AIP Label Policies

Shim Kwan 281 Reputation points


So AIP ships with a default 'Global' Policy.

What is the recommended best practice around AIP Policies?

  • Do we leave at 'Global' Policy as is out of the box?
  • Do we clean up the 'Global' Policy to do nothing? and create new AIP Policies?
  • Do we clean up the 'Global' Policy and perhaps leave just the 'General' label to tag every document?
  • What are some of the scenarios why we might land up with multiple AIP Policies? Why might someone land up with multiple AIP Policies

Look forward to hearing some recommendations and experiences.

Thank you,


Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
525 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 35,806 Reputation points Microsoft Employee

    Hi @Shim Kwan ,

    As you correctly mentioned, by default, Azure Information Protection comes with a Global policy that is applied to all users in the tenant. You can edit this policy, but you can't delete it. You can also create new policies and configure them however you would like, but the Global policy will always be there.

    We don't have a specific best practices guide around the Global policy, but we do have a deployment guide with best practices for business decision makers and IT implementers. The specific edits you might want to make will depend on your individual compliance standards. For example, you might decide that you want to add a "Top Secret" label to the Global policy. Then you can create a protected document labeled "Top Secret" and assign access rights to document viewers. Custom configuration options are listed here.

    There are many scenarios where a user may want to have multiple AIP policies. For example, you might want to create a policy that states that "All documents and emails must have a label" and apply this policy only to Office documents and not to Outlook messages, but you may still want to have a separate policy that applies labels to emails with attachments.

    With unified labeling a single label can be associated with multiple policies. This means that publication policies for each user set includes all of the relevant labels required rather than having to be constructed by adding labels to global and scoped policies.

    Let me know if this helps answer your question.


    If this answer helps resolve your question, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

    0 comments No comments