If you have firewalls or similar intervening network devices that are configured to allow specific connections, the network connectivity requirements are listed in this Office article: Microsoft 365 Common and Office Online.
Azure Information Protection has the following additional requirements:
Microsoft Purview Information Protection client. To download labels and label policies, allow the following URL over HTTPS: *.protection.outlook.com
Web proxies. If you use a web proxy that requires authentication, you must configure the proxy to use integrated Windows authentication with the user's Active Directory sign-in credentials.
To support Proxy.pac files when using a proxy to acquire a token, add the following new registry key:
TLS client-to-service connections. Don't terminate any TLS client-to-service connections to the aadrm.com URL, for example to perform packet-level inspection. Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.
To determine whether your client connection is terminated before it reaches the Azure Rights Management service, use the following PowerShell commands:
The result should show that the issuing CA is from a Microsoft CA, for example: CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
If you see an issuing CA name that isn't from Microsoft, it's likely that your secure client-to-service connection is being terminated and needs reconfiguration on your firewall.
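The following is an added example of this check and is not the PowerShell from the original page. It opens a TLS 1.2 connection to the Azure Rights Management service from the client machine, captures the certificate the other end presents, and reports its issuer. The host name admin.na.aadrm.com is an assumption (the service also uses region-specific names under aadrm.com); substitute the one your tenant uses.

```powershell
# Added example (not the commands from the original page): detect TLS termination on the
# path to the Azure Rights Management service by inspecting the presented certificate.
# The host name below is an assumption; use the aadrm.com name your tenant connects to.
$ServiceHost = "admin.na.aadrm.com"

$tcp = New-Object System.Net.Sockets.TcpClient($ServiceHost, 443)

# Validation callback that only records the certificate. It returns $true so the
# handshake completes and the chain can be inspected; that is not a trust decision.
$script:serverCert = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    return $true
}

$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # TLS 1.2 is the minimum the unified labeling client uses, so test with exactly that.
    $ssl.AuthenticateAsClient($ServiceHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    "Negotiated protocol : $($ssl.SslProtocol)"
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

"Certificate subject : $($serverCert.Subject)"
"Certificate issuer  : $($serverCert.Issuer)"

# Microsoft-managed CAs carry O=Microsoft Corporation in the issuer name.
if ($serverCert.Issuer -match 'O=Microsoft Corporation') {
    "OK: issued by a Microsoft CA; the TLS connection reaches the service unmodified."
} else {
    "WARNING: issuer is not a Microsoft CA. A proxy or firewall is probably terminating TLS," +
    " which breaks the RMS client's certificate pinning. Reconfigure it to pass aadrm.com through."
}
```

Run this from a machine on the same network path as the affected clients, because an inspection proxy that is bypassed for administrator workstations will not show up from there.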
TLS version 1.2 or higher (unified labeling client only). The unified labeling client requires a TLS version of 1.2 or higher to ensure the use of cryptographically secure protocols and align with Microsoft security guidelines.
Microsoft 365 Enhanced Configuration Service (ECS). AIP must have access to the config.edge.skype.com URL, which hosts the Microsoft 365 Enhanced Configuration Service (ECS).
ECS provides Microsoft the ability to reconfigure AIP installations without the need for you to redeploy AIP. It’s used to control the gradual rollout of features or updates, while the impact of the rollout is monitored from diagnostic data being collected.
ECS is also used to mitigate security or performance issues with a feature or update. ECS also supports configuration changes related to diagnostic data, to help ensure that the appropriate events are being collected.
Limiting the config.edge.skype.com URL may affect Microsoft’s ability to mitigate errors and may affect your ability to test preview features.
Using AD RMS and Azure RMS side by side, in the same organization, to protect content by the same user in the same organization, is only supported in AD RMS for HYOK (hold your own key) protection with Azure Information Protection.
This scenario is not supported during migration.
Supported migration paths include:
For other, non-migration scenarios, where both services are active in the same organization, both services must be configured so that only one of them allows any given user to protect content. Configure such scenarios as follows:
If both services must be active for different users at the same time, use service-side configurations to enforce exclusivity. Use the Azure RMS onboarding controls in the cloud service, and an ACL on the Publish URL to set Read-Only mode for AD RMS.
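As an added example of the Azure RMS side of that exclusivity (not configuration from the original page), the following uses the AIPService PowerShell module's onboarding control policy so that only members of one Microsoft Entra security group can protect content with Azure RMS, while everyone else keeps using AD RMS. The group object ID is a placeholder, and the complementary read-only ACL on the AD RMS publish URL is configured on the AD RMS server, not here.

```powershell
# Added example, not from the original page. Restricts Azure RMS protection to one
# security group with the AIPService module's onboarding controls. The object ID below
# is a placeholder; replace it with the ID of the group that may use Azure RMS.
Connect-AipService

$AzureRmsUsersGroupId = "00000000-0000-0000-0000-000000000000"

# -UseRmsUserLicense $false: licensing alone does not grant the right to protect.
# -SecurityGroupObjectId: only members of this group can protect content with Azure RMS;
#   all other users can still open content that is protected for them.
# -Scope All: apply to both Office and the Windows apps (rms-sharing / AIP client).
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $false `
    -SecurityGroupObjectId $AzureRmsUsersGroupId -Scope All -Force

# Confirm what is now in force before pointing any users at the service.
Get-AipServiceOnboardingControlPolicy
```

Users who must stay on AD RMS are then simply left out of that group; the AD RMS read-only ACL closes the other direction, so no user ends up able to protect with both services.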
Service Tags
If you're using an Azure endpoint and an NSG, make sure to allow access to all ports for the following Service Tags:
AzureInformationProtection
AzureActiveDirectory
AzureFrontDoor.Frontend
Additionally, in this case, the Azure Information Protection service also depends on the following IP addresses and port:
13.107.9.198
13.107.6.198
2620:1ec:4::198
2620:1ec:a92::198
13.107.6.181
13.107.9.181
Port 443, for HTTPS traffic
Make sure to create rules that allow outbound access to these specific IP addresses, and via this port.
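The following is an added example (not configuration from the original page) that creates the outbound NSG rules this section describes with the Az PowerShell module: all ports to the three service tags, and TCP 443 to the listed IP addresses. The resource group, NSG name and rule priorities are assumptions. IPv4 and IPv6 destinations are placed in separate rules because a single NSG rule cannot mix the two address families, and each service tag gets its own rule because a rule accepts only one service tag as a prefix.

```powershell
# Added example, not from the original page. Outbound NSG rules for AIP clients behind an
# Azure endpoint. Resource group, NSG name and priorities are assumptions; adjust them.
$ResourceGroup = "rg-aip"
$NsgName       = "nsg-aip-clients"

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# One rule per service tag, all ports and protocols, as the section requires.
$priority = 200
foreach ($tag in "AzureInformationProtection", "AzureActiveDirectory", "AzureFrontDoor.Frontend") {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-Out-$tag" `
        -Description "AIP: allow all ports to service tag $tag" `
        -Access Allow -Protocol * -Direction Outbound -Priority $priority `
        -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix $tag -DestinationPortRange * | Out-Null
    $priority += 10
}

# The specific addresses from the section, HTTPS only. IPv4 and IPv6 in separate rules.
$ipv4 = "13.107.9.198", "13.107.6.198", "13.107.6.181", "13.107.9.181"
$ipv6 = "2620:1ec:4::198", "2620:1ec:a92::198"

$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-Out-AIP-IPv4-443" `
    -Description "AIP: HTTPS to listed IPv4 addresses" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 300 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $ipv4 -DestinationPortRange 443 | Out-Null

$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-Out-AIP-IPv6-443" `
    -Description "AIP: HTTPS to listed IPv6 addresses" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 310 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $ipv6 -DestinationPortRange 443 | Out-Null

# Commit the changes to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Review the outbound rule set so the allow list can be checked against this section.
$nsg.SecurityRules | Where-Object Direction -eq "Outbound" |
    Select-Object Name, Priority, Protocol, DestinationAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Keep these allow rules at a higher priority (lower number) than any outbound deny rule in the same NSG, otherwise the deny wins and label download and protection silently fail.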
Supported on-premises servers for Azure Rights Management data protection
The following on-premises servers are supported with Azure Information Protection when you use the Microsoft Rights Management connector.
This connector acts as a communications interface, and relays between on-premises servers and the Azure Rights Management service, which is used by Azure Information Protection to protect Office documents and emails.
To use this connector, you must configure directory synchronization between your Active Directory forests and Microsoft Entra ID.
Supported servers include:
Server type | Supported versions
--- | ---
Exchange Server | Exchange Server 2019, Exchange Server 2016, Exchange Server 2013
Office SharePoint Server | Office SharePoint Server 2019, Office SharePoint Server 2016, Office SharePoint Server 2013
File servers that run Windows Server and use File Classification Infrastructure (FCI) | Windows Server 2016, Windows Server 2012 R2, Windows Server 2012