Forum Discussion
On-Prem AIP for DLP
- Jun 27, 2018
"We are fully on-prem for all servers and cannot entertain the idea of any cloud services"
That means you can't use Azure Information Protection because it's this service that delivers labels for classification (and protection). You can use Azure Information Protection with Exchange on-premises, by using the Rights Management connector (no need for AD RMS). For encryption, if you have to use a key that's isolated from the cloud (usually for regulatory requirements), there's the HYOK (bring your own key) option, which does require you to install and configure AD RMS - but you still need Azure Information Protection for the labels.
More information about these:
Thanks Carol,
If I look here: https://docs.microsoft.com/en-us/azure/information-protection/get-started/faqs#does-azure-information-protection-support-on-premises-and-hybrid-scenarios
it states that "it can classify, label, and protect documents and emails that are stored on-premises".
Not to add to my confusion, but you have said "you can't use Azure Information Protection because it's this service that delivers labels for classification", which contradicts the above MS link? You then go on to say I can use AIP with RMC?
I am super confused at the moment! :)
My ultimate goal here is purely DLP and utilizing the labeling feature within Outlook, Word and SharePoint etc. to label our documents and data accordingly. With this metadata, I can then configure Exchange to catch and action data leaving the company.
Out of the box, the AIP client works perfectly except it complains about the user not being connected to the mothership. Is it possible to have this configured so we don't get the "you need to sign into the Azure Information Protection service" error in Office apps?
Will installing either AD-RMS or the RMC help?
Many thanks,
J
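The DLP goal described in the post above (use the label metadata to make Exchange act on data leaving the company) can be expressed as an Exchange transport rule. The following is an added example written for this thread, not code from the original discussion or from Microsoft. It assumes an on-premises Exchange Management Shell, that the AIP client stamps outgoing mail with the `msip_labels` header (which carries the label GUID and name), and uses a placeholder GUID and an assumed label name "Confidential" that must be replaced with the real values from the Azure portal label properties.

```powershell
# Added example (not from the thread): on-premises Exchange transport rules that
# enforce DLP on email the AIP client has labeled. The client writes a header
# named "msip_labels" whose value looks like:
#   MSIP_Label_<guid>_Enabled=true; MSIP_Label_<guid>_Name=Confidential; ...
# Matching on the GUID token ties the rule to one specific label rather than to
# free text that a user could type into a subject line.
# Run from the Exchange Management Shell.

$LabelName = 'Confidential'                           # assumed label name
$LabelGuid = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: copy the real GUID from the Azure portal

# Regex applied to the raw header value; the GUID's hyphens are literal in regex.
$LabelPattern = "MSIP_Label_${LabelGuid}_Enabled=true"

# 1. Audit-only rule: deploy this first so you can confirm the label header is
#    actually present and the predicate matches before anything is blocked.
New-TransportRule -Name "DLP audit - external mail labeled $LabelName" `
    -HeaderMatchesMessageHeader 'msip_labels' `
    -HeaderMatchesPatterns $LabelPattern `
    -SentToScope NotInOrganization `
    -GenerateIncidentReport 'dlp-alerts@example.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -Mode Audit `
    -Comments 'Added example: AIP label metadata drives on-premises Exchange DLP (audit).'

# 2. Enforcing rule: reject external delivery of mail carrying the label, with a
#    reason the sender sees in the NDR.
New-TransportRule -Name "DLP block - external mail labeled $LabelName" `
    -HeaderMatchesMessageHeader 'msip_labels' `
    -HeaderMatchesPatterns $LabelPattern `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Messages labeled $LabelName cannot be sent outside the organization." `
    -Mode Enforce `
    -Comments 'Added example: AIP label metadata drives on-premises Exchange DLP (enforce).'

# 3. Verify both rules and inspect their predicates.
Get-TransportRule |
    Where-Object { $_.Name -like "DLP * - external mail labeled $LabelName" } |
    Format-List Name, State, Mode, HeaderMatchesMessageHeader, HeaderMatchesPatterns, SentToScope
```

Run the audit rule for a while and read the incident reports before switching on the enforcing rule; the header is only present when the client actually applied a label, so mail that was never labeled passes both rules untouched.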
- Carol Bailey, Jun 27, 2018
Microsoft
Why do you think the FAQ link contradicts what I said? The labels are stored in Azure, you configure them in Azure and they download to clients. But the documents and emails that you label don't have to be in Azure (is this the confusion?) and you can use the protection service with on-premises servers (Exchange, SharePoint, and file servers).
How have you configured your labels at the moment if you can't use a cloud service? Are you using the demo policy that installs by default?
- James Vink, Jun 27, 2018, Copper Contributor
Ahhh, ok. That's a little clearer.
Yes, I am using the default test policy and thought that the labels were all distributed via GPO.
So, hypothetically speaking we'd be looking at configuring this with AD Connect along with the rights management connector?
- Carol Bailey, Jun 27, 2018
Microsoft
Yes, for users to be authenticated so they can then download the labels that you configure, install and configure AD Connect. You configure the labels from the Azure portal, using any number of labels (create scoped policies if you want users to have specific labels), using your choice of classification names, any color, specifying whatever header/footer/watermark you want etc.
You can configure clients to be offline, but it's not a sustainable solution and won't offer the best user experience: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations#support-for-disconnected-computers
Only if you need documents and emails to be protected (as well as classified) do you need the RMS connector for your on-premises servers - for example so users can apply a label in Outlook that classifies and protects right from the client. You can always add the protection piece later.