Azure Information Protection classic client for Windows
The Azure Information Protection classic client is the original downloadable client for organizations that use Azure Information Protection to classify and protect documents and emails, or use a Rights Management service to protect their data.
This client also has a viewer for organizations that don't have their own information protection infrastructure but want to consume content that has been protected by other organizations that use a Rights Management Service from Microsoft.
AIP labels managed in the Azure portal are not supported by the unified labeling platform, are limited to working with the Azure Information Protection client and scanner, and Microsoft Defender for Cloud Apps.
We recommend migrating to unified labeling and the built-in sensitivity labeling for Office apps to support these features, as well as SharePoint, Microsoft 365 apps, Outlook for the web and mobile devices, PowerBI data protection, and more. For more information, see MIP built-in labeling and the AIP add-in for Office apps.
Note
This documentation includes archived information that is relevant for the AIP classic client only.
Descriptions of the Rights Management Service and other services supported for both the classic and unified labeling client, are documented together with the Azure Information Protection documentation.
Supported features
The this section lists the features supported by the classic client, in parallel with the comparison section for the unified labeling client and built-in labeling solution in Learn about about built-in labeling and the AIP unified labeling client.
This section also provides a more detailed comparison of supported features between the classic and unified labeling clients.
Classic client features for Office applications
| Feature area | Supported by the classic client |
|---|---|
| User experience | - Multi-language support - Information Protection bar in Office apps |
| Enforcement | - Manual labeling - Mandatory labeling - PowerShell labeling cmdlets - Customizations, such as default labels for emails, pop-up messages in Outlook, S/MIME support, and a Report an Issue option Note: Customization settings are supported as advanced client settings that you configure in the Azure portal |
| Automation | - Default labeling - Label inheritance from email attachments |
| Encryption and protection | - Recommended or automatic labeling - User-defined permissions for a label: Do Not Forward for emails and custom permissions for Word, Excel, PowerPoint - Display the Do Not Forward button in Outlook - Custom permissions set independently from a label - Protection-only mode (no labels) - Support for AD RMS - Track and revoke protected documents: Admin docs / User docs |
| Logging and analytics | - Central reporting - Usage logging in Event Viewer |
| Visual markings | - Visual markings as a label action (header, footer, watermark) - Per-app visual markings - Dynamic visual markings with variables - Remove external content marking in apps |
| Identity | - HYOK support |
| Workload environment | - Support for Microsoft Office 97-2003 formats - Government Community Cloud - Offline support for protection actions - Manual policy file management for disconnected computers - Support for Remote Desktop services |
Classic client features for outside Office applications
The following features are supported by the classic client outside of Office applications:
- Scanner for on-premises data stores
- Label with File Explorer
- A viewer for protected files (text, image, PDF, .pfile)
- PPDF support for applying labels
Detailed comparisons for the AIP clients
When the Azure Information Protection classic client and the Azure Information Protection unified labeling client both support the same feature, use the following lists to help identify some functional differences between the two clients:
AIP client feature comparisons in Office applications
User experience features
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Remove applied label actions | User is prompted to confirm The default label or an automatic label (if configured) is not automatically applied next time the Office app opens the file |
User is not prompted to confirm The default label or an automatic label (if configured) is automatically applied next time the Office app opens the file |
| Label selection and display when applied in Office apps | From the Protect button on the ribbon From the Information Protection bar (horizontal bar under the ribbon) |
From the Sensitivity button on the ribbon From the Information Protection bar (horizontal bar under the ribbon) |
| Manage the Information Protection bar in Office apps | For users: Option to show or hide the bar from the Protect button on the ribbon When a user selects to hide the bar, by default, the bar is hidden in that app, but continues to automatically display in newly opened apps For admins: Policy settings to automatically show or hide the bar when an app first opens, and control whether the bar automatically remains hidden for newly opened apps after a user selects to hide the bar |
For users: Option to show or hide the bar from the Sensitivity button on the ribbon. When a user selects to hide the bar, the bar is hidden in that app and also in newly opened apps For admins: PowerShell setting to manage the bar |
| Label color | Configure in the Azure portal | Retained after label migration and configurable with PowerShell |
| Labels support different languages | Configure in the Azure portal | Configure by using Office 365 Security & Compliance PowerShell |
| Justification prompts (if configured) per action in Office | - Frequency: Per file - Lowering the sensitivity level - Removing a label - Removing protection |
- Frequency: Per session - Lowering the sensitivity level - Removing a label |
Enforcement features
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Setup | Option to install local demo policy | No local demo policy |
| Policy update | - When an Office app opens - When you right-click to classify and protect a file or folder - When you run the PowerShell cmdlets for labeling and protection - Every 24 hours - For the scanner: Every hour and when the service starts and the policy is older than one hour |
- When an Office app opens - When you right-click to classify and protect a file or folder - When you run the PowerShell cmdlets for labeling and protection - Every 4 hours - For the scanner: Every 4 hours |
| Order support for sublabels on attachments | Enabled with an advanced client setting | Enabled by default, no configuration required |
Automation features
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Automatic and recommended labels | Configured as label conditions in the Azure portal with built-in information types and custom conditions that use phrases or regular expressions Configuration options include: - Unique / Not unique count - Minimum count |
Configured in the Microsoft 365 compliance center with built-in sensitive information types and custom information types Configuration options include: - Unique count only - Minimum and maximum count - AND and OR support with information types - Keyword dictionary - Customizable confidence level and character proximity |
| Change the default protection behavior for file types | Use registry edits to override the defaults of native and generic protection | Use PowerShell to change which file types get protected |
AIP client feature comparisons outside of Office applications
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Supported formats for PDF | Protection: - ISO standard for PDF encryption (default) - .ppdf Consumption: - ISO standard for PDF encryption - .ppdf - SharePoint IRM protection |
Protection: - ISO standard for PDF encryption Consumption: - ISO standard for PDF encryption - .ppdf - SharePoint IRM protection |
| Generically protected files (.pfile) opened with the viewer | File opens in the original app where it can then be viewed, modified, and saved without protection | File opens in the original app where it can then be viewed and modified, but not saved |
| Supported cmdlets | - Cmdlets for labeling - Cmdlets for protection-only |
Cmdlets for labeling: Set-AIPFileClassification and Set-AIPFileLabel don't support the Owner parameter In addition, there is a single comment of "No label to apply" for all scenarios where a label isn't applied Set-AIPFileClassification supports the WhatIf parameter, so it can be run in discovery mode Set-AIPFileLabel doesn't support the EnableTracking parameter Get-AIPFileStatus doesn't return label information from other tenants and doesn't display the RMSIssuedTime parameter In addition, the LabelingMethod parameter for Get-AIPFileStatus displays Privileged or Standard, instead of Manual or Automatic. |
| Automatic rescans | Full rescans are automatically run every time the scanner detects a change in policy or labeling settings | Starting in version 2.8.85.0, administrators can choose to skip a full rescan after making changes to policy or content scan job settings. |
Identify the client you have installed
If you are a user who wants to understand whether you have the classic or the unified labeling client installed, you can do one of the following:
In your Office apps, check for the Sensitivity or Protect toolbar button. The unified labeling client shows the Sensitivity
button, while the classic client shows the Protect button.Check the version number for the Azure Information Protection application you have installed.
- Versions 1.x indicate that you have the classic client. Example: 1.54.59.0
- Versions 2.x indicate that you have the unified labeling client. Example: 2.8.85.0
For example, in the Windows Settings > Apps and features area, scroll down to the Microsoft Azure Information Protection application, and check the version number.
Next steps
For more information, see: