Additional Microsoft Entra requirements for Azure Information Protection
Note
Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?
The Azure Information Protection add-in is retired and replaced with labels that are built in to your Microsoft 365 apps and services. Learn more about the support status of other Azure Information Protection components.
The Microsoft Purview Information Protection client (without the add-in) is generally available.
A Microsoft Entra directory is a requirement for using Azure Information protection. Use an account from a Microsoft Entra directory to sign in to the Microsoft Purview compliance portal or Microsoft Purview portal.
If you have a subscription that includes Microsoft Purview Information Protection or Azure Rights Management, your Microsoft Entra directory is automatically created for you if needed.
The following sections list additional AIP and Microsoft Entra requirements for specific scenarios.
Support for certificate-based authentication (CBA)
The information protection apps for iOS and Android support certificate-based authentication.
For more information, see Get started with certificate-based authentication in Microsoft Entra ID.
Multi-factor authentication (MFA) and Azure Information Protection
To use multi-factor authentication (MFA) with Azure Information Protection, you must have at least one of the following installed:
Microsoft-managed tenants, with Microsoft Entra ID or Microsoft 365. Configure Azure MFA to enforce MFA for users.
For more information, see:
Federated tenants, where federation servers operate on-premises. Configure your federation servers for Microsoft Entra ID or Microsoft 365. For example, if you are using AD FS, see Configure Additional Authentication Methods for AD FS.
Rights Management connector requirements
The Rights Management connector and the Microsoft Purview Information Protection scanner do not support MFA.
If you deploy the connector or scanner, the following accounts must not require MFA:
- The account that installs and configures the connector.
- The service principal account in Microsoft Entra ID, Aadrm_S-1-7-0, that the connector creates.
- The service account that runs the scanner.
User UPN values don't match their email addresses
Configurations where users' UPN values don't match their email addresses is not a recommended configuration, and does not support single-sign on for Azure Information Protection.
If you cannot change the UPN value, configure alternate IDs for the relevant users, and instruct them how to sign in to Office by using this alternate ID.
For more information, see:
- Configuring Alternate Login ID
- Office applications periodically prompt for credentials to SharePoint, OneDrive, and Lync Online.
Tip
If the domain name in the UPN value is a domain that is verified for your tenant, add the user's UPN value as another email address to the Microsoft Entra ID proxyAddresses attribute. This allows the user to be authorized for Azure Rights Management if their UPN value is specified at the time the usage rights are granted.
For more information, see Preparing users and groups for Azure Information Protection.
Authenticating on-premises using AD FS or another authentication provider
If you're using a mobile device or Mac computer that authenticates on-premises using AD FS, or an equivalent authentication provider, you must use AD FS on one of the following configurations:
- A minimum server version of Windows Server 2016
- An alternative authentication provider that supports the OAuth 2.0 protocol
Next steps
To check for other requirements, see Requirements for Azure Information Protection.