Compliance and supporting information for Azure Information Protection
Note
Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?
The Azure Information Protection add-in is retired and replaced with labels that are built in to your Microsoft 365 apps and services. Learn more about the support status of other Azure Information Protection components.
The Microsoft Purview Information Protection client (without the add-in) is generally available.
Azure Information Protection supports other services and also relies on other services. If you’re looking for information that is related to Azure Information Protection but not about how to use the Azure Information Protection service, check the following resources:
Suitability for different countries
Given the variability between laws and regulations in different countries, different use cases and scenarios, and the varying requirements between different business sectors, you will need to consult your legal adviser to help you answer whether Azure Information Protection is suitable for your country.
However, the following information can help your legal adviser make a determination:
Azure Information Protection uses AES 256 and AES 128 to encrypt documents. More information
All encryption keys used by Azure Information Protection are protected with a customer-specific root key that uses RSA 2048 bits. RSA 1024 bits is also supported for backwards compatibility. More information
Customer-specific root keys are either managed by Microsoft or provisioned by the customer in an nCipher HSM by using "bring your own key" (BYOK). Azure Information Protection also supports features for on-premises protection, for content that cannot be protected with a cloud-based key. For more information, see Planning and implementing your Azure Information Protection tenant key.
The Azure Information Protection service is hosted in regional data centers across the globe. Azure Information Protection keys always remain within the region in which they are originally deployed.
Azure Information Protection does not transmit document contents from clients to the Azure Information Protection service. Content encryption and decryption operations are performed in place on the client device. Or, for service-based rendering, these operations are performed within the service that’s rendering the content. More information
Legal and privacy
For Microsoft Azure agreement information: Microsoft Azure Agreement
For Microsoft Azure privacy information: Microsoft Azure Privacy Statement
Security, compliance, and auditing
See the Security, compliance, and regulatory requirements section in the What is Azure RMS? article for information about specific certifications for the Azure Rights Management service. In addition:
For external certifications for Azure Information Protection: Microsoft Azure Trust Center
For FIPS 140 information: FIPS 140 Validation
For in-depth technical information about how the protection technology works, see How does Azure RMS work?
Service level agreements
Documentation
Microsoft Entra documentation: Microsoft Entra ID
Microsoft 365 documentation: Microsoft 365 for enterprise documentation and resources