AIP Client Authentication Prompt

Copper Contributor

Hey guys,

 

We just installed Azure Information Protection Client in our environment. We are using onPremise AD with PTA and seamless SSO. Everything is working great except the onetime Authentication prompt to AIP, when starting an Office app. We just have to supply the username and the rest is working automatically.

 

2020-04-23 15_56_52-SHD-MGT-01.shared.oym-its.ch - Remotedesktopverbindung - __Remote.png

 

I have read through the documentation but could not find a hint.

All other services such as portal.office.com are working without any prompts, so seamless SSO is clearly not the problem.

 

Thank you very much for your help!

8 Replies

@Reto Gobat 

 

Are the AIP IP addresses being allowed through your firewall?

 

The Azure Information Protection service also depends on two specific IP addresses:

  • 13.107.6.181
  • 13.107.9.181

 

As per - https://docs.microsoft.com/en-us/azure/information-protection/requirements

 

Seamless SSO it client-dependent, not every application support it. Some apps deliberately provide you with a prompt, to address scenarios where you might be using more than one id/tenant.

 

That said I'm not sure whether this is "expected" with the AIP client, might be a good uservoice suggestion if not 🙂

@PeterRising 

Thanks for the tip. Yeah these IP adresses are allowed.

 

@VasilMichev 

Thanks, any idea where to check if it is an "exptected" behavior :)?

@Reto Gobat 

 

Just to clarify, does this happen every time you open an Office client app such as Word or Excel?  If so, then I don't believe this is expected behaviour.

No it is just happening the first time for every user.

@Reto Gobat 

 

Ah, that would be expected the first time in my opinion. 

@Reto Gobat Few tips on this:

 

- Is the Information Protection app triggered in any Conditional Access rule? Take a look a that. 

- try adding *.Protection.Outlook.com to your list of trusted sites (or intranet zone) 

@JanBakkerOrphaned 

Thank you for you reply.

 

- No AIP ist not part of any Conditional Access Policies

- Unfortunately adding *.protection.outlook.com does not help