Microsoft Azure Information Protection can be purchased either standalone or through one of the following Microsoft licensing suites:
- Enterprise Mobility + Security
- Microsoft 365 Enterprise
Azure Information Protection is offered as a user subscription license. It's available for direct purchase online or through the following programs:
|Feature||Free||Azure Information Protection for Office 365||Azure Information Protection Premium P1||Azure Information Protection Premium P2|
|Azure Information Protection content consumption by using work or school accounts from AIP policy-aware apps and services|
|Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content|
|Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle2|
|Custom templates, including departmental templates|
|Protection for on-premises Exchange and SharePoint content via Rights Management connector|
|Azure Information Protection software developer kit for protection for all platforms – Windows, Windows Mobile, iOS, Mac OSX, and Android|
|Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection)|
|Azure Information Protection content creation by using work or school accounts|
|Office 365 Message Encryption|
|Manual, default, and mandatory document classification|
|Azure Information Protection scanner for content discovery of on-premises files matching any of the sensitive information types|
|Azure Information Protection scanner to apply a label to all files in an on-premises file server or repository|
|Rights Management connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector|
|Document tracking and revocation|
|Microsoft Information Protection software developer kit (SDK) to apply labels and protection to emails and files for all platforms – Windows, iOS, Mac OSX, Android, and Linux|
|Configure conditions for automatic and recommended classification|
|Set labels to automatically apply pre-configured S/MIME protection in Outlook|
|Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios|
|Azure Information Protection scanner for automated classification, labeling, and protection of supported on-premises files|
Self-service subscription for users in an organization who have been sent sensitive files that have been protected by Azure Information Protection, but that can't be authenticated because the users' IT department does not manage an account for them in Azure—for example, the IT department doesn't have Office 365 or use Azure services.
Azure Information Protection for Office 365
Microsoft Azure Information Protection is included in the Office 365 Enterprise E3 and above plans.
Azure Information Protection Premium P1
Provides additional rights to use the on-premises connectors, track and revoke shared documents, and enable users to manually classify and label documents.
Note: Also part of Microsoft Enterprise Mobility + Security E3, Microsoft 365 E3 and Microsoft 365 Business.
Azure Information Protection Premium P2
Builds on Azure Information Protection Premium P1 with automated and recommended classification, labeling, and protection, with policy-based rules and Hold Your Own Key (HYOK) configurations that span Azure Rights Management and Active Directory Rights Management.
Note: Also part of Enterprise Mobility + Security E5 and Microsoft 365 E5.
Consuming protected content – opening, viewing and modifying protected files
No. The worker doesn't need an Azure Information Protection license to open and view a file that’s been labeled and/or protected.
Yes, in order to view the label, the user needs the Azure Information Protection client for Office apps installed, which requires an Azure Information Protection license.
Yes. Any change to the classification, label or protection requires an Azure Information Protection P1 (if manually changing the label) or P2 license (if automatically applying classification rules and applying the label).
The user won't see the label since that requires the Azure Information Protection client for Office apps and therefore an Azure Information Protection license. The user will see visual markings, such as watermarks, headers and footers that are applied to the document.
Azure Information Protection scanner
An Azure Information Protection license (either P1 or P2) is required for all internal users that have created content that resides in scanned file repositories. As is standard with Azure Information Protection licensing, additional licensing is not required for external users who are accessing protected files or for users who previously protected files but are no longer users in the tenant, such as users who have left your organization.
Running the Azure Information Protection scanner in this type of "discover” mode requires users that have created content that resides in the scanned repository to have at least an Azure Information Protection P1 license.
Users that have created content that resides in the scanned repository must have at least an Azure Information Protection P1 license.
Users who have created content that resides in the scanned repository must have an Azure Information Protection P2 license.
An Azure Information Protection license is required for all internal users who have created content that resides in scanned file repositories. As is standard with Azure Information Protection licensing, additional licensing is not required for external users who are accessing protected files or for users who previously protected files but are no longer users in the tenant, such as users who have left your organization.
In the example above, to use the Azure Information Protection scanner in “discover” mode would not require any additional licensing, as all users are licensed with at least Azure Information Protection P1. Using the scanner to apply classification, labeling and/or protection would require that all 50,000 internal users have an Azure Information Protection P2 licenses.
A license is required for each user that has created content that resides in the scanned repositories (in this scenario, deleted user accounts do not require a license).
Microsoft Information Protection SDK
Each user must have at least an Azure Information Protection P1 license.
Unified labeling and Security & Compliance Center
Users need to have at least an Azure Information Protection P1 license if the company is migrating labels for use in Azure Information Protection, or at least an Office 365 E3 license if they are migrating labels for use in Office 365.
There has been no changes to licensing thus far, meaning that you still need Azure Information Protection P1/P2 for all the capabilities included in Azure Information Protection before the unified experience was released. If you want to classify, label and protect files in Office 365 services (SharePoint Online, OneDrive for Business, Exchange Online), then you need Office 365 E3/E5 licenses.
To apply labels manually using the native labeling experience built into Office apps, users need either Azure Information Protection P1/P2 licenses OR Office 365 E3/E5 licenses (users don’t need both).
Support & SLARead the SLA for Azure Information
Estimate your monthly costs for Azure services
Review Azure pricing frequently asked questions
Learn more about Azure Information Protection
Review technical tutorials, videos, and more resources