Requirements to use Information Protection (AIP, MIP, RMS) in your organization

Sometimes, when you work with something over time, and then want to explain some of the functionality to others, it is easy to jump some steps. I have gotten some feedback from readers that has made me realize that there are a few things that should be added to many of my posts. 

When I am asked things like: I get a message saying: “Rights management isn’t activated”, or “I get an error message activating RMS”, I see that I sometimes forget to add the requirements to some of my articles. I will therefore add this post, showing most of the relevant prerequisites.

There's always something ...

Activating RMS in Office 365

First of all, and this will be logical to most of you, but you will need Azure AD, and to use any form of MIP protection (AIP, Office 365 Message Encryption) the Rights Management service needs to be activated. If you have recently gotten your Office 365 license/portal, this should be done already, but it is easy to check:

Enter the Office 365 admin center via the admin app icon.
In the left pane, expand the service settings.

Your office 365 portal

Click on Rights Management or Microsoft Azure Information Protection to enter the Rights Management dashboard. You may see different things here depending on the version your portal is. This should bring you into the rights management settings. In my case it is already activated, but you may see the activate option here instead.
RMS service settings

Click on Activate to active Rights Management.



For classification, labeling, and protection: You must have an Azure Information Protection plan.
You can get this in the following ways:

1.    Microsoft 365 F1/E3/E5 (Note that F1 and E3 includes the AIP P1 plan, and not P2)
2.    Information Protection & Compliance license (includes AIP P2 plan)
3.    Microsoft 365 Business (Includes AIP P1 plan)
4.    Enterprise Mobility + Security E3 (Includes AIP P1 plan)
5.    Enterprise Mobility + Security E5 (Includes AIP P2 plan)
6.    Office 365 Enterprise E3 (Includes AIP P1 plan)
7.    Office 365 Enterprise E5 (Includes AIP P2 plan)
8.    Azure Information Protection Premium P1 (AIP P1 plan)
9.    Azure Information Protection Premium P2 (AIP P2 plan)

Azure Information Protection is also available as user subscription license. It's available for direct purchase online or through the following programs:

1.    Microsoft Enterprise Agreement Volume Licensing program   
2.    Microsoft CSP (Cloud Solution Provider)

Operating systems (when you want to use the AIP client)

1. Windows Client:  7 (x86, x64) Service Pack 1 or higher (Windows 8, 8.1, 10)
2. Windows Server: 2008 R2 or later. (Server Core and Nano Server are not supported for any Azure Information Protection feature. For example, for the scanner, for the RMS connector, and for the PowerShell modules)

Operating systems that support the rights management service:

1. Windows 7 (x86, x64)
2. Windows 8 (x86, x64)
3. Windows 8.1 (x86, x64)
4. Windows 10 (x86, x64)
5. macOS: Minimum version of macOS 10.8 (Mountain Lion)

The following mobile device operating systems support the Azure Rights Management service:
1. Android phones and tablets: Minimum version of Android 4.4
2. iPhone and iPad: Minimum version of iOS 11.0
3. Windows phones and tablets: Windows 10 Mobile

Office client

Office apps minimum version 1805, build 9330.2078 from Office 365 Business or Microsoft 365 Business when the user is assigned a license for Azure Rights Management (also known as Azure Information Protection for Office 365)

  1. Office 365 ProPlus
  2. Office Professional Plus 2019
  3. Office Professional Plus 2016
  4. Office Professional Plus 2013 with Service Pack 1
  5. Office Professional Plus 2010 with Service Pack 2

AIP client

To be able to classify and label information you also need the Azure Information Protection client.

These can be downloaded here:

Download AIP clients

There are two clients available for Windows:

AzInfoProtection.exe is the classic client. This is used when you have your configuration in the AIP portal (Azure)

AzInfoProtection_UL.exe is the Unified Labeling client. This is used when you have your configuration in the Office 365 portal.

If you want to read more about the two clients, you can find some info here: AIP clients and portal

Additional prerequisites for the AIP Unified Labeling Client:
1. Microsoft .NET Framework 4.6.2 (if this is missing the installer will try to download it)
2. Microsoft .NET Framework 4.5.2 (if the viewer is installed separately)
3. Windows PowerShell 4.0 or higher (the installer does not check for this)
4. Screen resolution will need to be higher than 800x600 to fully display the Classify and protect dialog box. (when you right click)
5. KB 448287 and KB 2533623 (these could be superseeded).
6. Visual C++ Redistributable for Visual Studio 2015 (32-bit)

Note: If you have the correct license, have activated Unified labeling and you are using the latest version of Office you should have the functionality built-in to Office and will not need to download the client. It will then look something like this (in New email - Outlook as an example):

Sensitivity button as default

Other stuff

You also need to make sure that your firewall isn’t blocking the communication to the Azure RMS service.  Example: Allow the URL * over HTTPS.

If you are using a Web Proxy, make sure it is using integrated Windows authentication with the user's Active Directory logon credentials.

And here, as in many other cases (like Exchange Hybrid) Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection) to the URL. Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.

Did I forget anything? Please don’t hesitate to tell me about it.


Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label