Azure RMS (AIP vs IRM)
Azure Right Management Service is basically cloud based version of Right Management Service which Microsoft first introduced in Office 2003. Using Azure RMS, you can protect your document and emails on different devices including tablets, phones and PCs. Azure RMS uses encryption to secure all the documents and emails, only user get access to these documents after authentication and authorization. Azure RMS helps organization to protect their corporate data even out of the organization’s boundaries.
Azure RMS use different techniques to protect your data, previously Azure RMS was using the IRM (Information Rights Management) technique but now IRM become a component of AIP (Azure Information Protection), AIP vs IRM are both based on Azure RMS, See the diagram below to understand the RMS concept:
I hope the above diagram will clear most of your question regarding Azure Rights Management Service.
AIP vs IRM
Now the second most confusing question which comes into the mind of the support person is where to use IRM and where AIP. Before answering this question, I just want to let you know in my opinion please do not use both techniques and applications in your production environment. If a document is already protected using the AIP component and you placed it on a SharePoint library that is using IRM, two policies will apply on that document which may conflict with each other.
Both types of technology, SharePoint IRM and Azure AIP encrypt the document so that unauthorized or accidental share of files do not result in a data breach.
However, SharePoint IRM does not restrict SharePoint capabilities like Document preview, Open in browser and SharePoint search and the document is encrypted the moment user downloads the file on a local machine.
With Azure AIP, using conditions like sensitive types, the document can get encrypted and protected and if such documents get uploaded in SharePoint. SharePoint online will not be able to access document contents within the file so search for file content is not possible, document previews and Open in browser for such files will not work.
Also, SharePoint IRM gets applied to the document library level, where Azure AIP or Office 365 encryption can work based on Smart rules and can identify “Keyword Match” or Sensitive information types like Financial OR PII data and auto label and also encrypt the files.
Common Usage Scenarios of AIP vs IRM
Scenarios | AIP | IRM |
|---|---|---|
Microsoft Office Document | Yes | Yes |
Non-Microsoft Office Document | Yes | No |
Protected File Types | .Txt .jpg .png .bmp .pdf .xps .xsn .dwfx .psd .dng .mpp .mpt .pub .tif .tiff .jif Microsoft Office Files | .xsn .xps Microsoft Office Files |
Document Tracking | Yes | No |
Propagation to user | 5 Mins | 2 Hours |
Supports Mobile | Yes | No |
Automation Actions | A lot | Very Less |
Revoke access on document | Yes | No |
Activation | Auto | Manual |
Labeling | Yes | No |
Automatic keyword labelling | Yes | No |
Classification | Yes | No |
Ways of Protection using AIP
Protecting Documents Using Microsoft AIP Labels
Four types of labels can be used to classify the nature of documents:
Name of Label | Level of Security Protection | Automate Protection upon Label Assignment | View | Edit (for Office documents) | Reply | Copy (for MS Office documents) | Save | |
|---|---|---|---|---|---|---|---|---|
Restricted Confidential | Highest | Owner access only | X | X | X | X | X | X |
Internal Public | Nil | Nil |
|
|
|
|
|
|
You can also create custom permissions in AIP i.e. Highest, High, Moderate, Lowest, Nil etc.
Protecting Email Message and Attachments
The “Do Not Forward” feature allows you to protect an email message which the recipients can view, edit, reply and save the email, but not copy, forward and print it.
NOTE: You can attach any files or confidential documents protected by AIP in your email. If you are attaching a Microsoft Office file without protection, the “Do Not Forward” restriction will automatically be applied to the attached file.
Key Steps of AIP implementation
To successfully implement AIP, Microsoft and Microsoft partners involved in Azure solutions’ implementation and management follow the four key phases of Microsoft Information Protection Lifecycle:
Template | View | Edit (for MS Office attachment without protection) | Reply | Copy (for MS Office documents without protection) | Forward (in email) | Save | |
|---|---|---|---|---|---|---|---|
Do Not Forward |
|
|
| X | X | X |
|
IRM predefined group | Description |
|---|---|
Do Not Forward | In Outlook, Do Not Forward to an email grants users on the To:, Cc:, and Bcc: lines the View, Edit, Reply, and Reply All rights. |
Protecting Files using IRM
Global admin can activate the cloud-based solution from admin center which permits the SharePoint site owner to apply permissions on different libraries and lists. Whenever someone uploads a document to a certain library the file will remain secure as per IRM rules.
IRM predefined group | Description |
|---|---|
Read | Users who have Read permission have View rights. |
Change | Users who have Change permission have rights to View, Edit, Extract, and Save. |
Required Licenses for AIP vs IRM
As we discussed earlier that IRM is component of AIP so you should only require license for AIP to use either AIP vs IRM. Information Rights Management is component of Azure Rights Management services which comes with Azure Information Protection. IRM also comes with Enterprise plan’s.
What happen if we don’t have EMS license?
Information Rights Management is component of Azure Rights Management services which comes with Azure Information Protection. IRM also comes with Enterprise plan’s.
You can get the AIP vs IRM licenses in a bundle or also standalone.
AIP License Requirement
- Azure Information protection Plan 1 - Price $2
- Azure Information protection Plan 2 - Price $5
AIP Bundle
- Basic Plan on all Office 365 E3 and above
- Azure Information protection Plan 1 - Microsoft Enterprise Mobility + Security E3, Microsoft 365 E3 and Microsoft 365 Business.
- Azure Information protection Plan 2 - Enterprise Mobility + Security E5 and Microsoft 365 E5.
AIP Plan 1 Vs AIP Plan 2
- You can find difference below between Free, basic, Azure Information Protection P1 and P2.
For more details on how to integrate these solutions effectively, you can check out our guide on integrating Microsoft Purview with Azure.
FEATURE | AZURE INFORMATION PROTECTION FOR OFFICE 365 | AZURE INFORMATION PROTECTION PREMIUM P1 | AZURE INFORMATION PROTECTION PREMIUM P2 |
|---|---|---|---|
Azure Information Protection content consumption by using work or school accounts from AIP policy-aware apps and services - AIP vs IRM | Available | Available | Available |
Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content | Available | Available | Available |
Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle | Available | Available | Available |
Custom templates, including departmental templates | Available | Available | Available |
Protection for on-premises Exchange and SharePoint content via Rights Management connector | Available | Available | Available |
Azure Information Protection content creation by using work or school accounts | Available | Available | Available |
Office 365 Message Encryption | Available | Available | Available |
Administrative control | Available | Available | Available |
Azure Information Protection software developer kit for protection for all platforms – Windows, Windows Mobile, iOS, Mac OSX, and Android | Not available | Available | Available |
Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection) | Not available | Available | Available |
Manual, default, and mandatory document classification | Not available | Available | Available |
Azure Information Protection scanner for content discovery of on-premises files matching any of the sensitive information types | Not available | Available | Available |
Azure Information Protection scanner to apply a label to all files in an on-premises file server or repository - AIP vs IRM | Not available | Available | Available |
Rights Management connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector | Not available | Available | Available |
Document tracking and revocation | Not available | Available | Available |
Microsoft Information Protection software developer kit (SDK) to apply labels and protection to emails and files for all platforms – Windows, iOS, Mac OSX, Android, and Linux | Not available | Available | Available |
Configure conditions for automatic and recommended classification | Not available | Not available | Available |
Set labels to automatically apply pre-configured S/MIME protection in Outlook | Not available | Not available | Available |
Control oversharing of information when using Outlook (warn, justify or block emails). | Not available | Not available | Available |
Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios | Not available | Not available | Available |
Azure Information Protection scanner for automated classification, labeling, and protection of supported on-premises files - AIP vs IRM | Not available | Not available |
Last Updated 5 months ago
