Azure Information Protection unified administration now in Preview
First published on CloudBlogs on Apr 26, 2017
Hi everyone, and welcome to an important post for those of you who work with the configuration of Azure Information Protection (AIP). As you may already know, for historical reasons AIP configuration is currently spread across both the Azure management portals. This is because the protection part of AIP (the encryption, formerly known as Azure RMS) lives in the classic portal, while the Classification and Labelling part lives in the new portal.
Well, today that all changes! We are excited to release into Preview the new unified administrative experience, which brings the Protection configuration (you will know this as Azure RMS templates) into the AIP configuration. This is the first step in our move to a label-centric model.
So what does this mean to you?
From an admin perspective, we have unified access to all configuration into a single location to define your classification taxonomy, labels and any specific actions, including protection.
When you log into the portal and open a label, you will see that we have added an option to set Protection permissions on the label (which also means sub-labels, for brevity we will just say “labels”):
Once you choose the option you can define the same settings that were previously in the classic portal, including content expiration, offline access policy, users/groups and their rights. In the example below, we are giving the Big Wigs group, and Bonnie as a specific user, the Co-Owner rights.
You can also optionally provide “
” within your organization rights:
If you wish to collaborate on protected content with people outside your organization, you can use the custom or external option to add users (e.g. firstname.lastname@example.org), groups (e.g. email@example.com) or entire organizations (@contoso.com):
Once the settings are configured and saved, the AIP service creates Protection templates in the background. We still create these templates to preserve backward compatibility for applications that use RMS templates without requiring any updates to adopt labels.
A note on templates: The AIP client refreshes templates that are associated with labels, and this refresh happens whenever you relaunch the client. For users without the AIP client (i.e. just using RMS), these templates refresh on a regular basis; the default is 7 days, but you can tune this.
A few questions you may have
I don’t see all the options that are available on the classic portal, where are they?
In this Preview we enable only creation of new templates as settings on the label. Management of existing templates via the Azure portal will come with the next Preview release expected late May.
Can I continue to manage templates created via the Azure portal using the classic portal?
Yes, but we don’t recommend that you archive or delete these templates through the classic portal or using PowerShell. If you want to remove them, you should first disable protection on the relevant label and then remove the templates.
How can I create scoped templates?
You should create scoped policies and create a label scoped to the relevant group. Any template created as a configuration on a label will be scoped to the same audience. Note: Only e-mail enabled groups and users can be used for scoped templates.
We know this can be a lot to absorb, and we are here to help! Engage with us on
or send us an e-mail to
Dan Plastina on behalf of our enthusiastic Azure IP team.
It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail.
What are you waiting for? Get to it!