Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Azure information protection custom policies not working

Brass Contributor

Hello,
I'm playing around with an Enterprise Mobility + E3 license and security and I was following the next tutorial/document from Microsoft: https://docs.microsoft.com/en-gb/information-protection/get-started/infoprotect-quick-start-tutorial


However, after completing every step the following error will pop up when trying to select a custom policy. I have tried creating different policies with different setups in vain:

 error example.JPG
 

I wonder what else is needed?

 

Thank you. 

27 Replies
Please try uninstalling the client and installing again from this Url
https://www.microsoft.com/en-us/download/details.aspx?id=53018
Select and run AzInfoProtection.exe

Hello Ortiz,

I'm afraid that didn't work, I originally used this installer by the way.

Looking at Microsoft's documentation, and as far as I know, it should be working as it is but I can't get it to work. Any ideas? Could something in the computer set-up be affecting the client?

Thank you for the help :)

Please try the following to completely remove AIP client:

 

1. Uninstall AzIP client either in control panel or by running AzInfoProtection.exe /uninstall

2. Access Registry (RegEdit.exe) and delete: HKEY_CURRENT_USER\Software\Microsoft\MSIP

3. Clear IE cookies

4. Delete folder: C:\Users\<user name>\AppData\Local\Microsoft\MSIP

5. Clear Windows credentials and sign-out of Office account

6. Restart and run AzInfoProtection.exe again

Thank you for that, unfortunately it still displays that error with custom policies.

I have had access to another device today and the very same error pops up there, so I'm assuming the problem must be in the setup.

 

EDIT: By the looks of it adding protection is causing the issue. The predefine policies which do not have protection activated (therefor are merely a visual thing) do work,  however modifying them and adding protection "Azure (cloud key)" will cause this error to pop up.

 

Again, everything that is needed for this to work (according to the Microsoft documentation) has been done.

Ok then, please check requirements, mainly Office version required:

 

https://docs.microsoft.com/en-us/information-protection/get-started/requirements

Do you have AD RMS enabled in your environment?

I just double checked it and we do meet the requirements, however we do not manage the firewall.

I'll get in touch with the provider and get it checked, I'll get back with an update regardless.

Regards,

Ion

My apologies I did not see this post before, answering your question: No we don't, in fact, our Domain users are not linked in any way to those in Azure and 365.

Great. Are you able to right click a file in File Explorer and apply AIP protection (Classify and protect)?

Hi,

If I try to apply the custom policy the following error will be displayed:

Failed: Rights management template not found

If I try to create a custom permission from the file explorer the following will be displayed:

Failed: Azure information Protection cannot apply this label because it encountered a problem trying to apply protection. If the problem persists, contact your help desk or administrator.

The predefined policies with no protection do work of course. I'll have a look at the first error which does look promising, if you have any thoughts about it however they're most welcome :)

Thank you for your help so far!

Good, I would check that Azure RMS Service and Templates in Azure portal, just to make sure everything is OK there. After that you can refresh templates on your machine following these steps:

 

https://docs.microsoft.com/en-us/information-protection/deploy-use/refresh-templates

Hi!

Unfortunately I see nothing wrong with the templates. I wonder, is there anything within Office 365 setup that could be interfering with Azure RMS?

Only the firewall left to be check.

I assume your Office 365 license supports Azure RMS, right?

 

If so, then most likely it's firewall or proxy blocking IPs or URLs like azurerms.com

 

https://support.office.com/en-US/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

 

 

 
Unfortunately the firewall is outside of my control and I'm awaiting for our vendor's response still.

Answering your question: Yes, we do have the needed licenses. I have also gone thru all of the requirements and setup again to make sure I haven´t missed something previously. I'll come back with an update (and hopefully a solution) to this post once the Firewall is sorted.

Again, thanks for the help!

Regards,

Ion
best response confirmed by Ion Zubia (Brass Contributor)
Solution

In addition to checking the firewall isn't blocking IP addresses and URLs, check it's not terminating your TLS connection, which breaks certificate pinning.  I've added a tip how to check for this client-side, if you don't manage the firewall yourself.  See https://docs.microsoft.com/en-us/information-protection/get-started/requirements#firewalls-and-netwo...

Hi Carol,

Spot on, the Microsoft certificate isn't displayed and in fact I can view a Fortinet message instead.

I also got a message from our vendor stating that they think something in the list might be performing packet inspections.

Once this is sorted I'll get back with more information to leave a record of it in case someone in the future runs into this post with a similar problem.

My most sincere thanks for all the assistance.

EDIT: The firewall was simply intercepting the SSL stream and replacing the certificate with its own.

Thanks for the update - really appreciate that, and also knowing that the newly added tip in the documentation worked for you. Hopefully, it will help the next person as well! 

 

Firewall issues are always tricky to pin down, with unpredictable symptoms. Then the problem is compounded when you don't manage the firewall yourself and have to rely on others to check the requirements for you and make changes. This tip that was passed on to me (by Tom Moser in our Customer Success team) is a great way to either help eliminate this possible cause, or provide specific information to whoever manages your firewall.

Thanks, this worked for me. I had gone trough all the log files, but could only find logs about a file not found, would still be interesting to understand what is going wrong here. After uninstall and re-install "same version" of the AIP Client all worked.

Thanks for the info, this pointed me to my problem

1 best response

Accepted Solutions
best response confirmed by Ion Zubia (Brass Contributor)
Solution

In addition to checking the firewall isn't blocking IP addresses and URLs, check it's not terminating your TLS connection, which breaks certificate pinning.  I've added a tip how to check for this client-side, if you don't manage the firewall yourself.  See https://docs.microsoft.com/en-us/information-protection/get-started/requirements#firewalls-and-netwo...

View solution in original post