Protection features in Azure Information Protection rolling out to existing Office 365 tenants

To help with the initial step in protecting your information, starting July 2018 all Azure Information Protection eligible tenants will have the protection features in Azure Information Protection turned on by default. The protection features in Azure Information Protection were formerly known in Office 365 as Rights Management or Azure RMS. If your organization has an Office E3 service plan or a higher service plan you will now get a head start protecting information through Azure Information Protection when we roll out these features.

Changes beginning July 1, 2018

Starting July 1, 2018, Microsoft will enable the protection capability in Azure Information Protection for all Office 365 tenants who have one of the following subscription plans:

  • Office 365 Message Encryption is offered as part of Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3, and A5, and Office 365 G3 and G5. You do not need additional licenses to receive the new protection capabilities powered by Azure Information Protection.

  • You can also add Azure Information Protection Plan 1 to the following plans to receive the new Office 365 Message Encryption capabilities: Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Office 365 Business Essentials, Office 365 Business Premium, or Office 365 Enterprise E1.

  • Each user benefiting from Office 365 Message Encryption needs to be licensed to be covered by the feature.

  • For the full list see the Exchange Online service descriptions for Office 365 Message Encryption.

Tenant administrators can check the protection status in the Office 365 administrator portal.

Screenshot that shows that rights management in Office 365 is activated.

Why are we making this change?

Office 365 Message Encryption leverages the protection capabilities in Azure Information Protection. At the heart of the recent improvements to Office 365 Message Encryption and our broader investments to information protection in Microsoft 365, we are making it easier for organizations to turn on and use our protection capabilities, as historically, encryption technologies have been difficult to set up. By turning on the protection features in Azure Information Protection by default, you can quickly get started to protect your sensitive data.

Does this impact me?

If your Office 365 organization has purchased an eligible Office 365 license, then your tenant will be impacted by this change.

IMPORTANT! If you're using Active Directory Rights Management Services (AD RMS) in your on-premises environment, you must either opt-out of this change immediately or migrate to Azure Information Protection before we roll out this change within the next 30 days. For information on how to opt-out, see "I use AD RMS, how do I opt out?" later in this article. If you prefer to migrate, see Migrating from AD RMS to Azure Information Protection.

Can I use Azure Information Protection with Active Directory Rights Management Services (AD RMS)?

No. This is not a supported deployment scenario. Without taking the additional opt-out steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn't supported and has unreliable results, so it's important that you opt out of this change within the next 30 days before we roll out these new features. For information on how to opt-out, see "I use AD RMS, how do I opt out?" later in this article. If you prefer to migrate, see Migrating from AD RMS to Azure Information Protection.

How do I know if I'm using AD RMS?

Use these instructions from Preparing the environment for Azure Rights Management when you also have Active Directory Rights Management Services (AD RMS) to check if you have deployed AD RMS:

  1. Although optional, most AD RMS deployments publish the service connection point (SCP) to Active Directory so that domain computers can discover the AD RMS cluster.

Use ADSI Edit to see whether you have an SCP published in Active Directory: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP

  1. If you are not using an SCP, Windows computers that connect to an AD RMS cluster must be configured for client-side service discovery or licensing redirection by using the Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation

For more information about these registry configurations, see Enabling client-side service discovery by using the Windows registry and Redirecting licensing server traffic.

I use AD RMS, how do I opt out?

To opt out of the upcoming change, complete these steps:

  1. Using a work or school account that has global administrator permissions in your Office 365 organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see Connect to Exchange Online PowerShell.

  2. Run the Set-IRMConfiguration cmdlet using the following syntax:

Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false 

What can I expect after this change has been made?

Once this is enabled, provided you haven't opted out, you can start using the new version of Office 365 Message Encryption which was announced at Microsoft Ignite 2017 and leverages the encryption and protection capabilities of Azure Information Protection.

Screenshot that shows an OME protected message in Outlook on the web.

For more information about the new enhancements, see Office 365 Message Encryption.