Azure Information Protection Documentation Update for March 2018


The Documentation for Azure Information Protection has been updated on the web and the latest content has a March 2018 (or later) date at the top of the article.


A couple of quiet releases that you might have missed include DNS redirection to help you more easily migrate from AD RMS, and the new Information Protection admin role, which lost its preview disclaimer because it was declared GA. We also have a new client customization option to help you migrate from another labeling solution, such as Secure Islands. We’ve had very positive feedback from customers using all these recent additions.


As the new Encrypt-Only option rolls out to Exchange Online, we’ve been getting more customer questions about this and the attached Office documents that become automatically protected. As a result, we’ve added more information to the description of this option, and how to configure a label for the same set of permissions (although you can’t restrict the label to just Outlook and you must specify the recipients or domain in advance). We’ve also been asked to clarify the inherited permissions for an Office document that’s attached to a Do Not Forward email.


Questions about subscriptions and licensing were also higher than usual this month. The technical documentation doesn’t list specific subscriptions because these are managed by separate teams who are responsible for deciding what gets included or not in the subscriptions. They are also responsible for creating new subscriptions, and retiring older subscriptions. So the technical documentation links to their information, but we heard it wasn’t always clear which features were included in a subscription. We passed that information on and you’re invited to provide your own feedback with this Yammer post: In the meantime, to help you more easily find the subscription information, we’ve added links to the Applies to: section at the top of each page.


We listen to your feedback and try to incorporate it whenever possible. Let me know if you have feedback about the documentation and I also encourage you to head over to our Yammer site to see what others are discussing. 


What’s new in the documentation for Azure Information Protection, March 2018


RMS for individuals and Azure Information Protection

– Updated in line with the new support statement that this subscription is no longer supported for protecting documents and emails. Instead, use it for authentication only if the user’s organization does not have an Azure AD tenant.


Requirements for Azure Information Protection

– Updates for the following sections:

  • The Subscription for Azure Information Protection section has a new link for Office 365 US Government now that this service description is updated to include Office 365 Message Encryption. 

  • The Azure Active Directory section confirms that Azure Information Protection supports single sign-on (SSO) so that users are not repeatedly prompted for their credentials. However, if you use a vendor solution for federation, check with that vendor how to configure it for Azure AD. WS-Trust is a common requirement for these solutions to support single sign-on.

  • The Applications section has more information about how to confirm whether your Office 365 subscription includes Office 365 Pro Plus, which is the Office edition needed to support protection.

  • The Firewalls and network infrastructure section is updated with the TCP port 443 to This URL is required for many Office applications and services but doesn’t specifically list Azure Information Protection in the Office documentation. If this port is blocked, you might experience performance issues so we recommend checking that this endpoint is allowed on firewalls. 

Migration phase 3 – client-side configuration

– New section, Client reconfiguration by using DNS redirection. DNS redirection is the new and preferred method for client migration because it is simpler than using registry edits. However, this redirection requires Office 2016 click-to-run desktop apps for Windows computers. To configure this redirection method, you must create a new SRV record, and set an NTFS deny permission for users on the AD RMS publishing endpoint.
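The two configuration steps named above, written out as an added PowerShell example (this is not code from the Azure Information Protection documentation). The DNS zone, AD RMS cluster host name and tenant RMS endpoint are placeholders to replace with your own values; the SRV record layout (`_rmsredir._http.<cluster>`, port 80) and the `publish.asmx` path are my recollection of the migration article and should be confirmed against it before use.

```powershell
# Added example, not part of the AIP documentation. All values below are
# placeholders or assumptions; confirm them against the migration article.

# --- Step 1 (on the DNS server hosting the AD RMS cluster's zone) ---
$zone      = 'corp.example.com'                       # placeholder DNS zone
$adrmsHost = 'rmscluster'                             # placeholder: cluster host name, without the zone suffix
$tenantUrl = '<tenant-id>.rms.<region>.aadrm.com'     # placeholder: your tenant's Azure RMS endpoint

# SRV record that redirects clients from the AD RMS cluster to Azure RMS.
# Assumption: service _rmsredir, protocol _http, any port/priority/weight.
Add-DnsServerResourceRecord -Srv -ZoneName $zone `
    -Name "_rmsredir._http.$adrmsHost" `
    -DomainName $tenantUrl -Port 80 -Priority 0 -Weight 0

# Check that the record resolves from a client's point of view.
Resolve-DnsName -Type SRV -Name "_rmsredir._http.$adrmsHost.$zone"

# --- Step 2 (on each AD RMS server) ---
# Deny Users read/execute on the publishing endpoint so clients stop
# obtaining publishing licenses from AD RMS and follow the redirect instead.
# Assumption: the endpoint file is publish.asmx under the licensing pipeline.
$publishAsmx = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\licensing\publish.asmx'
if (-not (Test-Path $publishAsmx)) {
    throw "Publishing endpoint not found at $publishAsmx; verify the path on this server."
}
icacls $publishAsmx /deny 'BUILTIN\Users:(RX)'

# Show the resulting ACL so the deny entry can be verified.
icacls $publishAsmx
```

Run the first part on a DNS server that hosts the cluster's zone and the second on every AD RMS server in the cluster; both require an elevated session. The redirect only takes effect for Office 2016 click-to-run desktop apps, as the section above states, so keep the registry-based method for other clients.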


Migration phase 4 – supporting services configuration

– Updated Step 8. Configure IRM integration for Exchange Online to incorporate DNS redirection for Exchange Online, and a warning that at this stage of the migration, all user accounts must be synchronized to Azure AD.


Office 365: Configuration for clients and online services to use the Azure Rights Management service

– Updated the user instructions to enable IRM-protection for OneDrive for Business, to match the OneDrive UI design change.


Configuring usage rights for Azure Rights Management

– Updated the sections for Do Not Forward option for emails and Encrypt-Only option for emails, to provide more information about these options and how Office attachments inherit the same permissions. Also updated the descriptions for some of the usage rights to explain how these are used with some real-world scenarios:

  • Edit Content, Edit (common name): In Word, this usage right isn’t sufficient to use all the features associated with Track Changes.

  • View, Open, Read (common name): In Excel, this usage right isn’t sufficient to sort and filter data, or create pivot tables.

  • Copy (common name): In Skype for Business and similar screen-sharing applications, the presenter must have this usage right to successfully present a protected document. If the presenter does not have this right, the attendees cannot view the document and it displays as blacked out to them.

Configuring the Azure Information Protection policy

– Updated the Signing in the Azure portal section, to remove the preview disclaimer for the new Information Protection role. The status of this role is now generally available and the Azure Active Directory article, Assigning administrator roles in Azure Active Directory, is similarly updated.


How to create a new label for Azure Information Protection

– Updated to add the warning not to use the character # for a label name, in addition to the other characters that are automatically blocked in the Azure portal. The full list of characters that you should not use for labels because they cannot be used by all services and applications: < > % & / ? ; + \ : #. This information is also added to Add-AadrmTemplate and Set-AadrmTemplateProperty.
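A pre-flight check for label and template names that uses the blocked character list quoted above, as an added example (not code from the AIP documentation). The function name `Test-AipLabelName` is my own; it is meant to be run before calling Add-AadrmTemplate or Set-AadrmTemplateProperty.

```powershell
# Added example, not part of the AIP documentation.
# Regex character class built from the blocked list: < > % & / ? ; + \ : #
$script:BlockedLabelCharPattern = '[<>%&/?;+\\:#]'

function Test-AipLabelName {
    # Returns $true when the name contains none of the blocked characters,
    # otherwise warns which characters were found and returns $false.
    param([Parameter(Mandatory)][string]$Name)

    $found = [regex]::Matches($Name, $script:BlockedLabelCharPattern) |
        ForEach-Object { $_.Value } | Sort-Object -Unique

    if ($found) {
        Write-Warning ("Label name '{0}' contains blocked character(s): {1}" -f $Name, ($found -join ' '))
        return $false
    }
    return $true
}

# Constructed sample names: the first passes, the other two are rejected.
'Confidential', 'Internal#Only', 'HR/Finance;2018' | ForEach-Object {
    '{0,-18} {1}' -f $_, (Test-AipLabelName -Name $_)
}
```

Wire the check in front of the template cmdlets, for example `if (Test-AipLabelName -Name $name) { Set-AadrmTemplateProperty -TemplateId $id -Name $name }`, so a name the portal would reject is caught before it reaches services that cannot handle it.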


How to configure a label for Rights Management protection

– Updated with the clarification that you can configure a label for protection without configuring protection settings. This configuration results in a label that applies “Only for me” protection. In other words, only the person who applies the label can open the document or email with no usage restrictions. In some cases, this might be the required outcome, so that a user can save a file to any location and be assured that only they can open it. However, it’s also possible to select this configuration in error, when you really want protection settings that support collaboration.


In addition, the Example configuration section is updated for Example 4: Label for protected email that supports less restrictive permissions than Do Not Forward. More detail is added on how to create a label with the same usage rights as those in the new Encrypt-Only option.


Configuring and managing templates for Azure Information Protection

– Updated for the new location of protection templates in the Azure portal. 


Azure Information Protection client: Version release history and support policy

– Updated to remove information about the version now that it’s out of support.


Admin Guide: Custom configurations for the Azure Information Protection client

– New entry: Migrate labels from Secure Islands and other labeling solutions.

