Applies to: Azure Information Protection, Office 365
Before you deploy Azure Information Protection for your organization, make sure that you have the following prerequisites.
|A subscription for Azure Information Protection||For classification, labeling, and protection, you must have an Azure Information Protection plan. For protection-only, you must have an Office 365 plan that includes Rights Management.
Review the subscription information and feature list from the Azure Information Protection site to make sure that your organization's subscription includes the Azure Information Protection features that you want to use.
Note: If you have questions about subscriptions or licensing, do not post them on this page but instead, contact your Microsoft Account Manager or Microsoft Support.
|Azure Active Directory||Your organization must have an Azure Active Directory (Azure AD) to support user authentication and authorization for Azure Information Protection. In addition, if you want to use your user accounts from your on-premises directory (AD DS), you must also configure directory integration.
Multi-factor authentication (MFA) is supported with Azure Information Protection when you have the required client software and correctly configured MFA supporting infrastructure.
For more information about authentication requirements, see Azure Active Directory requirements for Azure Information Protection.
For more information about the requirements for user and group accounts for authorization, see Preparing users and groups for Azure Information Protection.
|Client devices||Users must have client devices (computer or mobile device) that run an operating system that supports Azure Information Protection.
The following devices support the Azure Information Protection client, which lets users classify and label their Office documents and emails:
- Windows 10 (x86, x64)
- Windows 8.1 (x86, x64)
- Windows 8 (x86, x64)
- Windows 7 Service Pack 1 (x86, x64)
When this client protects the data by using the Azure Rights Management service, the data can be consumed by the same devices (Windows, Mac, iOS, Android), that support the Azure Rights Management service.
For details about the devices that support the Azure Rights Management service, see Client devices that support Azure Rights Management data protection.
|Applications||The Azure Information Protection client can label and protect files and emails by using the Office applications Word, Excel, PowerPoint, and Outlook from any of the following Office suites:
- Office 365 ProPlus with 2016 apps or 2013 apps (Click-to-Run or Windows Installer-based installation)
- Office Professional Plus 2016
- Office Professional Plus 2013 with Service Pack 1
- Office Professional Plus 2010
For information about which Office editions support the data protection service, see Applications that support Azure Rights Management data protection.
|Infrastructure that supports connectivity to the Internet and dependent cloud services||If you have a firewall or similar intervening network devices that must be configured to allow specific connections, see the information for Azure Rights Management (RMS) in the Office 365 portal and shared section from the following Office article: Office 365 URLs and IP address ranges.
Use the instructions in this Office article to keep up-to-date with changes to this information, by subscribing to an RSS feed.
In addition to the information in the Office article, specific to Azure Information Protection:
- Allow HTTPS traffic on TCP 443 to api.informationprotection.azure.com.
- Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection). Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with Azure RMS.
- If you use a web proxy that requires authentication, you must configure it to use integrated Windows authentication with the user's Active Directory logon credentials.
If you want to use the Azure Rights Management service from Azure Information Protection with on-premises servers, the following products are supported:
Windows Server file servers that support File Classification Infrastructure
For information about the additional requirements for this scenario, see On-premises servers that support Azure Rights Management data protection.
The following deployment scenario is not supported unless you are using AD RMS protection with Azure Information Protection (the "hold your own key" or HYOK configuration):
- Running AD RMS and Azure RMS side-by-side in the same organization, except during migration, as described in Migrating from AD RMS to Azure Information Protection.
There is a supported migration path from AD RMS to Azure Information Protection, and from Azure Information Protection to AD RMS. If you deploy Azure Information Protection and then decide that you no longer want to use this cloud service, see Decommissioning and deactivating Azure Information Protection.
Before commenting, we ask that you review our House rules.