New support for PDF encryption with Microsoft Information Protection
Published Sep 26 2018 06:53 AM 19.6K Views


As Microsoft’s Information Protection ecosystem expands, you’ve given us feedback to expand our support for more standard file types outside of Office document formats for labeling and protection scenarios. Today we’re announcing support for the ISO specification for PDF v1.7 for encryption needs. By conforming to the ISO specification, we now support a more robust native integration with PDF documents.


What is this new PDF encryption standard?

PDF documents have always had an encryption standard since the initial specification of PDF documents. In 2008 ISO released a PDF document specification called PDF v1.7, which included several optimizations of the PDF document format.  The PDF v1.7 specification focused on the following optimizations:

  • Preservation of PDF document fidelity across devices
  • Merging content from diverse sources (web sites, Office documents, photos, scanned documents and graphics) while maintaining the integrity of the original formats
  • Support for digital signatures
  • Security permissions
  • Accessibility
  • Electronic forms
  • Extraction and reuse of content to use with other file formats

PDF v1.7 was a significant overhaul of the PDF document standard. Contained within the standard PDF encryption standards were new specifications on how to implement rights management and support for encryption algorithms.  This section of the PDF v1.7 specification is referred to as PDF IRM v2.


What are the some of the capabilities that PDF IRM v2 support enables?

The PDF IRM v2 specification covers encryption support in two key contexts:

  • Password protected encryption
  • General encryption support for rights management capabilities

Note: Password Protected encrypted documents cannot be re-encrypted with rights management functions

The focus of this blog is the general protection for rights management. This is technology agnostic; the specification provides guidelines for security vendors who wish to encrypt content for rights management and how to correctly encrypt PDF documents.

Some of the main features of this PDF IRM v2 specification include:

  • Native integration of rights management capabilities within the PDF document
  • Ability to encrypt just the content payload and not the meta-data associated with the document
  • The extension of the PDF document does not change – only PDF Readers and composing applications that are enlightened to enforce the rights are aware of how to open the document
  • Support for advanced encryption algorithms such AES -256

With these benefits, customers can have a similar experience as they have with Office applications from a document protection context.


What about data sensitivity labels?

The PDF IRM v2 specification covers encryption capabilities and does not call out labeling standards. But PDF documents can be classified and labeled, and the label meta-data gets embedded within the PDF document, whether it’s encrypted or not.  The additional benefit of conforming to the encryption standard is that the label meta-data is not encrypted even when the actual content payload is encrypted. This allows for solutions like Data Loss Prevention (DLP) to be able to read the label classification and not have the need to decrypt the content. We’ve added controls to protect against label tampering by embedding the LabelID within the document Publishing License. The benefit of this is that when a document’s label properties change to a malformed value, the original label information is still retained.

 Example of an enlightened application opening a PDF document protected with Microsoft Information Protection solutionsExample of an enlightened application opening a PDF document protected with Microsoft Information Protection solutions


What is happening to the older PDF protection format supported by Azure Information Protection capabilities (formerly Azure RMS)?

Given the capabilities of the new standard and the fidelity of the user experience, the older protected PDF format (*.PPDF) will be deprecated. We will have older PDF readers that will support the older format, but we will also provide migration tools to help customers migrate to the new PDF format.


How to convert to the new PDF format

Before starting the conversion process, administrators need to  enable PDF IRM v2 support in the Azure Information Protection administration portal - follow the instructions provided  here.


Now that you’ve enabled the default protection to be PDF IRMv2, now let’s look at the client side. The Azure Information Protection client comes bundled with PowerShell cmdlets. We have augmented the existing labeling cmdlets to be PDF IRMv2 aware.  To run these commands on all the files in a file share, we recommend that you create a PowerShell script that envelopes these commands. 


 The commands that enable labeling and protection for the new PDF format include:

  • Using the command below, the user can get information about the PDF document and the label and protection applied


Get-AIPFileStatus -Path \\Finance\Projectx\hello.ppdf

FileName        : \\Finance\Projectx\hello.ppdf

IsLabeled       : True

MainLabelId     : 074e257c-1234-1234-1234-34a182080e71

MainLabelName   : Confidential

SubLabelId      : d9f23ae3-1234-1234-1234-f515f824c57b

SubLabelName    : Finance group

LabelingSiteId  : 72f988bf-1234-1234-1234-2d7cd011db47

Owner           :

LabelingMethod  : Manual

LabelDate       : 12/12/2016 12:24:36 PM

IsRMSProtected  : True

RMSTemplateId   : e6ee2481-1234-1234-1234-f744eacd53b0

RMSTemplateName : Contoso - Confidential Finance

RMSIssuedTime   : 5/6/2018 9:15:03 AM

RMSOwner        :

RMSIssuer       :

  • Then proceed to remove the label on the hello.ppdf file. Since the Remove label operation also removed protection the resulting file should be hello.pdf


Set-AIPFileLabel \\Finance\Projectx\hello.ppdf -RemoveLabel


  • Issue the following command on the file with the relevant LabelID and the resulting file still has a .pdf extension except now it is protected with PDF IRMv2


Set-AIPFileLabel \\Finance\Projectx\hello.pdf -LabelId d9f23ae3-1234-1234-1234-f515f824c57b


Recommendation: Execute the operation on a sample set of files before exercising the commands on a larger file share.


How about other Microsoft Products? Do they support new PDF IRM v2 format?

We are working with many product teams to enable this capability. The Microsoft Information Protection SDK fully supports PDF IRMv2 format and we make it really easy.  Expect more details soon.


What about support from other PDF reader vendors?

The supported readers for PDF documents will be provided early October and will continue to get updated as more vendors adopt the Microsoft Information Protection SDK.


Version history
Last update:
‎May 11 2021 02:00 PM
Updated by: