![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
515 questions
Hello,
Yes, as a preview offering, you can now configure Azure AD conditional access for Azure Information Protection.
When a user opens a document that is protected by Azure Information Protection, administrators can now block or grant access to users in their tenant, based on the standard conditional access controls. Requiring multi-factor authentication (MFA) is one of the most commonly requested conditions. Another one is that devices must be compliant with your Intune policies so that for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.
For more information and some walk-through examples, see the following blog post: Conditional Access policies for Azure Information Protection.
Additional information:
For Windows computers: For the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days.
You might want to fine-tune how often your conditional access policies get evaluated. You can do this by configuring the token lifetime. For more information, see Configurable token lifetimes in Azure Active Directory.
We recommend that you do not add administrator accounts to your conditional access policies because these accounts will not be able to access the Azure Information Protection blade in the Azure portal.
If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Azure AD B2B collaboration and create guest accounts for the users you want to share with in the other organization.
With the Azure AD December 2018 preview release, you can now prompt users to accept a terms of use before they open a protected document for the first time. For more information, see the following blog post announcement: Updates to Azure AD Terms of Use functionality within conditional access
If you use many cloud apps for conditional access, you might not see Microsoft Azure Information Protection displayed in the list to select. In this case, use the search box at the top of the list. Start typing "Microsoft Azure Information Protection" to filter the available apps. Providing you have a supported subscription, you'll then see Microsoft Azure Information Protection to select.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)