmdlets for labeling and protection; every 4 hours |
| Supported formats for PDF | Protection: ISO standard for PDF encryption (default); .ppdf. Consumption: ISO standard for PDF encryption; .ppdf; SharePoint IRM protection | Protection: ISO standard for PDF encryption. Consumption: ISO standard for PDF encryption; .ppdf; SharePoint IRM protection |
| Supported cmdlets | All the cmdlets documented for AzureInformationProtection | Set-AIPFileClassification and Set-AIPFileLabel don't support the Owner parameter or SharePoint Server libraries. In addition, there is a single comment of "No label to apply" for all scenarios where a label isn't applied. Set-AIPFileLabel doesn't support the EnableTracking parameter. Get-AIPFileStatus doesn't return label information from other tenants and doesn't display the RMSIssuedTime parameter. In addition, the LabelingMethod parameter for Get-AIPFileStatus displays Privileged, Standard, or Auto instead of Manual or Automatic. For more information, see the online documentation |
| Justification prompts (if configured) per action in Office | Frequency: Per file. Actions: lowering the sensitivity level; removing a label; removing protection | Frequency: Per session. Actions: lowering the sensitivity level; removing a label |
| Remove applied label actions | User is prompted to confirm. Default label or automatic label (if configured) isn't automatically applied next time the Office app opens the file | User isn't prompted to confirm. Default label or automatic label (if configured) is automatically applied next time the Office app opens the file |
| Automatic and recommended classification | Configured as label conditions in the Azure portal with built-in information types and custom conditions that use phrases or regular expressions. Configuration options include: unique / not unique count; minimum count | Configured in the Security & Compliance Center with built-in sensitive information types and custom information types. Configuration options include: unique count only; minimum and maximum count; AND and OR support with information types; keyword dictionary; customizable confidence level and character proximity |

For a more detailed comparison of behavior differences for specific protection settings, see Comparing the behavior of protection settings for a label.
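
The Get-AIPFileStatus differences in the table above (different LabelingMethod values, no RMSIssuedTime) matter for scripts that inventory label status across machines running different clients. The following PowerShell is an added example, not Microsoft's code: it normalizes objects shaped like Get-AIPFileStatus output from either client. The function name ConvertTo-NormalizedLabelStatus, the sample objects, and the mapping of Privileged to Manual and of Standard and Auto to Automatic are assumptions to confirm against the online documentation.

```powershell
# Added example (not Microsoft's code). ASSUMPTION: the value mapping below;
# the page only says the unified labeling client shows Privileged, Standard, or Auto.
$MethodMap = @{
    Manual = 'Manual'; Automatic = 'Automatic'                          # Azure Information Protection client
    Privileged = 'Manual'; Standard = 'Automatic'; Auto = 'Automatic'   # unified labeling client
}

function ConvertTo-NormalizedLabelStatus {   # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Status)
    process {
        $raw = [string]$Status.LabelingMethod
        if (-not $Status.IsLabeled) {
            $method = 'None'
        } elseif ($MethodMap.ContainsKey($raw)) {
            $method = $MethodMap[$raw]
        } else {
            $method = 'Unknown'   # surface unexpected values instead of guessing
        }
        # The unified labeling client doesn't display RMSIssuedTime, so test for it.
        $issued = $null
        if ($Status.PSObject.Properties.Name -contains 'RMSIssuedTime') {
            $issued = $Status.RMSIssuedTime
        }
        [pscustomobject]@{
            FileName      = $Status.FileName
            Label         = $Status.MainLabelName
            Method        = $method
            RawMethod     = $raw
            RMSIssuedTime = $issued
        }
    }
}

# Constructed sample objects standing in for Get-AIPFileStatus output.
$samples = @(
    [pscustomobject]@{ FileName = 'C:\Docs\plan.docx'; IsLabeled = $true; MainLabelName = 'Confidential'
                       LabelingMethod = 'Manual'; RMSIssuedTime = '2019-01-15 10:02' }
    [pscustomobject]@{ FileName = 'C:\Docs\budget.xlsx'; IsLabeled = $true; MainLabelName = 'Confidential'
                       LabelingMethod = 'Privileged' }
    [pscustomobject]@{ FileName = 'C:\Docs\notes.txt'; IsLabeled = $false; MainLabelName = $null
                       LabelingMethod = $null }
)
$samples | ConvertTo-NormalizedLabelStatus | Format-Table -AutoSize

# Against real files: Get-AIPFileStatus -Path <folder> | ConvertTo-NormalizedLabelStatus
```

Keeping RawMethod in the output lets a reviewer see which client produced each row and spot values the mapping does not cover.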

Features that will not be in the Azure Information Protection unified labeling client

Although the Azure Information Protection unified labeling client is still under development, the following features and behavior differences from the Azure Information Protection client will not be available in future releases for the Azure Information Protection unified labeling client:

  • Custom permissions in Office apps: Word, Excel, and PowerPoint

  • Track and revoke from Office apps and File Explorer

  • Information Protection bar title and tooltip

  • Offline support for protection actions in PowerShell and File Explorer

  • Protection-only mode (no labels)

  • Protect PDF document as .ppdf format

  • Display the Do Not Forward button in Outlook

  • Demo policy

  • Justification for removing protection

  • Confirmation prompt before deleting an applied label

  • Report an Issue link in the Help and Feedback dialog box

  • Label an Office document by using an existing custom property (SyncPropertyName and SyncPropertyState advanced client settings)

  • Separate PowerShell cmdlets to connect to a Rights Management service

  • AD RMS only protection

Parent labels and their sublabels

The Azure Information Protection client doesn't support configurations that specify a parent label that has sublabels. These configurations include specifying a default label, and a label for recommended or automatic classification. When a label has sublabels, you can specify one of the sublabels but not the parent label.

For parity, the Azure Information Protection unified labeling client also doesn't support applying parent labels that have sublabels, even though you can select these labels in the Office 365 Security & Compliance Center. In this scenario, the Azure Information Protection unified labeling client will not apply the parent label.

See also

Use the following documentation when you need more information about how to deploy and use these clients:

Although the Azure Information Protection client can be used with AD RMS, it is best suited to work with its Azure services: Azure Information Protection and its data protection service, Azure Rights Management. For a comparison of the service side for Azure Information Protection, see Comparing Azure Information Protection and AD RMS.