SOLVED

Azure Information Protection License

%3CLINGO-SUB%20id%3D%22lingo-sub-237145%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Information%20Protection%20License%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-237145%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20you%20discovered%2C%20the%20Azure%20Information%20Protection%20client%20doesn't%20do%20license%20enforcement.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20prevent%20a%20computer%20without%20an%20%3CSPAN%3EAzure%20Information%20Protection%3C%2FSPAN%3E%20license%20from%20displaying%20labels%2C%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-policy%23subscription-support%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-policy%23subscription-support%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ETo%20prevent%20a%20%3C%2FSPAN%3E%3CSPAN%3Ecomputer%20%3C%2FSPAN%3E%3CSPAN%3Ewithout%20an%20%3C%2FSPAN%3E%3CSPAN%3EAzure%26nbsp%3BRights%20Management%3C%2FSPAN%3E%3CSPAN%3E%20license%20from%20displaying%20protection%20templates%2C%26nbsp%3Buse%20onboarding%20controls%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Factivate-service%23configuring-onboarding-controls-for-a-phased-deployment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Factivate-service%23configuring-onboarding-controls-for-a-phased-deployment%3C%2FA%3E.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-801960%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Information%20Protection%20License%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-801960%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F98839%22%20target%3D%22_blank%22%3E%40Carol%20Bailey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3ETo%20use%20unified%20client%2C%20do%20we%20need%20to%20enable%20unified%20labeling%20in%20AIP%3F%3C%2FDIV%3E%3CDIV%3EIf%20yes%20then%20why%3F%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EBecause%20even%20if%20it%20is%20not%20activated%2C%20we%20can%20still%20the%20UL%20client.%3C%2FDIV%3E%3CDIV%3EThe%20clarification%20would%20be%20helpful%26nbsp%3B%20for%20our%20testing%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-802523%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Information%20Protection%20License%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-802523%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F382225%22%20target%3D%22_blank%22%3E%40thesmilingguru%3C%2FA%3EThe%20unified%20labeling%20client%20get%20its%20configuration%20from%20the%20Office%20365%20portal%20(Security%20%26amp%3B%20Compliance)%20or%20the%20Microsoft%20365%20Security%2FMicrosoft%20365%20Compliance%20portal.%20This%20doesn't%20neccessarily%20mean%20you%20have%20to%20%22activate%22%20unified%20labeling%2C%20but%20it%20means%20the%20configuration%20you%20have%20(if%20any)%20in%20the%20Azure%20Portal%20(under%20Azure%20Information%20Protection)%20will%20not%20be%20available%20for%20your%20UL%20client.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20to%20use%20the%20UL%20client%2C%20you%20need%20to%20have%20labels%20defined%20in%20the%20Office%20365%2FM365%20portal%2C%20either%20because%20you%20have%20created%20them%20there%2C%20or%20because%20you%20have%20activated%20unified%20labeling%2C%20and%20published%20the%20%22synchronised%22%20labels%20there.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-236583%22%20slang%3D%22en-US%22%3EAzure%20Information%20Protection%20License%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-236583%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20Azure%20RMS%20enabled%20in%20my%20environment.%20I%20also%20have%20a%20few%20AIP%20licenses.%20So%20I%20created%20a%20few%20labels%2C%20some%20of%20these%20labels%20have%20protection%20enabled.%20I%20created%20a%20new%20user%2C%20UNLICENSED.%20I%20opened%20Microsoft%20Word%2C%20authenticated%20the%20AIP%20client%20with%20this%20UNLICENSED%20user.%20I%20see%20the%20labels%20and%20I%20am%20able%20to%20apply%20a%20protection%20label%20with%20an%20UNLICENSED%20user.%20I%20would%20like%20to%20know%20why%20is%20it%20that%20an%20UNLICENSED%20user%20is%20able%20to%20apply%20a%20protection%20label%20to%20a%20document%3F%20I%20cannot%20seem%20to%20find%20out%20any%20reason%20why%20is%20it%20that%20an%20unlicensed%20user%20is%20able%20to%20apply%20a%20label.%20I%20am%20hoping%20someone%20will%20be%20able%20to%20clarify%20that.%20Thanks%20in%20advance%20for%20any%20answers.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-236583%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%20%26amp%3B%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERights%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

I have Azure RMS enabled in my environment. I also have a few AIP licenses. So I created a few labels, some of these labels have protection enabled. I created a new user, UNLICENSED. I opened Microsoft Word, authenticated the AIP client with this UNLICENSED user. I see the labels and I am able to apply a protection label with an UNLICENSED user. I would like to know why is it that an UNLICENSED user is able to apply a protection label to a document? I cannot seem to find out any reason why is it that an unlicensed user is able to apply a label. I am hoping someone will be able to clarify that. Thanks in advance for any answers.

3 Replies
best response confirmed by Wayne K (New Contributor)
Solution

As you discovered, the Azure Information Protection client doesn't do license enforcement.

 

To prevent a computer without an Azure Information Protection license from displaying labels, see https://docs.microsoft.com/en-us/azure/information-protection/configure-policy#subscription-support.

 

To prevent a computer without an Azure Rights Management license from displaying protection templates, use onboarding controls: https://docs.microsoft.com/en-us/azure/information-protection/activate-service#configuring-onboardin....

@Carol Bailey 

To use unified client, do we need to enable unified labeling in AIP?
If yes then why?
 
Because even if it is not activated, we can still the UL client.
The clarification would be helpful  for our testing

@thesmilingguruThe unified labeling client get its configuration from the Office 365 portal (Security & Compliance) or the Microsoft 365 Security/Microsoft 365 Compliance portal. This doesn't neccessarily mean you have to "activate" unified labeling, but it means the configuration you have (if any) in the Azure Portal (under Azure Information Protection) will not be available for your UL client.

 

So, to use the UL client, you need to have labels defined in the Office 365/M365 portal, either because you have created them there, or because you have activated unified labeling, and published the "synchronised" labels there.