AIP deployment roadmap for classification, labeling, and protection


Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?

The Azure Information Protection add-in for Office is now in maintenance mode and will be retired April 2024. Instead, we recommend you use labels that are built in to your Office 365 apps and services. Learn more about the support status of other Azure Information Protection components.

Use the following steps as recommendations to help you prepare for, implement, and manage Azure Information Protection for your organization, when you want to classify, label, and protect your data.

This roadmap is recommended for any customers with a supporting subscription. Additional capabilities include both discovering sensitive information and labeling documents and emails for classification.

Labels can also apply protection, simplifying this step for your users.

Deployment process

Perform the following steps:

  1. Confirm your subscription and assign user licenses
  2. Prepare your tenant to use Azure Information Protection
  3. Configure and deploy classification and labeling
  4. Prepare for data protection
  5. Configure labels and settings, applications, and services for data protection
  6. Use and monitor your data protection solutions
  7. Administer the protection service for your tenant account as needed


Already using the protection functionality from Azure Information Protection? You can skip many of these steps and focus on steps 3 and 5.1.

Confirm your subscription and assign user licenses

Confirm that your organization has a subscription that includes the functionality and features you expect. For more information, see the Microsoft 365 licensing guidance for security & compliance page.

Then, assign licenses from this subscription to each user in your organization who will classify, label, and protect documents and emails.


Do not manually assign user licenses from the free RMS for individuals subscription, and do not use this license to administer the Azure Rights Management service for your organization.

These licenses display as Rights Management Adhoc in the Microsoft 365 admin center, and RIGHTSMANAGEMENT_ADHOC when you run the Azure AD PowerShell cmdlet, Get-MsolAccountSku.

For more information, see RMS for individuals and Azure Information Protection.

Prepare your tenant to use Azure Information Protection

Before you begin using Azure Information Protection, make sure that you have user accounts and groups in Microsoft 365 or Azure Active Directory that AIP can use to authenticate and authorize your users.

If necessary, create these accounts and groups, or synchronize them from your on-premises directory.

For more information, see Preparing users and groups for Azure Information Protection.

Configure and deploy classification and labeling

Perform the following steps:

  1. Scan your files (optional but recommended)

    Deploy the Azure Information Protection client, and then install and run the scanner to discover the sensitive information you have on your local data stores.

    The information that the scanner finds can help you with your classification taxonomy, provide valuable information about what labels you need, and which files need protecting.

    The scanner discovery mode doesn't require any label configuration or taxonomy, and is therefore suitable at this early stage of your deployment. You can also use this scanner configuration in parallel with the following deployment steps, until you configure recommended or automatic labeling.

  2. Customize the default AIP policy.

    If you don't have a classification strategy yet, use a default policy as a basis for determining which labels you'll need for your data. Customize these labels as needed to meet your needs.

    For example, you may want to reconfigure your labels with the following details:

    • Make sure that your labels support your classification decisions.
    • Configure policies for manual labeling by users
    • Write user guidance to help explain which label should be applied in each scenario.
    • If your default policy was created with labels that automatically apply protection, you may want to temporarily remove the protection settings or disable the label while you test your settings.

    Sensitivity labels and labeling policies for the unified labeling client are configured in the Microsoft Purview compliance portal. For more information, see Learn about sensitivity labels.

  3. Deploy your client for your users

    Once you have a policy configured, deploy the Azure Information Protection client for your users. Provide user training and specific instructions when to select the labels.

    For more information, see the unified labeling client administrator guide.

  4. Introduce more advanced configurations

    Wait for your users to become more comfortable with labels on their documents and emails. When you're ready, introduce advanced configurations, such as:

    • Applying default labels
    • Prompting users for justification if they chose a label with a lower classification level or remove a label
    • Mandating that all documents and emails have a label
    • Customizing headers, footers, or watermarks
    • Recommended and automatic labeling

    For more information, see Admin Guide: Custom configurations.


    If you've configured labels for automatic labeling, run the Azure Information Protection scanner again on your local data stores in discovery mode and to match your policy.

    Running the scanner in discovery mode tells you which labels would be applied to files, which helps you fine-tune your label configuration and prepares you for classifying and protecting files in bulk.

Prepare for data protection

Introduce data protection for your most sensitive data once users become comfortable labeling documents and emails.

Perform the following steps to prepare for data protection:

  1. Determine how you want to manage your tenant key.

    Decide whether you want Microsoft to manage your tenant key (the default), or generate and manage your tenant key yourself (known as bring your own key, or BYOK).

    For more information and options for additional, on-premises protection, see Planning and implementing your Azure Information Protection tenant key.

  2. Install PowerShell for AIP.

    Install the PowerShell module for AIPService on at least one computer that has internet access. You can do this step now, or later.

    For more information, see Installing the AIPService PowerShell module.

  3. AD RMS only: Migrate your keys, templates, and URLs to the cloud.

    If you are currently using AD RMS, perform a migration to move the keys, templates, and URLs to the cloud.

    For more information, see Migrating from AD RMS to Information Protection.

  4. Activate protection.

    Make sure that the protection service is activated so that you can begin to protect documents and emails. If you're deploying in multiple phases, configure user onboarding controls to restrict users' ability to apply protection.

    For more information, see Activating the protection service from Azure Information Protection.

  5. Consider usage logging (optional).

    Consider logging usage to monitor how your organization is using the protection service. You can do this step now, or later.

    For more information, see Logging and analyzing the protection usage from Azure Information Protection.

Configure labels and settings, applications, and services for data protection

Perform the following steps:

  1. Update your labels to apply protection

    For more information, see Restrict access to content by using encryption in sensitivity labels.


    Users can apply labels in Outlook that apply Rights Management protection even if Exchange is not configured for information rights management (IRM).

    However, until Exchange is configured for IRM or Microsoft 365 Message Encryption with new capabilities, your organization will not get the full functionality of using Azure Rights Management protection with Exchange. This additional configuration is included in the following list (2 for Exchange Online, and 5 for Exchange on-premises).

  2. Configure Office applications and services

    Configure Office applications and services for the information rights management (IRM) features in Microsoft SharePoint or Exchange Online.

    For more information, see Configuring applications for Azure Rights Management.

  3. Configure the super user feature for data recovery

    If you have existing IT services that need to inspect files that Azure Information Protection will protect—such as data leak prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products—configure the service accounts to be super users for Azure Rights Management.

    For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

  4. Classify and protect existing files in bulk

    For your on-premises data stores, now run the Azure Information Protection scanner in enforcement mode so that files are automatically labeled.

    For files on PCs, use PowerShell cmdlets to classify and protect files. For more information, see Using PowerShell with the Azure Information Protection unified labeling client.

    For cloud-based data stores, use Microsoft Defender for Cloud Apps.


    While classifying and protecting existing files in bulk is not one of the main use cases for Defender for Cloud Apps, documented workarounds can help you get your files classified and protected.

  5. Deploy the connector for IRM-protected libraries on SharePoint Server, and IRM-protected emails for Exchange on-premises

    If you have SharePoint and Exchange on-premises and want to use their information rights management (IRM) features, install and configure the Rights Management connector.

    For more information, see Deploying the Microsoft Rights Management connector.

Use and monitor your data protection solutions

You're now ready to monitor how your organization is using the labels that you've configured and confirm that you're protecting sensitive information.

For more information, see the following pages:

Administer the protection service for your tenant account as needed

As you begin to use the protection service, you might find PowerShell useful to help script or automate administrative changes. PowerShell might also be needed for some of the advanced configurations.

For more information, see Administering protection from Azure Information Protection by using PowerShell.

Next steps

As you deploy Azure Information Protection, you might find it helpful to check the frequently asked questions, known issues, and the information and support page for additional resources.