On-Prem AIP for DLP

Occasional Contributor

I am looking into introducing DLP policies and during the learning process I have come to learn about AIP.

The AIP integration with Office is really slick and I love the labeling feature. I'm looking to progress down this route and use Exchange DLP rules to trigger based on the attachment's custom properties ("Sensitivity: Confidential" etc.), but I'm getting a little lost in the documentation as far as what's possible within a fully on-prem environment.

At first glance, I read "Azure" and assumed it's not possible, but after reading through a few posts, there are many hints that it's possible to utilize certain features such as the labeling of documents and mail. But you won't have the ability to revoke federated access, which in our scenario is fine, because we are looking to block it ever leaving the business via our DLP rules in Exchange.


Do I need to configure AD RMS, the Azure connector, or both?

I've read that I need the connector so all of our on-prem servers have the required connectivity among themselves for AIP, and have also read that it requires an AD RMS server? I'm confused because I thought AIP was replacing AD RMS, and that the connector is a gateway for Azure (cloud).


What do i need to do to utilize the AIP labeling feature without the "You need to sign in to the Azure Information Protection service" warning pop up when opening office applications?


We are fully on-prem for all servers and cannot entertain the idea of any cloud services.


Many thanks guys.


5 Replies

"We are fully on-prem for all servers and cannot entertain the idea of any cloud services"


That means you can't use Azure Information Protection because it's this service that delivers labels for classification (and protection).  You can use Azure Information Protection with Exchange on-premises, by using the Rights Management connector (no need for AD RMS). For encryption, if you have to use a key that's isolated from the cloud (usually for regulatory requirements), there's the HYOK (bring your own key) option, which does require you to install and configure AD RMS - but you still need Azure Information Protection for the labels.


More information about these:

Thanks Carol,

If I look here

it states that "it can classify, label, and protect documents and emails that are stored on-premises"


Not to add to my confusion here, but you have said "you can't use Azure Information Protection because it's this service that delivers labels for classification", which contradicts the above MS link? You then go on to say I can use AIP with the RMC?

I am super confused at the moment! :)


My ultimate goal here is purely DLP and utilizing the labeling feature within Outlook, Word and SharePoint etc. to label our documents and data accordingly. With this metadata, I can then configure Exchange to catch and action data leaving the company.


Out of the box, the AIP client works perfectly except it complains about the user not being connected to the mothership. Is it possible to have this configured so we don't get the "You need to sign in to the Azure Information Protection service" error in Office apps?


Will installing either AD RMS or the RMC help?


Many thanks,
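The Exchange side of the plan described in this thread (a transport rule that fires on the attachment's "Sensitivity" document property and stops the message leaving the organization) looks roughly like the following. This is an added example, not code posted by anyone in the thread and not Microsoft's own sample; it assumes Exchange Server 2013 or later run from the Exchange Management Shell, Office-format attachments (the document-property condition only inspects those), and that the labeling client writes a custom document property literally named "Sensitivity" as the question states. The mailbox address and rule name are placeholders.

```powershell
# Added example (not from the thread): an Exchange on-premises transport rule that
# blocks mail leaving the organization when an attached Office document carries the
# custom document property "Sensitivity" with one of the listed values.
# Assumptions: Exchange 2013+ (AttachmentPropertyContainsWords requires it), run from
# the Exchange Management Shell, and the label is stored in a document property
# literally named "Sensitivity" (as in the question). Addresses are placeholders.

# Create the rule in audit mode first, so incident reports show what it would have
# caught before any mail is actually rejected.
New-TransportRule -Name "DLP - Block Confidential attachments leaving the org" `
    -SentToScope NotInOrganization `
    -AttachmentPropertyContainsWords "Sensitivity:Confidential,Highly Confidential" `
    -RejectMessageReasonText "This message was blocked: it contains an attachment labeled Confidential." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -IncidentReportContent Sender,Recipients,Subject,AttachmentNames,RuleDetection `
    -Mode Audit

# After reviewing the incident reports for false positives, switch to enforcement.
Set-TransportRule -Identity "DLP - Block Confidential attachments leaving the org" -Mode Enforce

# Confirm the condition and action that ended up on the rule.
Get-TransportRule -Identity "DLP - Block Confidential attachments leaving the org" |
    Format-List Name, Mode, SentToScope, AttachmentPropertyContainsWords, RejectMessageReasonText
```

The property condition matches on metadata the client wrote into the file, so it is only as reliable as the labeling: an unlabeled or non-Office attachment will not trip it, which is why starting in audit mode and checking the incident reports against known-labeled test documents is worth the extra step.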




Why do you think the FAQ link contradicts what I said?  The labels are stored in Azure, you configure them in Azure and they download to clients.  But the documents and emails that you label don't have to be in Azure (is this the confusion?) and you can use the protection service with on-premises servers (Exchange, SharePoint, and file servers).


How have you configured your labels at the moment if you can't use a cloud service?  Are you using the demo policy that installs by default?

Ahhh, ok. That's a little clearer.

Yes. I am using the default test policy and thought that the labels were all distributed via GPO.


So, hypothetically speaking we'd be looking at configuring this with AD Connect along with the rights management connector?


best response confirmed by James Vink (Occasional Contributor)

Yes, for users to be authenticated so they can then download the labels that you configure, install and configure AD Connect.  You configure the labels from the Azure portal, using any number of labels (create scoped policies if you want users to have specific labels), using your choice of classification names, any color, specifying whatever header/footer/watermark you want etc.


You can configure clients to be offline, but it's not a sustainable solution and won't offer the best user experience:


Only if you need documents and emails to be protected (as well as classified) do you need the RMS connector for your on-premises servers - for example so users can apply a label in Outlook that classifies and protects right from the client.  You can always add the protection piece later.