Using Azure Information Protection to protect PDFs and Adobe Acrobat Reader to view them
Published Nov 07 2018 01:50 AM 71.2K Views
Microsoft

 

Overview

As of October 12th, 2018, our Information Protection customers can use Adobe Acrobat Reader on Windows to open labeled and protected PDFs. This reflects a fundamental change in the ability to enforce labels and encryption on PDFs: up until this announcement, PDFs protected by Azure Information Protection were renamed with the .pPDF file extension and could only be opened using the Azure Information Protection viewer. For more information about the new PDF protection standard, see section 7.6, Encryption, of the document that is derived from ISO 32000-1 and published by Adobe Systems Incorporated.

 

In this blog we will cover the complete end-to-end configuration and deployment that allows your company to label and protect PDFs in the new format, and to consume them easily. We will also discuss how to enforce automatic classification on PDFs using the Azure Information Protection scanner. Lastly, we will provide a short script that migrates an already labeled file in the pPDF format and “re-labels” it in the new PDF format.


Prerequisites

  • Azure Information Protection client installed – version 1.37 and newer (versions 1.xx only).
  • Adobe Acrobat Reader and Azure Information Protection plugin installed, which can be downloaded from here
  • Windows 10 and previous versions through Windows 7 Service Pack 1

Service Configuration

With Azure Information Protection client version 1.41 and newer, AIP is configured by default to protect PDFs in the new format. If you use version 1.37, PDFs are by default protected in the Pfile format and the extension is renamed to pPDF. As the new PDF format feature is in private preview, the Information Protection admin needs to opt the company in to be able to protect in the new format.

1. If you haven't already done so, in a new browser window, sign in to the Azure portal, and then navigate to the Azure Information Protection blade.

 

2. From the Classifications > Labels menu option: Select Policies.


3. On the Azure Information Protection - Policies blade, select the context menu (...) next to the policy, then select Advanced settings. You can configure advanced settings for the Global policy, as well as for scoped policies.


4. On the Advanced settings blade, type the following advanced setting name and value, and then select Save and close.

 

Key: EnablePDFv2Protection

Value: True

 


Client configuration

Adobe Acrobat Reader and the Azure Information Protection plugin that goes with it can be downloaded from here

The installation procedure is straightforward; no special configuration is required.

 

Initial labeling & protection of a PDF file

1. Select a PDF file that you would like to label with protection

2. Right-click the file and select “Classify and protect”


3. Select a label that applies for protection on the PDF file


4. Click “Apply” and notice that once the process completes, the PDF file extension remains the same.

 

Initial open and view of protected PDF file

1. Double click on the protected PDF file to open it in Adobe Acrobat Reader

2. The first time you open a protected PDF file, you will be prompted for your Microsoft account credentials. After successful authentication, you will be asked whether to stay signed in, to avoid re-authenticating when the next file is opened.

3. Once the protected file is opened, you will see a small “lock” icon on the left pane; this indicates that the file is protected.

4. Clicking this icon shows the protection information for the PDF that is currently open.

5. Clicking on “Permission Detail” will open the “Document Properties” window that will show more information on the protection rights.

 

Viewing the label ribbon when PDF is labeled or labeled and protected

To view the label ribbon in the Acrobat Reader interface, update or create the following registry entry on your computer:

 

Computer\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP

Create a DWORD value named bShowDMB with a hexadecimal value of 1.

Figure 3: Label Banner in the Adobe Reader after the Registry update

 

This enables the label ribbon within the Acrobat interface.
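One way to set the registry value described above from PowerShell, for example in a logon script. This is an added example, not part of the original article; it creates the key if it is missing and reads the value back to confirm its type and data.

```powershell
# Added example, not part of the original article.
# Key path and value name are the ones given above. The key is per-user (HKCU),
# so run this in the context of the user who opens the PDFs.
$keyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP'
$valueName = 'bShowDMB'

# Create the key (and any missing parent keys) if it does not exist yet.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# -Force creates the value or overwrites an existing one, including a value
# that was previously created with the wrong type (e.g. a string "1").
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force |
    Out-Null

# Read the value back and show both its registry type and its data.
$key = Get-Item -Path $keyPath
[pscustomobject]@{
    Key   = $keyPath
    Name  = $valueName
    Kind  = $key.GetValueKind($valueName)   # expected: DWord
    Value = $key.GetValue($valueName)       # expected: 1
}
```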

 

 

Apply automatic labels and protection on PDF files

Once your policy and your scanner are configured to protect PDFs using the new native Adobe format, all that you need to do is apply your policy labels to your files. You can do that either manually or automatically. PDFs that contain actual text (not just an image of text) can be inspected and labeled automatically based on the conditions that are configured in your policy.

 

You can perform the inspection manually by using the Set-AIPFileClassification cmdlet, or by running the Azure Information Protection scanner with the -Enforce On parameter. The PDF extension will remain the same and the file will be in the new format.
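A sketch of the manual route that also checks the result, as an added example that is not part of the original article. It runs Set-AIPFileClassification over a folder, then flags any file that ended up in the legacy .ppdf format and reports label and protection state with Get-AIPFileStatus (a cmdlet from the same AIP client module, not mentioned above). The folder path is a hypothetical placeholder.

```powershell
# Added example, not part of the original article.
# $Folder is a hypothetical path; requires the AIP client's PowerShell module.
$Folder = 'C:\Temp\PdfDrop'

# Inspect the files and apply labels according to the conditions in the policy.
Set-AIPFileClassification -Path $Folder | Out-Null

# Enumerate after classification so that any renamed files are picked up.
$files = Get-ChildItem -Path $Folder -Recurse -File

# Legacy-format protection renames the file to .ppdf, which can only be opened
# in the AIP viewer; any hit here means the old format was used for that file.
$legacy = $files | Where-Object { $_.Extension -eq '.ppdf' }

# For files that kept the .pdf extension, report label and protection state.
$report = $files | Where-Object { $_.Extension -eq '.pdf' } | ForEach-Object {
    Get-AIPFileStatus -Path $_.FullName |
        Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected
}

$report | Format-Table -AutoSize

if ($legacy) {
    Write-Warning "$(@($legacy).Count) file(s) were protected in the legacy .ppdf format:"
    $legacy.FullName
}
```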

 

 

Additional Information

 

Leave a comment with any thoughts or feedback!

 

 

 

39 Comments
Copper Contributor

thanks for this post I have a question 

some users when I try to open protected PDF with the new plugin it isn't asking them for any credential so the document will not be opened 

I'm using Azure information protection 

please advise 

Microsoft

 @Karim Zaki - Please raise a support ticket from Azure Portal to get this one investigated

Brass Contributor

I've set EnablePDFv2Protection to True in the Global Policy, and I have confirmed the setting is being used according to the following log file:

C:\Users\[Username]\AppData\Local\Microsoft\MSIP\Logs\MSIPApp.iplog

 

When I use the GUI to "Classify and Protect" a PDF file the .pdf extension is retained - good!

However, when I use the Protect-RMSFile command to protect a file the v2 protection is not used and the extension is changed to .ppdf (bad):

PS C:\Temp> Protect-RMSFile -File "C:\Temp\test.pdf" -TemplateID "[GUID of Template]" -InPlace

InputFile EncryptedFile 
--------- ------------- 
C:\Temp\test.pdf C:\Temp\test.ppdf

 

Have I missed something?

 

Microsoft

@Stephen Crowther - This functionality is available today using AIP cmdlets like - "Set-AIPFileLabel"

Brass Contributor

@Nir Hendler- So the section in the script included in the article above, commented with "#reprotect if file is not labeled" does not remove .ppdf protection to replace it with .pdf ISO standard? Rather, it just uses the same protection? That script section is using Protect-RMSFile not Set-AIPFileLabel.

Microsoft

@Stephen Crowther - thank you for the comment. After re-verifying the script it is required for the file to be labeled and doing this using the "Set-AIPFileLabel" cmdlet. Therefore, I had decided to remove this section as there is only one way to perform this which is to remove the label and re-apply it.

Brass Contributor

@Nir Hendler- thank you for the confirmation, I'm now re-working my scripting to use labels instead of protection templates.

Brass Contributor

@Nir Hendler- thank you for your responses, unfortunately I'm not able to get custom labels which use protection to work reliably, and I will have to keep using protection templates and the Protect-RMSFile cmdlet without support for Adobe Acrobat Reader. The error "Protection template not found" occurs consistently when protection is used with labels, either via PowerShell or using the AIP client directly. Applying custom labels without protection works flawlessly. I hope I can use this option in the future, our users would much prefer to use Adobe Acrobat Reader to view our encrypted files.

 

Cheers.

Copper Contributor

Hello,

 

I'm having same issue as Stephen.  I'm using client 1.45.51.0, EnablePDFv2Protection is set to True in the global policy.  When I right click > classify and protect > click the label this keeps the file as .pdf and works in Adobe Reader.  If I try to protect using PowerShell cmdlet Protect-RMSFile or Set-AIPFileLabel they both result in the file being converted to a .ppdf file which can't be opened by Adobe.

 

Unfortunately we need it to work in Adobe Reader because we are trying to create a file share that users can drop files into that will automatically protect the document.

 

Any ideas what could be causing this issue?

 

Thanks,

 

 

Microsoft

@Tim_Lehman - Set-AIPFileLabel by default works with the new PDFv2. No need to enable "EnablePDFv2Protection =true" for this one. Please verify you don't have any scoped policy for the user that has "EnablePDFv2Protection=false" configured. If not, then this is an unexpected behavior and I recommend you raise a support ticket to get this investigated.

Copper Contributor

@Nir Hendler 

 

Edit: So works fine in regular PowerShell.  When run in ISE it converts it to a .ppdf.  I think it will be fine when the script actually runs, it will call PowerShell.  Any idea what would cause this behavior though?

 

We only have the global policy at the moment.  It appears to be working today?   I removed the EnablePDFv2Protection = True setting, tried the command again and is working as intended now.  Not sure what happened, EnablePDFv2Protection wasn't there to begin with and didn't work so I don't know if adding then removing caused some sort of sync?  Anyway working now appreciate the help.

 

Thanks,

Copper Contributor

@Nir Hendler - The label ribbon within the Acrobat DC Reader interface is not being displayed after setting the bShowDMB registry key. Adobe is reporting that the document is being protected with Microsoft AIP however. Thoughts?

 

 

 

 

Microsoft

@montgomeryplattner If this doesn't work for you I recommend you open a support ticket with Adobe or check your implementation. I just verified this on my end and it's working as expected with the documented registry.

Brass Contributor

@Nir Hendler 

What does this look like with the Unified Labeling client and O365 compliance center? 

Microsoft

@AndrePKI  - When using Unified Labeling client this is enabled by default and no additional configuration is needed

Copper Contributor

@Nir Hendler Any idea when the options "Export" or "Save as" from a Word document will generate a PDF with the label selected from the bar in Word and the watermark?

I have a customer with another label solution (ICT) and that solution has an Office plug-in. When a user does "save as" to PDF it automatically prompts the user to insert a label, adds the watermark and generates a PDF with the label and watermark

 

With AIP it's not possible...

Microsoft

@Rubenreis - this is a feature that we will consider in the future as part of the built-in labeling capability in Office 365. No add-in will be needed.

Copper Contributor

Can this be used to encrypt PDFs with DRM that allows only specific external users to view the file, e.g. for distributing licensed training materials?

Microsoft

@Joe Carroll - Yes. They need a client that is able to consume the protected file and authenticate them.

As described here: https://docs.microsoft.com/bs-cyrl-ba/azure/information-protection/rms-client/protected-pdf-readers

Copper Contributor

Thanks for the swift response, @Nir Hendler. That's what I thought, and I have already downloaded and installed the readers and plugins for testing. What's a little unclear is how an end user (as opposed to an admin) can manage the rights for a given PDF. How do I specify the restricted external audience on a per-file basis? Is there an easy way to manually add that protection to a PDF in a web browser, say, from within SharePoint? Some of the users who would need that functionality use Macs, so a Windows-only tool won't work for them.

Microsoft

@Joe Carroll At the moment this functionality to apply labels and protection to PDF's is Windows based only.

You can suggest this feature at aka.ms/mip/uservoice 

Copper Contributor

Ah, that's a pity, @Nir Hendler . Thanks for confirming. I was hoping that since this article was published over 1.5 years ago that this functionality would have become available for more than just Windows. I'll certainly add or up-vote that feature request.
Is it currently possible that a label can be applied via Power Automate and/or SharePoint in O365, which could achieve the same thing, but with less control by the end user, requiring an admin to manage labels and groups with B2B guest users in Azure AD?

Microsoft

@Joe Carroll We are working to add PDF support for SPO auto-label feature but that's not supported yet.

Copper Contributor

@Nir Hendler  Is there a way to do this via a logic app? Or via putting it on azure files share (or o365 onedrive / sharepoint).. then configuring the Azure Scanner in Office 365 to do this ? (ie protect a document thats in the cloud without an on prem machine ?)

Microsoft

@GlennDPC - We are working to support auto-labeling in SPO/OD with PDF files as well. This is a roadmap item with no specific ETA

Copper Contributor

@Nir Hendler  So just to be clear because I need to deliver a solution ASAP, there is NO way to do this .. other than via the Client application? There's no logic app connector.. or have it done by the Azure scanner? 

 

I do understand that it is under development. 

Microsoft

@GlennDPC you are correct

Copper Contributor

Hi guys,

 

I've attempted to implement the same Adobe registry change as indicated above, which hasn't worked for me either.

 

I'm using Windows 10, with the Unified Labelling Client and Adobe Reader DC version 2020.009.20063

 

Does anyone have any ideas for what I can try or has anyone managed to implement this change successfully?

 

Many thanks.

Microsoft

@CaptainChaos - Please open a ticket with Adobe for further troubleshooting.

Copper Contributor

Hi all,

 

Just wanted to post back on here to confirm that this issue is now resolved.  It appears to have been related to incorrect cached user credentials, which were cleared from Adobe Reader as follows:

  1. Open Adobe Reader DC
  2. Click 'Edit'
  3. Select 'Preferences'
  4. In the 'Categories' list, locate 'Security'
  5. Under Microsoft Azure Information Protection, click 'Clear remembered account information...'

This then allowed me to re-enter my Microsoft account details for the tenancy relevant to the one used for applying the label in the first instance.

 

Some other information:

Adobe Reader DC version: 2020.009.20065

Adobe Microsoft AIP plug-in: 20.9.20063.381938

Microsoft Unified Labelling Client: 2.6.111.0

 

Registry entries:

Computer\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP

eEnableLogging: DWORD HEX value 1

bSaveCredentials: DWORD HEX value 1

bShowDMB: DWORD HEX value 1

 

Also to add, all Classification labels were created using Microsoft Security & Compliance Centre and not migrated/imported from Azure Information Protection (blade).

 

The Adobe blue ribbon bar appears when opening AIP labelled (only) documents and shows the assigned classification.

The Adobe blue ribbon bar appears when opening AIP labelled and protected documents, shows the assigned classification along with a padlock symbol that displays the rights applied to the specific file.

 

Hopefully this is of use to others.

Brass Contributor

In a PDF labeled / protected file, do I have, similar to the Office files, a PDF file property available that indicates the label of the PDF?

I would like to use this label for DLP (warnings, blocking, ….).

Or is there anything else in the file's metadata that I can use for filtering?

Thanks,
Franck

Microsoft

@Franck Marteaux - PDF's are labeled with customer properties as well. This is visible when you open the document from Adobe Acrobat Reader.

 


Brass Contributor

thanks @Nir Hendler I do not see this in my document. Could this be a localization problem?

[Image: no AIP properties]

[Image: shows the PDF is AIP protected]

Brass Contributor

I just did some tests,

When I use a label without protection, I can see the AIP properties in the PDF.

When I initially use a label with protection, I can not see the AIP properties in the PDF.

When I change the label from a label without protection to a label with protection, the AIP properties for the label without protection remain in the PDF. However the PDF has the new label, which I can see in the Windows Explorer right click.

 

Could you please check this behaviour on your site.


Thanks,

Franck

 

 

 

Microsoft

Hey @Franck Marteaux  - Please open a support ticket with Adobe to address this concern as they are the vendor of the app you are using to read these properties.

Copper Contributor

I cannot open protected PDF files from Teams 

Silver Contributor

@Nir Hendler this article is over 2 years old, have there been any substantial changes to the options for labeling PDFs?

Copper Contributor

@Nir Hendler  Can you please share step by step document to have complete AIP in place for scanning and labeling for documents (pdf/docx/png,jpg/xlsx/pptx/etc..) stored on Azure Blob

Microsoft

@Manoj_Patil - AIP allows for scanning and labeling documents on your local desktop. If you want to scan and label files in Azure Blob storage, I recommend that you use our new data governance solution, Azure Purview. Azure Purview allows you to discover and classify structured and unstructured data in Azure and third-party clouds such as AWS and GCP. For more information about Azure Purview, please visit this link --> Introduction to Azure Purview (preview) - Azure Purview | Microsoft Docs

Version history
Last update: May 11 2021 01:58 PM