Azure Information Protection pricing
- No upfront cost
- No termination fees
- Pay only for what you use
Pricing details
Microsoft Azure Information Protection can be purchased either standalone or through one of the following Microsoft licensing suites:
- Microsoft 365 Enterprise plans
- Microsoft 365 Compliance plan (includes Azure Information Protection P2)
- Microsoft 365 Business (includes Azure Information Protection P1)
- Enterprise Mobility + Security plans
Azure Information Protection is offered as a user subscription license. It's available for direct purchase online or through your Microsoft representative or partner.
Feature | Free | Azure Information Protection for Office 365 | Azure Information Protection Premium P1 | Azure Information Protection Premium P2 |
---|---|---|---|---|
Azure Information Protection content consumption by using work or school accounts from AIP policy-aware apps and services | ||||
Protection for Microsoft Exchange Online, Microsoft SharePoint Online and Microsoft OneDrive for Business content | ||||
Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle2 | ||||
Custom templates, including departmental templates | ||||
Protection for on-premises Exchange and SharePoint content via Rights Management connector | ||||
Azure Information Protection content creation by using work or school accounts | ||||
Office 365 Message Encryption | ||||
Administrative control3 | ||||
Azure Information Protection software developer kit for protection for all platforms – Windows, Windows Mobile, iOS, Mac OSX and Android | ||||
Protection for non-Microsoft Office file formats, including PTXT, PJPG and PFILE (generic protection) | ||||
Manual, default and mandatory document classification | ||||
Azure Information Protection scanner for content discovery of on-premises files matching any of the sensitive information types | ||||
Azure Information Protection scanner to apply a label to all files in an on-premises file server or repository | ||||
Rights Management connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector | ||||
Document tracking and revocation | ||||
Microsoft Information Protection software developer kit (SDK) to apply labels and protection to emails and files for all platforms – Windows, iOS, Mac OSX, Android and Linux | ||||
Configure conditions for automatic and recommended classification | ||||
Set labels to automatically apply pre-configured S/MIME protection in Outlook | ||||
Control oversharing of information when using Outlook (warn, justify or block emails). | ||||
Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios | ||||
Azure Information Protection scanner for automated classification, labeling and protection of supported on-premises files | ||||
Free
Self-service subscription for users in an organisation who have been sent sensitive files that have been protected by Azure Information Protection, but that cannot be authenticated because the users' IT department does not manage an account for them in Azure—for example, the IT department does not have Office 365 or use Azure services.
Price: Free
Azure Information Protection for Office 365
Microsoft Azure Information Protection is included in the Office 365 Enterprise E3 and above plans.
Azure Information Protection Premium P1
Provides additional rights to use the on-premises connectors, track and revoke shared documents and enable users to manually classify and label documents.
Price: $2
Note: Also part of Microsoft Enterprise Mobility + Security E3, Microsoft 365 E3 and Microsoft 365 Business.
Azure Information Protection Premium P2
Builds on Azure Information Protection Premium P1 with automated and recommended classification, labeling and protection, with policy-based rules and Hold Your Own Key (HYOK) configurations that span Azure Rights Management and Active Directory Rights Management.
Price: $5
Note: Also part of Enterprise Mobility + Security E5 and Microsoft 365 E5.
Licensing FAQs
Consuming protected content – opening, viewing and modifying protected files
-
No. The worker doesn't need an Azure Information Protection licence to open and view a file that has been labeled and/or protected.
-
Yes, in order to view the label, the user needs the Azure Information Protection client for Office apps installed, which requires an Azure Information Protection licence.
-
Yes. Any change to the classification, label or protection requires an Azure Information Protection P1 (if manually changing the label) or P2 licence (if automatically applying classification rules and applying the label).
-
While users will still see label information even if they do not have a license, you should ensure that these users get a license assigned to them – any user that has the Azure Information Protection client for Office apps installed in order to see or apply labels should have an Azure Information Protection license. Users do not need a licence in order to see visual markings, such as watermarks, headers and footers that are applied to the document. Users do not need a licence if their Azure Information Protection client (classic) is running in protection-only mode.
Azure Information Protection scanner
-
An Azure Information Protection licence (either P1 or P2) is required for all internal users that have created content that resides in scanned file repositories. As is standard with Azure Information Protection licensing, additional licensing is not required for external users who are accessing protected files or for users who previously protected files but are no longer users in the tenant, such as users who have left your organisation.
-
Running the Azure Information Protection scanner in this type of “discover” mode requires users that have created content that resides in the scanned repository to have at least an Azure Information Protection P1 licence.
-
Users that have created content that resides in the scanned repository must have at least an Azure Information Protection P1 licence.
-
Users who have created content that resides in the scanned repository must have an Azure Information Protection P2 licence.
-
An Azure Information Protection licence is required for all internal users who have created content that resides in scanned file repositories. As is standard with Azure Information Protection licensing, additional licensing is not required for external users who are accessing protected files or for users who previously protected files but are no longer users in the tenant, such as users who have left your organisation.
In the example above, using the Azure Information Protection scanner in “discover” mode would not require any additional licensing, as all users are licensed with at least Azure Information Protection P1. Using the scanner to apply classification, labeling and/or protection would require that all 50,000 internal users have an Azure Information Protection P2 licence.
-
A licence is required for each user that has created content that resides in the scanned repositories (in this scenario, deleted user accounts do not require a licence).
Microsoft Information Protection SDK
-
Each user must have at least an Azure Information Protection P1 licence.
Unified labeling and Security & Compliance Center
-
Users need to have at least an Azure Information Protection P1 licence if the company is migrating labels for use in Azure Information Protection, or at least an Office 365 E3 licence if they are migrating labels for use in Office 365.
-
You still need Azure Information Protection P1/P2 for all the capabilities included in Azure Information Protection before the unified labeling experience was released (such as using the Azure Information Protection client, the Azure Information Protection scanner, etc.). To be able to configure sensitivity labels in the Security and Compliance center, you need either Azure Information Protection P1/P2 licenses OR Office 365 E3/E5 licenses (you don’t need both). Users do not need a licence if their Azure Information Protection client (classic) is running in protection-only mode.
-
To apply labels manually using the native labeling experience built into Office apps, users need either Azure Information Protection P1/P2 licenses OR Office 365 E3/E5 licenses (users don’t need both) AND the Office 365 version of Office apps installed. As of March 2019, native labeling is available in the Office 365 version of:
- Office for Mac: Word, PowerPoint, Excel, Outlook
- Office mobile apps for iOS: Word, PowerPoint, Excel
- Office mobile apps for Android: Word, PowerPoint, Excel
-
The Azure Information Protection client plugin for Windows enables users to classify and protect their documents and emails. You need an Azure Information Protection license to use the Azure Information Protection client, either Azure Information Protection P1 (for manual labeling and protection) or Azure Information Protection P2 (for automatic or recommended labeling and protection). You do not get the entitlement to use the Azure Information Protection client to label and protect documents and emails if you have Office 365 E3 or E5.