Thanks to Office 365, the strapline “work from anywhere, at any time and on any device” has been made possible.
Although this has brought many advantages to users, it has been a real challenge for IT administrators and security officers, who now see corporate data stored on personal mobile devices. Hence the new slogan, “protect the data”, rather than “protect your network” or “protect your infrastructure”. Data is what matters most here. Network security still matters, but with data increasingly held in SaaS services such as Office 365 and accessed from mobile devices in diverse locations, securing the on-premises infrastructure alone is no longer sufficient.
Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels. Labels can be applied:
- Automatically by administrators using rules and conditions
- Manually by users
- By a combination where administrators define the recommendations to users
A little bit of history
Azure Information Protection has evolved from a long line of Microsoft technologies that implement rights management protection. Because of this evolution, you may have heard of this software under one of its previous names:
- Azure Rights Management Services (Azure RMS)
- Azure Active Directory Rights Management
- Windows Azure Active Directory Rights Management
- Active Directory Rights Management Services (AD RMS)
- Windows Rights Management Services (Windows RMS or WRMS)
Collectively, these technologies implement Information Rights Management (IRM), a form of Digital Rights Management (DRM). Most DRM solutions, however, protect commercial digital content against unauthorized distribution, which is a very different problem from enterprise information protection.
What can Azure Information Protection do for you?
As mentioned before, Azure Information Protection helps organizations classify, and optionally protect, their documents and emails by applying labels. Those labels can be applied automatically through rules and conditions that administrators define, manually by users, or by users acting on recommendations that administrators configure.
Several technologies sit behind Azure Information Protection. Classification is achieved through labels, which are now unified across Office 365. Protection can be applied either through a label that carries protection settings, or by a user choosing to protect specific data, for example by selecting the “Do Not Forward” option on an email.
Here are some of the results for the recipients of a protected email:
- Copy and paste is disabled on protected content
- Screenshots are blocked by the application
- Screen sharing shows a black area where the application window would be
- Printing is disabled
- The forward button does nothing
- When replying, you cannot add new recipients
This kind of protection is possible because the encryption is built into the Office applications themselves; it is not a wrapper around the file like a password-protected Zip archive. The actual content is encrypted, and Word, Excel and PowerPoint files can all be protected using AIP. Note that the usage restrictions listed above are enforced by the authorized application after it has decrypted the content; they are not a property of the ciphertext, so an authorized viewer could still photograph the screen or retype the text. What the encryption guarantees is that nobody outside the policy can read the content at all.
How does it all work?
It is important to understand that Azure Information Protection does not require the data being protected to be processed by or stored in Azure or Office 365, although you can store it there if you want to.
- Azure RMS (Azure Rights Management Services), a component of Azure Information Protection, makes the data in a document unreadable to anyone other than authorized users and services
- Data is encrypted at the application level, and the document carries a policy that defines its authorized use
When a protected document is opened by a legitimate user or processed by an authorized service, the data in the document is decrypted and the rights defined in the policy are enforced.
At a high level, the process works as shown in the following picture: a document containing the secret formula is protected, then successfully opened by an authorized user or service.
The document is protected by a content key (the green key in the picture). This key is unique for each document and is placed in the file header, where it is itself protected by your Azure Information Protection tenant root key (the red key in the picture). Your tenant key can be generated and managed by Microsoft, or you can generate and manage your own.
Because of this design, when Azure RMS encrypts and decrypts, authorizes, and enforces restrictions, it only ever handles the protected content key and the policy; the document’s content is never sent to Azure.
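The flow described above, as an added example that is not code from the original post or from Microsoft: a small Python model of protect and consume. Since it uses only the standard library, an HMAC-SHA256 counter-mode cipher stands in for the AES content encryption and the RSA wrapping with the tenant key of the real service (an assumption, made so it runs anywhere), and all names (RightsService, protect, consume, the usage-right strings) are hypothetical. What it shows is the key hierarchy from the picture: a fresh content key per document, wrapped by the tenant root key in the file header; a service that only ever receives content keys and headers, never a document body; and, because the wrapped key is bound to a digest of the policy, that editing the policy in the header to grant yourself rights does not get you the key.

```python
"""Model of the protect/consume flow described above (added example, not
Microsoft's code). Stdlib only: the AES content encryption and RSA tenant-key
wrapping of the real service are stood in for by an HMAC-SHA256 counter-mode
cipher with an HMAC tag (an assumption; the key hierarchy and the data flow
are the point, not the primitive). All names below are hypothetical."""
import hashlib
import hmac
import json
import os
import struct

HEADER_LEN = struct.Struct(">I")


def _subkey(key, purpose):
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for an AEAD. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def _policy_digest(policy):
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).digest()


class RightsService:
    """Stand-in for Azure RMS: holds the tenant root key (the red key) and only
    ever receives content keys and headers, never a document body."""

    def __init__(self):
        self._tenant_root_key = os.urandom(32)
        self.received = []   # everything sent to the service, so a test can show no body ever arrives

    def wrap(self, content_key, policy):
        # Binding the key to a digest of the policy means the policy cannot be edited in the file later.
        self.received.append(content_key)
        return seal(self._tenant_root_key, content_key + _policy_digest(policy)).hex()

    def issue_use_license(self, header, user):
        self.received.append(json.dumps(header).encode())
        unwrapped = open_sealed(self._tenant_root_key, bytes.fromhex(header["wrapped_key"]))
        content_key, bound_digest = unwrapped[:32], unwrapped[32:]
        if not hmac.compare_digest(bound_digest, _policy_digest(header["policy"])):
            raise ValueError("header policy does not match the policy the key was bound to")
        rights = header["policy"]["rights"].get(user)
        if rights is None:
            raise PermissionError(f"{user} is not an authorized recipient")
        return content_key, rights


def protect(service, plaintext, policy):
    content_key = os.urandom(32)                         # the green key: unique for every document
    header = {"policy": policy, "wrapped_key": service.wrap(content_key, policy)}
    header_bytes = json.dumps(header, sort_keys=True).encode()
    return HEADER_LEN.pack(len(header_bytes)) + header_bytes + seal(content_key, plaintext)


def consume(service, protected, user):
    n = HEADER_LEN.unpack(protected[:4])[0]
    header = json.loads(protected[4:4 + n])
    content_key, rights = service.issue_use_license(header, user)   # only the header goes to the service
    return open_sealed(content_key, protected[4 + n:]), rights


def can(rights, right):
    return right in rights


def forge_grant(protected, user, rights):
    """What someone who can edit the file might try: add themselves to the policy in the header."""
    n = HEADER_LEN.unpack(protected[:4])[0]
    header = json.loads(protected[4:4 + n])
    header["policy"]["rights"][user] = list(rights)
    header_bytes = json.dumps(header, sort_keys=True).encode()
    return HEADER_LEN.pack(len(header_bytes)) + header_bytes + protected[4 + n:]


def try_consume(service, protected, user):
    """Returns ('ok', body, rights), ('denied', None, None) or ('rejected', None, None)."""
    try:
        body, rights = consume(service, protected, user)
        return "ok", body, rights
    except PermissionError:
        return "denied", None, None
    except ValueError:
        return "rejected", None, None


if __name__ == "__main__":
    svc = RightsService()
    policy = {"owner": "alice@contoso.com", "rights": {"bob@contoso.com": ["VIEW"]}}
    doc = protect(svc, b"The secret formula: two parts sugar, one part caffeine.", policy)
    print(try_consume(svc, doc, "bob@contoso.com")[0], try_consume(svc, doc, "mallory@contoso.com")[0])
```

In the real service the client encrypts the content key to the tenant's public key itself, so not even the raw content key crosses the wire at protect time; the symmetric stand-in here has to ask the service to wrap it, which is why `wrap` records the key as received. Either way the body is sealed under the content key before anything leaves the client, and the rights that come back with the use license are what the consuming application enforces.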
I hope you found the information in today’s blog post about Azure Information Protection useful.
If you have any other questions, or you would like to connect with our specialists, you can reach us by filling out the form here.