How to classify your documents with Azure Information Protection Part 1

Azure Information Protection (referred as AIP) is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. To ensure the protection of sensitive information, it needs to start by identifying which data is sensitive, what kind of protection it requires, how to apply for protection, and how to track usage of travelling data.

The first step is to classify the information’s need for protection and implement policies and labels. The Microsoft Azure Information Protection ensures persistent classification and protection of sensitive data no matter where it’s stored or who it’s shared with. 

Default classifications and policies are defined at the organization level by the IT team and are enforced by Azure Information Protection client. Azure Information Protection client checks for any changes whenever a supported Microsoft Office application starts and downloads the changes as its latest Azure Information Protection policy. Users must have an Azure Information Protection client installed on their machines to define classifications and open protected documents. The client can be pushed centrally by the IT team to all employees with SCCM or GPO. 


Before you deploy Azure Information Protection in your organization, make sure that you have follow the prerequisites: 

Client Side requirements 

Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1 

The Fully installed version of the Azure Information Protection client requires the following  

  • Screen resolution greater than 800×600 
  • Microsoft Online Service Sign-in Assistant 7.250.4303.0 
  • KB2533623 (Windows 7 SP1 requires) 
  • Visual C++ Redistributable for Visual Studio 2015 (32-bit version) 
  • GPO to prevent the Azure Information Protection add-in from being enabled in Outlook 
  • Microsoft .NET Framework 4.6.2 
  • Windows PowerShell version 4.0 

Subscription minimum requirements 

  • Microsoft Azure Information Protection is included in the Office 365 Enterprise E3 and above plans 
  • Azure Information Protection Premium P1 (Also part of Microsoft Enterprise Mobility + Security E3 and Microsoft 365 E3 plans) 

Permission requirements

Global administrators for an Office 365 tenant or Azure AD tenant can run all administrative task for Azure Information Protection. However, there are different administrative permissions to assign for users. The following options applies: 

  • Information Protection Administrator: This Azure Active Directory administrator lets an administrator configure all aspects of Azure Information Protection but not other services. An Administrator with this role can activate and deactivate the Azure Rights Management protection service, configure protection settings and labels, and configure the Azure Information Protection policy. In addition, an administrator with this role can run all the PowerShell cmdlets for the Azure Information Protection client and from the AADRM module. 
  • Security Reader: This role for Azure Information Protection Analytics only. This Azure Active Directory administrator role lets an administrator view how your labels are being used, monitor user access to labeled documents and emails, and any changes to their classification, and can identify documents that contain sensitive information that must be protected. Because this feature uses Azure Log Analytics, you must also have a supporting RBAC role
  • Security Administrator: This Azure Active Directory administrator role lets an administrator configure all aspects of Azure Information Protection in the Azure portal, in addition to configuring some aspects of other Azure services. An administrator with this role cannot run any of the PowerShell cmdlets from the AADRM module

Leave a Reply

Your email address will not be published. Required fields are marked *