Using Azure Information Protection to protect PDF’s and Adobe Acrobat Reader to view them

Disclaimer: This blog is based on public preview features which are subject to be changed.



As of October 12th, 2018, our Information Protection customers can use Adobe Acrobat Reader on Windows to open-labeled and protected PDFs (public preview). This reflects a fundamental change in the ability to enforce labels and encryption on PDFs – up until this announcement, PDFs protected by Azure Information Protection were renamed with the .pPDF file extension and could only be opened using the Azure Information Protection viewer. For more information about the new PDF protection standard, see section 7.6 Encryption from the document that is derived from ISO 32000-1 and published by Adobe Systems Incorporated.


In this blog we will cover the complete end-to-end configuration and deployment that allows your company to be able to label & protect PDFs in the new format, in addition to be able to consume them easily. We will also discuss how to enforce automatic classification on PDFs using the Azure Information Protection scanner. Lastly, we will provide a short script that will migrate an already labeled file in the pPDF format and will “re-label” it as the new PDF format.



  • Azure Information Protection client installed – version 1.37 and newer (versions 1.xx only).
  • Adobe Acrobat Reader and Azure Information Protection plugin installed, which can be downloaded from here
  • Windows 10 and previous versions through Windows 7 Service Pack 1

Service Configuration

With the current Azure Information Protection client version (1.37 and newer) by default, PDFs are protected in the Pfile format and the extension is renamed to pPDF. As the new PDF format feature is in private preview, the Information Protection admin needs to opt-in his company to be able to protect in the new format.

1. If you haven't already done so, in a new browser window, sign in to the Azure portal, and then navigate to the Azure Information Protection blade.


2. From the Classifications > Labels menu option: Select Policies.


3. On the Azure Information Protection - Policies blade, select the context menu (...) next to the policy, then select Advanced settings. You can configure advanced settings for the Global policy, as well as for scoped policies.


4. On the Advanced settings blade, type the following advanced setting name and value, and then select Save and close.


Key: EnablePDFv2Protection

Value: True



Client configuration

Disclaimer: The Adobe binaries are a preview build for showcasing Adobe Acrobat Reader integration with Microsoft Information Protection solutions and is not intended for deployment in production scenarios.

Adobe Acrobat Reader and the Azure Information Protection plugin that goes with it can be downloaded from here. The downloaded zip file contains 2 files which should be installed in this order:

  1. AcroRdrDC1900820120_en_US.exe – the Adobe Acrobat Reader application
  2. AIPPlugin1900820120_Rdr_DC.msi – The AIP plugin that allows the consumption of labeled and protected PDF’s

The installation procedure is straight-forward; no special configuration is required


Initial labeling & protection of a PDF file

1. Select a PDF file that you would like to label with protection

2. Right-click the file and select “Classify and protect”


3. Select a label that applies for protection on the PDF file


4. Click “Apply” and notice that once the process completes, the PDF file extension remain the same and doesn’t change.


Initial open and view of protected PDF file

1. Double click on the protected PDF file to open it in Adobe Acrobat Reader

2. Initially, when you open the protected PDF file you will be prompted for your Microsoft account credentials. After successful authentication you will be prompt if you to stay “sign in” to avoid re-authentication process when the next file is opened:


3. Once the protected file is consumed you will be able to see the small “lock” icon on the left pane, this indicate the file is protected.


4. Clicking on this Icon will show the protection information on the current consumed PDF.


5. Clicking on “Permission Detail” will open the “Document Properties” window that will show more information on the protection rights.



Configure Azure Information Protection scanner to enable protection of PDF files

By default, the Azure Information Protection scanner applies protection on Office files only. In order to enable the scanner to protect PDF files as well, you need to set a registry change for the Scanner File API.


Create the following registry:


Type: String

Name: Encryption

Data: Native



Apply automatic labels and protection on PDF files

Now, once your policy and your scanner is configured to properly protect PDFs using the new native Adobe format, all that you need to do is to apply your policy labels to your files. You can do that either manually or automatically. Yes, PDFs (which contain text that is not an image) can be inspected and labeled automatically based on the conditions that are configured in your policy.


You can perform the inspection manually by using the Set-AIPFileClassification cmdlet or by running the Azure Information Protection scanner with -enforce on parameter. The PDF extension will remain the same and will be available in the new format.


How to convert existing pPDF files to protected PDF files

When the Azure Information Protection client has downloaded the client policy with the new setting, you can use PowerShell commands to convert existing .ppdf files to protected .pdf files that use the ISO standard for PDF encryption.


To use the following instructions for files that you didn't protect yourself, you must have a Rights Management usage right to remove protection from files or be a super user. To enable the super user feature and configure your account to be a super user, see Configuring super users for Azure Rights Management and Discovery Services or Data Recovery.


In addition, when you use these instructions for files that you didn't protect yourself, you become the RMS Issuer. In this scenario, the user who originally protected the document can no longer track and revoke it. If users need to track and revoke their protected PDF documents, ask them to manually remove and then reapply the label by using File Explorer, right-click.

Please note that this solution can’t be used with files that have been protected with “Custom Permissions”.


$filename = "filename.ppdf"
$FileStatus = Get-AIPFileStatus -Path $filename
if ($FileStatus.IsRMSProtected) ##Check if file is protected
        if ($FileStatus.IsLabeled) ##Check if file is labeled
                Set-AIPFileLabel -path $filename -RemoveLabel -JustificationMessage 'Removing .ppdf protection to replace with .pdf ISO standard'
                if ($FileStatus.SubLabelId -eq "") {Set-AIPFileLabel $filename -LabelId $FileStatus.MainLabelId}
                else {Set-AIPFileLabel -path $filename -LabelId $FileStatus.SubLabelId}
                #reprotect if file is not labeled
                Unprotect-RMSFile -File $filename
                Protect-RMSFile -File $filename -TemplateID $FileStatus.RMSTemplateId -InPlace
        #File is not labeled or protected
        Write-Output ("File is not labeled or protected")


Additional Information


Leave a comment with any thoughts or feedback!




Frequent Visitor

thanks for this post I have a question 

some users when I try to open protected PDF with the new plugin it isn't asking them for any credential so the document will not be opened 

I m using Azure information protection 

please advice 


 @Karim Zaki - Please raise a support ticket from Azure Portal to get this one investigated