Azure Information Protection pricing

Pricing details

Microsoft Azure Information Protection can be purchased either standalone or through one of the following Microsoft licensing suites:

Azure Information Protection is offered as a user subscription license. It's available for direct purchase online or through the following programs:

Feature Free Azure Information Protection for Office 365 Azure Information Protection Premium P1 Azure Information Protection Premium P2
Azure Information Protection content consumption by using work or school accounts from AIP policy-aware apps and services Available Available Available Available
Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content Not available Available Available Available
Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle2 Not available Available Available Available
Custom templates, including departmental templates Not available Available Available Available
Protection for on-premises Exchange and SharePoint content via Rights Management connector Not available Available Available Available
Azure Information Protection content creation by using work or school accounts Not available Available Available Available
Office 365 Message Encryption Not available Available Available Available
Administrative control3 Not available Available Available Available
Azure Information Protection software developer kit for protection for all platforms – Windows, Windows Mobile, iOS, Mac OSX, and Android Not available Not available Available Available
Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection) Not available Not available Available Available
Manual, default, and mandatory document classification Not available Not available Available Available
Azure Information Protection scanner for content discovery of on-premises files matching any of the sensitive information types Not available Not available Available Available
Azure Information Protection scanner to apply a label to all files in an on-premises file server or repository Not available Not available Available Available
Rights Management connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector Not available Not available Available Available
Document tracking and revocation Not available Not available Available Available
Microsoft Information Protection software developer kit (SDK) to apply labels and protection to emails and files for all platforms – Windows, iOS, Mac OSX, Android, and Linux Not available Not available Available Available
Configure conditions for automatic and recommended classification Not available Not available Not available Available
Set labels to automatically apply pre-configured S/MIME protection in Outlook Not available Not available Not available Available
Control oversharing of information when using Outlook (warn, justify or block emails). Not available Not available Not available Available
Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios Not available Not available Not available Available
Azure Information Protection scanner for automated classification, labeling, and protection of supported on-premises files Not available Not available Not available Available

1Some Office 365 subscriptions also include data protection using Microsoft Azure Information Protection. For information on those Office 365 subscriptions and the data protection capabilities they include, refer to Azure Information Protection licensing datasheet.

2Azure subscription required to use configured key for Bring Your Own Key (BYOK).

3Includes activating/deactivating the service, onboarding controls for a phased deployment, usage logging, super user capability for eDiscovery and data recovery, bulk protect/unprotect of files.

Free

Self-service subscription for users in an organization who have been sent sensitive files that have been protected by Azure Information Protection, but that can't be authenticated because the users' IT department does not manage an account for them in Azure—for example, the IT department doesn't have Office 365 or use Azure services.

Price: Free

Azure Information Protection for Office 365

Microsoft Azure Information Protection is included in the Office 365 Enterprise E3 and above plans.

Azure Information Protection Premium P1

Provides additional rights to use the on-premises connectors, track and revoke shared documents, and enable users to manually classify and label documents.

Price: $2

Note: Also part of Microsoft Enterprise Mobility + Security E3, Microsoft 365 E3 and Microsoft 365 Business.

Azure Information Protection Premium P2

Builds on Azure Information Protection Premium P1 with automated and recommended classification, labeling, and protection, with policy-based rules and Hold Your Own Key (HYOK) configurations that span Azure Rights Management and Active Directory Rights Management.

Price: $5

Note: Also part of Enterprise Mobility + Security E5 and Microsoft 365 E5.

Licensing FAQs

Consuming protected content – opening, viewing and modifying protected files

  • No. The worker doesn't need an Azure Information Protection license to open and view a file that’s been labeled and/or protected.

  • Yes, in order to view the label, the user needs the Azure Information Protection client for Office apps installed, which requires an Azure Information Protection license.

  • Yes. Any change to the classification, label or protection requires an Azure Information Protection P1 (if manually changing the label) or P2 license (if automatically applying classification rules and applying the label).

  • While users will still see label information even if they don’t have a license, you should ensure that these users get a license assigned to them – any user that has the Azure Information Protection client for Office apps installed in order to see or apply labels should have an Azure Information Protection license. Users do not need a license in order to see visual markings, such as watermarks, headers and footers that are applied to the document. Users do not need a license if their Azure Information Protection client (classic) is running in protection-only mode.

Azure Information Protection scanner

  • An Azure Information Protection license (either P1 or P2) is required for all internal users that have created content that resides in scanned file repositories. As is standard with Azure Information Protection licensing, additional licensing is not required for external users who are accessing protected files or for users who previously protected files but are no longer users in the tenant, such as users who have left your organization.

  • Running the Azure Information Protection scanner in this type of "discover” mode requires users that have created content that resides in the scanned repository to have at least an Azure Information Protection P1 license.

  • Users that have created content that resides in the scanned repository must have at least an Azure Information Protection P1 license.

  • Users who have created content that resides in the scanned repository must have an Azure Information Protection P2 license.

  • An Azure Information Protection license is required for all internal users who have created content that resides in scanned file repositories. As is standard with Azure Information Protection licensing, additional licensing is not required for external users who are accessing protected files or for users who previously protected files but are no longer users in the tenant, such as users who have left your organization.

    In the example above, to use the Azure Information Protection scanner in “discover” mode would not require any additional licensing, as all users are licensed with at least Azure Information Protection P1. Using the scanner to apply classification, labeling and/or protection would require that all 50,000 internal users have an Azure Information Protection P2 licenses.

  • A license is required for each user that has created content that resides in the scanned repositories (in this scenario, deleted user accounts do not require a license).

Microsoft Information Protection SDK

  • Each user must have at least an Azure Information Protection P1 license.

Unified labeling and Security & Compliance Center

  • Users need to have at least an Azure Information Protection P1 license if the company is migrating labels for use in Azure Information Protection, or at least an Office 365 E3 license if they are migrating labels for use in Office 365.

  • You still need Azure Information Protection P1/P2 for all the capabilities included in Azure Information Protection before the unified labeling experience was released (such as using the Azure Information Protection client, the Azure Information Protection scanner, etc.)To be able to configure sensitivity labels in the Security & Compliance center, you need either Azure Information Protection P1/P2 licenses OR Office 365 E3/E5 licenses (you don’t need both). Users do not need a license if their Azure Information Protection client (classic) is running in protection-only mode.

  • To apply labels manually using the native labeling experience built into Office apps, users need either Azure Information Protection P1/P2 licenses OR Office 365 E3/E5 licenses (users don’t need both) AND the Office 365 version of Office apps installed. As of March 2019, native labeling is available in the Office 365 version of:
    Office for Mac: Word, PowerPoint, Excel, Outlook
    Office mobile apps for iOS: Word, PowerPoint, Excel
    Office mobile apps for Android: Word, PowerPoint, Excel

  • The Azure Information Protection client plugin for Windows enables users to classify and protect their documents and emails. You need an Azure Information Protection license to use the Azure Information Protection client, either Azure Information Protection P1 (for manual labeling and protection) or Azure Information Protection P2 (for automatic or recommended labeling and protection). You do not get the entitlement to use the Azure Information Protection client to label and protect documents and emails if you have Office 365 E3 or E5.

Resources

Estimate your monthly costs for Azure services

Review Azure pricing frequently asked questions

Learn more about Azure Information Protection

Review technical tutorials, videos, and more resources

Added to estimate. Press 'v' to view on calculator

View the quick start tutorial