This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated for GCC, GCC-H, and DoD customers as of September 31, 2021.
The classic client will be officially retired, and will stop functioning, on March 31, 2022.
All current Azure Information Protection classic client customers must migrate to the Microsoft Purview Information Protection unified labeling platform and upgrade to the unified labeling client. Learn more in our migration blog.
Azure Information Protection unified labeling is available for GCC, GCC High, and DoD customers.
The Azure Information Protection Premium Government Service Description is designed to serve as an overview of our offering in the GCC High and DoD environments, and will cover feature variations compared to Azure Information Protection Premium commercial offerings.
Some Azure Information Protection Premium services provide the ability to work seamlessly with third-party applications and services.
These third-party applications and services may involve storing, transmitting, and processing your organization's customer content on third-party systems that are outside of the Azure Information Protection Premium infrastructure, and therefore not covered by our compliance and data protection commitments.
Make sure you review the privacy and compliance statements provided by the third parties when assessing the appropriate use of these services for your organization.
For infomration about known existing gaps between Azure Information Protection Premium GCC High/DoD and the commercial offering, see the Cloud feature availability for US Government customers for Azure Information Protection.
The following configuration details are relevant for all Azure Information Protection solutions for GCC High and DoD customers, including unified labeling solutions.
Important
As of the July 2020 update, all new GCC High customers of the Azure Information Protection unified labeling solution, can make use of both General menu and Scanner menu features only.
For the encryption to work correctly, the Rights Management Service must be enabled for the tenant.
Install-Module aadrm if the AADRM module is not installedConnect-aadrmservice -environmentname azureusgovernment(Get-AadrmConfiguration).FunctionalState and check if the state is EnabledDisabled, run Enable-AadrmFor encryption to work correctly, Office client applications must connect to the GCC, GCC High/DoD instance of the service and bootstrap from there. To redirect client applications to the right service instance, the tenant admin must configure a DNS SRV record with information about the Azure RMS URL. Without the DNS SRV record, the client application will attempt connect to the public cloud instance by default, and fail.
Also, the assumption is that users will log in with the username based off the tenant-owned-domain (for example: joe@contoso.us), and not the onmicrosoft username (for example: joe@contoso.onmicrosoft.us). The domain name from the username is used for DNS redirection to the right service instance.
Install-Module aadrmConnect-aadrmservice -environmentname azureusgovernment(Get-aadrmconfiguration).RightsManagementServiceId to get the Rights Management Service ID_rmsredir_http_tcp[GUID].rms.aadrm.us (where GUID is the Rights Management Service ID)80_rmsdisco_http_tcpapi.aadrm.us80GCC High and DoD customers need to migrate all existing labels using PowerShell. Traditional AIP migration methods are not applicable for GCC High and DoD customers.
Use the New-Label cmdlet to migrate your existing sensitivity labels. Make sure to follow the instructions for connecting and running the cmdlet using Security & Compliance Center before getting started with your migration.
Migration example when an existing sensitivity label has encryption:
New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId 'a32027d7-ea77-4ba8-b2a9-7101a4e44d89' -EncryptionAipTemplateScopes "['allcompany@labelaction.onmicrosoft.com','admin@labelaction.onmicrosoft.com']"
When working with the Azure Information Protection client, you must configure one of the following registry keys to point your AIP apps on Windows to the correct sovereign cloud. Make sure to use the correct values for your setup.
Relevant for: The AIP unified labeling client only
| Registry Node | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP |
|---|---|
| Name | CloudEnvType |
| Value | 0 = Commercial (default) 1 = GCC 2 = GCC High 3 = DoD |
| Type | REG_DWORD |
Note
Relevant for: The AIP classic client only
| Registry Node | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP |
|---|---|
| Name | WebServiceUrl |
| Value | https://api.informationprotection.azure.us |
| Type | REG_SZ (String) |
If you have a firewall or similar intervening network devices that are configured to allow specific connections, use the following settings to ensure smooth communication for Azure Information Protection.
TLS client-to-service connection: Do not terminate the TLS client-to-service connection to the rms.aadrm.us URL (for example, to perform packet-level inspection).
You can use the following PowerShell commands to help you determine whether your client connection is terminated before it reaches the Azure Rights Management service:
$request = [System.Net.HttpWebRequest]::Create("https://admin.aadrm.us/admin/admin.svc")
$request.GetResponse()
$request.ServicePoint.Certificate.Issuer
The result should show that the issuing CA is from a Microsoft CA, for example: CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US. If you see an issuing CA name that is not from Microsoft, it is likely that your secure client-to-service connection is being terminated and needs to be reconfigured on your firewall.
Downloading labels and label policies (AIP classic client only): To enable the Azure Information Protection classic client to download labels and label policies, allow the URL api.informationprotection.azure.us over HTTPS.
For more information, see:
Make sure to allow access to all ports for the following Service Tags:
Training
Certification
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.
Documentation
Extend sensitivity labeling on Windows
Extend sensitivity labels to more file types on Windows, using the Microsoft Purview Information Protection client.
Apply encryption using sensitivity labels
Configure sensitivity labels for encryption that protects your data by restricting access and usage.
Get started with sensitivity labels
Prescriptive steps for admins, licensing requirements, and common scenarios that use sensitivity labels to help protect your organization's data.