Real-time synchronization between external permission and AIP policies/labels
Hello,
I am currently working on incorporating DRM capabilities into our document management platform, and part of this effort is to assess the feasibility of integrating an AIP/MIP solution to provide protection for the files stored on our premises.
To provide some context, we want to dynamically control who can access the protected documents and also restrict the permissions they have (e.g. read only, no print).
If my findings are correct, this can be partially achieved by using the MIP SDK (reference https://learn.microsoft.com/en-us/information-protection/develop/) but I still have some open questions.
I am wondering if there is any API that we can use to achieve real-time synchronisation between the permissions users have on our side and the policies/labels on the Azure side. For example, when a user is removed from our data room we want to immediately revoke access at the Azure RMS level so that they no longer have access to files that were previously protected with AIP. However, access should be preserved for users who are still active in our data room. Also, if edit or print permission is revoked for a particular user on our premises, we need to make sure that this change will be reflected on the Azure side also.
- Will it be possible to have dynamic policies/labels on the Azure side that we can easily update when needed (through an API call maybe) to restrict access for specific users?
- Or is there any mechanism that could potentially allow us to integrate with Azure RMS so that when a user attempts to open an AIP-protected document, Azure RMS will call our service to retrieve the updated permissions they have on that particular file?
Thank you,
Sergiu Craciun