Azure Information Protection Documentation Update for February 2018


Tags:- , ,

The Documentation for Azure Information Protection has been updated on the web and the latest content has a February 2018 (or later) date at the top of the article.

Despite the fewer number of days in this month, we’re not short on doc updates to support new releases or requests for clarifications.  So this is the place to check for anything you might have missed. For example, these doc updates include:

  • New preview release of the Azure Information Protection client.
  • GA release of the Azure Information Protection scanner, with new configuration options.
  • The AADRM module for managing the Azure Rights Management service has moved to the PowerShell Gallery.
  • New admin role, Information Protection Administrator.
  • The protection service, Azure Rights Management, is now activated by default for new tenants.
  • The new Office 365 Message Encryption capabilities are enabled by default for new tenants.
  • Rollout of the new Exchange Online option, Encrypt-Only.

Help bot update: After announcing the introduction of the help bot for Azure Information Protection last month, we’ve had a good uptake on people turning to this resource for fast help. If your question isn’t answered, the bot gives you the option of searching the docs or opening a support case. But the bot is also learning with each question. If your question is scoped to Azure Information Protection, the help bot learns that this is a new question and it might be answered another day you ask it. Your questions help us understand what you need help with, so keep those legitimate questions coming even if they aren’t answered immediately. And take advantage of typing #feedback in the bot, to send us your free-form comments.

We listen to your feedback and try to incorporate it whenever possible. Let me know if you have feedback about the documentation and I also encourage you to head over to our Yammer site to see what others are discussing.

What’s new in the documentation for Azure Information Protection, February 2018

Requirements for Azure Information Protection

– Updated the Subscription for Azure Information Protection section with a tip for people looking to confirm whether their Office 365 plan or Exchange Online plan includes support for the new capabilities with Office 365 Message Encryption.

Frequently asked questions for Azure Information Protection

– New entries:

  • Do you need to be a global admin to configure Azure Information Protection, or can I delegate to oth…
  • What types of data can Azure Information Protection classify and protect?
  • Is Azure Information Protection suitable for my country?
  • How can Azure Information Protection help with GDPR?


Frequently asked questions about classification and labeling in Azure Information Protection

– New entry:

  • How do I prevent somebody from removing or changing a label?

Activating Azure Rights Management

– The main article that contains information about new tenants that have the protection service automatically activated for them. This change started to roll out to tenants towards the end of February and is expected to be complete by the beginning of March.  If your subscription was purchased during February, use the documented instructions to confirm the status. Other articles that previously stated you must manually activate the service are also updated for this change.

Preparing the environment for Azure Rights Management when you also have Active Directory Rights Man…

– New section specifically for customers with new tenants who must deactivate the Azure Rights Management service if they also have AD RMS. This article is linked to from the Azure portal and the Deployment planning checklist for Office 365.

Configuring usage rights for Azure Rights Management

– Updated the description for Save As, Export (common name) to clarify that this right is required to change or remove an Azure Information Protection label from a protected document or email. If you want to prevent people from changing an applied label, do not grant them this usage right. This article is also updated for a new section, Encrypt-Only for emails, which provides more information about this new option that is starting to roll out for Exchange Online.

Configuring super users for Azure Rights Management and discovery services or data recovery

– Updated to clarify that there is no timing dependency for when you enable or disable this feature, or when you add or remove super users.

Office 365: Configuration for clients and online services to use the Azure Rights Management service

– Updated the section for Exchange Online, with step-by-step instructions how to check if your tenant is already configured to use the new capabilities from Office 365 Message Encryption. This configuration is automatically rolling out to new tenants, so you might not have to do any configuration before you can use BYOK with Exchange Online, and send protected emails to personal email accounts such as Gmail.  The migration instructions are also updated for this change.

Configuring the Azure Information Protection policy

– Updated for a new section that explains the different admin roles you can use to edit the Azure Information protection policy. The policy instructions are also updated throughout for a minor change to the Azure hub menu.

How to create a new label for Azure Information Protection

– Updated to clarify the effect on a parent label when you create the first sublabel. If you want users in the same policy (global or scoped) to select a label that has the same settings as the parent label, create a new sublabel with the same settings.

How to configure a label for Rights Management protection

– Updated for the following:

  • The domain name option can now be used for domains that aren’t in Azure AD, which includes domains from social providers such as “” and “”.
  • Added clarifications to the Not configured and Remove Protection options, to explain that in the background, the associated protection settings are saved as an archived template.
  • For the Example configuration section, example 4 (Label for protected email that supports less restrictive permissions than Do Not Forward) is updated with a note that the new Encrypt-Only option is not available for label configuration.

How to configure a label for visual markings for Azure Information Protection

– New section, Setting different visual markings for Word, Excel, PowerPoint, and Outlook.  This new configuration is available only with the latest preview client.

How to configure conditions for automatic and recommended classification for Azure Information Prote…

– Updated with a useful link to help you define custom expressions: Perl Regular Expression Syntax from Boost.

Configuring and managing templates for Azure Information Protection

– Updated to reflect the recent change of location for the Protection templates, which used to be on the Azure Information Protection – Global policyblade, and is now located on the All – cross policy view blade.

Deploying the Azure Information Protection scanner to automatically classify and protect files

– Updated for the following:

  • The preview disclaimer is removed now that the scanner is generally available.
  • The prerequisites section is updated for information about the SQL roles and how to create the database manually, if needed. In addition, the separate download executable is listed until the current preview client becomes generally available.
  • Information about when the Azure Information Protection policy is refreshed is updated to clarify that when the scanner service starts. an updated policy is downloaded only if the local policy is older than one hour. If you are testing and need to update the policy more frequently than this one hour, delete the policy file and restart the service.
  • New section, How files are scanned by the Azure Information Protection scanner. This information steps through what happens to each file type in the data repository that you ask the scanner to inspect.

Installing the AADRM PowerShell module

– Previously titled “Installing Windows PowerShell for Azure Rights Management”, this article is updated with the new instructions how to install the module from the PowerShell Gallery. Previously, the only way to install the module was by installing the Azure Rights Management Administration Tool from the Microsoft Download Center. This tool will remain on the Download Center for a limited time. Note that the version on the PowerShell Gallery is a minor version later than the version in the tool, but there is no customer-impacting change. The minor change was to support publication on the PowerShell Gallery. The listed minimum version of PowerShell required is now version 3.0.

Azure Information Protection client: Version release history and support policy

– Updated for changes in the new preview version,

Admin Guide: Install the Azure Information Protection client for users

Updated the prerequisites section for information that the new preview client addresses the problem with the Azure Information Protection bar sometimes displaying outside Office apps.

Admin Guide: Custom configurations for the Azure Information Protection client

– New entry: Suppress the initial “Congratulations!” welcome page.

Admin Guide: File types supported by the Azure Information Protection client

– Updated the list of file types supported for classification only, for the full list of Office file types. In addition, the File sizes supported for protection section is updated with the information that the current preview client no longer has a 20 MB maximum for text-based files.

Admin Guide: Using PowerShell with the Azure Information Protection client

– New information in the section How to label files non-interactively for Azure Information Protection, which explains how to use the new Token parameter with Set-AIPAuthentication, for a completely non-interactive experience for an account. You will most likely use this parameter when you run the scanner in a production environment because it uses a service account, which might not be allowed to log in interactively.

User Guide: View and use files that have been protected by Rights Management

– Updated step 4 in the procedure with a change of behavior to Save As for the current preview client, which addresses a problem if you try to reprotect the saved file.

User Guide: Protection-only mode for the Azure Information Protection client

– Updated to include the new scenario that might be part of a controlled rollout of Azure Information Protection: “Your organization has a subscription for Azure Information Protection but you do not have any labels configured for you”.

PowerShell reference: Azure Information Protection

– This overview page for the PowerShell modules for Azure Information Protection no longer references the RMSProtection module now that this older module is out of support. Support for RMSProtection stopped February 10. Other references to this module are also removed from the documentation and any links automatically redirect to the equivalent cmdlet in the AzureInformationProtection module.


– Updated to identify the latest technical version of the module,


– The output from the example is updated to reflect the latest parameters that are typically returned.


– Updated the description for EnableInLegacyApps to clarify that this parameter has no effect for Outlook on the web that uses Exchange Online rather than Exchange on-premises. For this scenario, departmental templates (and protection settings in scoped policies for Azure Information Protection) are never displayed to users.


– Updated the list of cmdlets on the page to include all the cmdlets for the scanner, which were previously in preview.


– To reflect the latest preview client and the general availability version of the Azure Information Protection scanner, the output of this cmdlet in the example now includes Type. This parameter is set with Set-AIPScannerConfiguration, and determines whether the scanner inspects only new or modified files since the service started, or all files.



– Updated for the new Token parameter, to be used with the new preview client or the Azure Information Protection scanner. This parameter eliminates the initial sign-in prompt for Azure Information Protection.


– New cmdlet that installs with the current preview client or the Azure Information Protection.  This cmdlet lets you set configuration settings for each data repository, which includes a default label and whether to override an existing label.  In conjunction with this change, these parameters are no longer available in Set-AIPScannerConfiguration and the help for this cmdlet is updated accordingly.

Source :