Frequently asked questions for Azure Information Protection
Applies to: Azure Information Protection, Office 365
Have a question about Azure Information Protection, or about the Azure Rights Management service (Azure RMS)? See if it's answered here.
These FAQ pages are updated regularly, with new additions listed in the monthly documentation update announcements on the Enterprise Mobility and Security Blog.
What's the difference between Azure Information Protection and Azure Rights Management?
Azure Information Protection provides classification, labeling, and protection for an organization's documents and emails. The protection technology uses the Azure Rights Management service; now a component of Azure Information Protection.
What is the role of identity management for Azure Information Protection?
A user must have a valid user name and password to access content that is protected by Azure Information Protection. To read more about how Azure Information Protection helps to secure your data, see The role of Azure Information Protection in securing data.
What subscription do I need for Azure Information Protection and what features are included?
If you have an Office 365 subscription that includes Rights Management, download the Azure Information Protection licensing datasheet from the Features page.
Is the Azure Information Protection client only for subscriptions that include classification and labeling?
No. Although most of the presentations and demos you've seen of the Azure Information Protection client show how it supports classification and labeling, it can also be used with subscriptions that include just the Azure Rights Management service to protect data.
When the Azure Information Protection client for Windows is installed and it doesn't have an Azure Information Protection policy, the client automatically operates in protection-only mode. In this mode, users can easily apply Rights Management templates and custom permissions. If you later purchase a subscription that does include classification and labeling, the client automatically switches to standard mode when it downloads the Azure Information Protection policy.
If you currently use the Rights Management sharing application for Windows, we recommend that you replace this application with the Azure Information Protection client. Support for the sharing application will end January 31, 2019. To help with the transition, see Tasks that you used to do with the RMS sharing application.
Do you need to be a global admin to configure Azure Information Protection, or can I delegate to other administrators?
Global administrators for an Office 365 tenant or Azure AD tenant can obviously run all administrative tasks for Azure Information Protection. However, if you want to assign administrative permissions to other users, you have the following options:
Information Protection Administrator (currently in preview): This Azure Active Directory administrator role lets an administrator configure all aspects of Azure Information Protection but not other services. An administrator with this role can activate and deactivate the Azure Rights Management protection service, configure protection settings and labels, and configure the Azure Information Protection policy. In addition, an administrator with this role can run all the PowerShell cmdlets from the AADRM module.
To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.
Security Administrator: This Azure Active Directory administrator role lets an administrator configure all aspects of Azure Information Protection in the Azure portal, in addition to configuring some aspects of other Azure services. An administrator with this role cannot run any of the PowerShell cmdlets from the AADRM module.
To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory. To see what other permissions a user with this role has, see the Available roles section from the Azure Active Directory documentation.
Azure Rights Management Global Administrator and Connector Administrator: For these Azure Rights Management administrator roles, the first grants users permissions to run all PowerShell cmdlets from the AADRM module without making them a global administrator for other cloud services, and the second role grants permissions to run only the Rights Management (RMS) connector. Neither of these administrative roles grant permissions to management consoles.
To assign either of these administrative roles, use the AADRM PowerShell cmdlet, Add-AadrmRoleBasedAdministrator.
Some things to note:
If you have configured onboarding controls, this configuration does not affect the ability to administer Azure Information Protection, except the RMS connector. For example, if you have configured onboarding controls such that the ability to protect content is restricted to the “IT department” group, the account that you use to install and configure the RMS connector must be a member of that group.
Users who are assigned an administrative role cannot automatically remove protection from documents or emails that were protected by Azure Information Protection. Only users who are assigned super users can do this, and when the super user feature is enabled. However, any user that you assign administrative permissions to Azure Information Protection can assign users as super users, including their own account. They can also enable the super user feature. These actions are recorded in an administrator log. For more information, see the security best practices section in Configuring super users for Azure Rights Management and discovery services or data recovery.
Does Azure Information Protection support on-premises and hybrid scenarios?
Yes. Although Azure Information Protection is a cloud-based solution, it can classify, label, and protect documents and emails that are stored on-premises, as well as in the cloud.
If you have Exchange Server, SharePoint Server, and Windows file servers, you can deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents. You can also synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users, for example, by using Azure AD Connect.
The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn’t use an on-premises PKI. For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption section in the How does Azure RMS work? article.
What types of data can Azure Information Protection classify and protect?
Azure Information Protection can classify and protect email messages and documents, whether they are located on-premises or in the cloud. These documents include Word documents, Excel spreadsheets, PowerPoint presentations, PDF documents, text-based files, and image files. For a list of the document types supported, see the list of file types supported in the admin guide.
Azure Information Protection cannot classify and protect structured data such as database files, calendar items, PowerBI reports, Yammer posts, Sway content, and OneNote notebooks.
I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?
Yes, as a public preview offering, you can now configure Azure AD conditional access for Azure Information Protection.
When a user opens a document that is protected by Azure Information Protection, administrators can now block or grant access to users in their tenant, based on the standard conditional access controls. Requiring multi-factor authentication (MFA) is one of the most commonly requested conditions. Another one is that devices must be compliant with your Intune policies so that for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.
For more information and some walk-through examples, see the following blog post: Conditional Access policies for Azure Information Protection.
For Windows computers: For the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days.
You might want to fine-tune how often your conditional access policies get evaluated. You can do this by configuring the token lifetime. For more information, see Configurable token lifetimes in Azure Active Directory.
We recommend that you do not add administrator accounts to your conditional access policies because these accounts will not be able to access the Azure Information Protection blade in the Azure portal.
If you use many cloud apps for conditional access, you might not see Microsoft Azure Information Protection displayed in the list to select. In this case, use the search box at the top of the list. Start typing "Microsoft Azure Information Protection" to filter the available apps. Providing you have a supported subscription, you'll then see Microsoft Azure Information Protection to select.
What’s the difference between labels in Azure Information Protection and labels in Office 365?
Labels in Azure Information Protection let you apply a consistent classification and protection policy for documents and emails whether they are on-premises or in the cloud. This classification and protection is independent of where the content is stored or how it is moved. Labels in Office 365 Security & Compliance let you classify documents and emails for auditing and retention when that content is in Office 365 services.
Today, you apply and manage these labels separately but Microsoft is working towards a comprehensive and unified labeling strategy for multiple services that include Azure Information Protection, Office 365, Microsoft Cloud App Security, and Windows Information Protection. This same labeling schema and store will also be available for software vendors. For more information, see the Microsoft Ignite 2017 session, Protecting complete data lifecycle using Microsoft information protection capabilities.
What’s the difference between Windows Server FCI and the Azure Information Protection scanner?
For a while, you've been able to use Windows Server File Classification Infrastructure to classify documents and then protect them by using the Rights Management connector (Office documents only) or a PowerShell script (all file types).
You can now use the Azure Information Protection scanner. The scanner uses the Azure Information Protection client and your Azure Information Protection policy to label documents (all file types) so that these documents are then classified and optionally, protected.
The main differences between these two solutions:
|Windows Server FCI||Azure Information Protection scanner|
|Supported data stores:
- Local folders on Windows Server
|Supported data stores:
- Local folders on Windows Server
- Windows file shares and network-attached storage
- SharePoint Server 2016 and SharePoint Server 2013
- Real time
- Systematically crawls the data stores and this cycle can run once, or repeatedly
Currently, there is a difference in setting the Rights Management owner for files that are protected on a local folder or network share. By default, for both solutions, the Rights Management owner is set to the account that protects the file but you can override this setting:
For Windows Server FCI: You can set the Rights Management owner to be a single account for all files, or dynamically set the Rights Management owner for each file. To dynamically set the Rights Management owner, use the -OwnerMail [Source File Owner Email] parameter and value. This configuration retrieves the user's email address from Active Directory by using the user account name in the file's Owner property.
For the Azure Information Protection scanner: You can set the Rights Management owner to be a single account for all files on a specified data store, but you cannot dynamically set the Rights Management owner for each file. To set the account, specify the -DefaultOwner parameter for the data repository profile.
When the scanner protects files on SharePoint sites and libraries, the Rights Management owner is dynamically set for each file by using the SharePoint author value.
I’ve heard a new release is going to be available soon, for Azure Information Protection—when will it be released?
The technical documentation does not contain information about upcoming releases. For this type of information and for release announcements, check the Enterprise Mobility and Security Blog and get the latest updates from Microsoft Mobility@MSFTMobility on Twitter. If it’s an Office release that you’re interested in, be sure to also check the Office blog.
Where can I find supporting information for Azure Information Protection—such as legal, compliance, and SLAs?
How can I report a problem or send feedback for Azure Information Protection?
For technical support, use your standard support channels or contact Microsoft Support.
For feedback such as suggestions for improvements or new features: In your Office application, on the Home tab, in the Protection group, click Protect, and then click Help and Feedback. In the Microsoft Azure Information Protection dialog box, click Send Us Feedback. This option opens an email message to be sent to the Information Protection team.
We also invite you to engage with our engineering team, on their Azure Information Protection Yammer site.
What do I do if my question isn’t here?
First, review the following frequently asked questions that are specific to classification and labeling, or specific to data protection. The Azure Rights Management service (Azure RMS) provides the data protection technology for Azure Information Protection. Azure RMS can be used with classification and labeling, or by itself.
If you question isn't answered, use the links and resources listed in Information and support for Azure Information Protection.
In addition, there are FAQs designed for end users:
Before commenting, we ask that you review our House rules.