Is Azure Information Protection plan 1 enough and could you mix plan 1 and 2?

Leo Johnson 151 Reputation points

Hi all,

We are looking to implement Azure Information Protection.
But I need a second opinion!

Our MSP told us we only need to have Azure Information Protection Plan 1 and train our users.
But we are a healthcare organization and have very sensitive data.

Even if you train your using extensively, would you take the risk they could select, by accident, a wrong label?

So our first question:

Do we need to upgrade to Azure Information Protection plan 2 so we could use automatic labeling?
Or is our MSP right, and Azure Information Protection plan 1 enough and it's only important to train your users?

Second question:

Is it possible to mix the the Azure Information Protection plans, so we could use AIP plan 1 for 90 percent of our users and AIP plan 2 for the 10 percent users which are using very sensitive data?

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
470 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,609 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
3,706 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 29,856 Reputation points Microsoft Employee

    Hi @Leo Johnson ,

    You have highlighted the risks and benefits well. The full plan comparison is listed on the pricing page.


    You can assign licenses per user so you can have mixed licenses. However, if you wanted to keep users in the same repository, using the AIP scanner in "discover" mode would require just the P1 license, but using the AIP scanner to apply classification, labeling, or protection would require the P2 license.

    From the pricing page FAQ:

    How would licensing requirements work in this example scenario: A company has 50,000 users with 25,000 on Azure Information Protection P1 (and/or EMS E3) and 25,000 on Azure Information Protection P2 (and/or EMS E5) licenses. They want to leverage the Azure Information Protection scanner but have one repository for all users. Which license(s) are required?

    An Azure Information Protection license is required for all internal users who have created content that resides in scanned file repositories. As is standard with Azure Information Protection licensing, additional licensing is not required for external users who are accessing protected files or for users who previously protected files but are no longer users in the tenant, such as users who have left your organization.

    In the example above, to use the Azure Information Protection scanner in “discover” mode would not require any additional licensing, as all users are licensed with at least Azure Information Protection P1. Using the scanner to apply classification, labeling and/or protection would require that all 50,000 internal users have an Azure Information Protection P2 licenses.

    1: [3]:

    0 comments No comments