This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?
The Azure Information Protection add-in is retired and replaced with labels that are built in to your Microsoft 365 apps and services. Learn more about the support status of other Azure Information Protection components.
The Microsoft Purview Information Protection client (without the add-in) is generally available.
Depending on your tenant key topology for Azure Information Protection, you have different levels of control and responsibility for your Azure Information Protection tenant key. The two key topologies are Microsoft-managed and customer-managed.
When you manage your own tenant key in Azure Key Vault, this is often referred to as bring your own key (BYOK). For more information about this scenario and how to choose between the two tenant key topologies, see Planning and implementing your Azure Information Protection tenant key.
The following table identifies the operations that you can do, depending on the topology that you’ve chosen for your Azure Information Protection tenant key.
| Life cycle operation | Microsoft-managed (default) | Customer-managed (BYOK) |
|---|---|---|
| Revoke your tenant key | No (automatic) | Yes |
| Rekey your tenant key | Yes | Yes |
| Backup and recover your tenant key | No | Yes |
| Export your tenant key | Yes | No |
| Respond to a breach | Yes | Yes |
After you have identified which topology you have implemented, select one of the following links for more information about these operations for your Azure Information Protection tenant key:
However, if you want to create an Azure Information Protection tenant key by importing a trusted publishing domain (TPD) from Active Directory Rights Management Services, this import operation is part of the migration from AD RMS to Azure Information Protection. As part of the design, an AD RMS TPD can only be imported to one tenant.
Training
Module
Azure Key and Certificate Management - Training
In this module, you learn about essential concepts for using encryption keys and digital certificates in Azure to help secure cloud workloads and ensure data sovereignty.
Certification
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.