fbpx
March 5, 2021
  • Home
  • /
  • Blog
  • /
  • Difference Between Azure Information Protection (AIP) and Information Rights Management (IRM)?

Difference Between Azure Information Protection (AIP) and Information Rights Management (IRM)?

Azure RMS (AIP vs IRM)

Azure Right Management Service is basically cloud based version of Right Management Service which Microsoft first introduced in Office 2003. Using Azure RMS, you can protect your document and emails on different devices including tablets, phones and PCs. Azure RMS uses encryption to secure all the documents and emails, only user get access to these documents after authentication and authorization. Azure RMS helps organization to protect their corporate data even out of the organization’s boundaries. 

Azure RMS use different techniques to protect your data, previously Azure RMS was using the IRM (Information Rights Management) technique but now IRM become a component of AIP (Azure Information Protection), AIP vs IRM are both based on Azure RMS, See the diagram below to understand the RMS concept:

Azure-RMS-Architecture

I hope the above diagram will clear most of your question regarding Azure Rights Management Service.


AIP vs IRM

Now the second most confusing question which comes into the mind of the support person is where to use IRM and where AIP. Before answering this question, I just want to let you know in my opinion please do not use both techniques and applications in your production environment. If a document is already protected using the AIP component and you placed it on a SharePoint library that is using IRM, two policies will apply on that document which may conflict with each other.

Both types of technology, SharePoint IRM and Azure AIP encrypt the document so that unauthorized or accidental share of files do not result in a data breach.

However, SharePoint IRM does not restrict SharePoint capabilities like Document preview, Open in browser and SharePoint search and the document is encrypted the moment user downloads the file on a local machine.

With Azure AIP, using conditions like sensitive types, the document can get encrypted and protected and if such documents get uploaded in SharePoint. SharePoint online will not be able to access document contents within the file so search for file content is not possible, document previews and Open in browser for such files will not work.

Also, SharePoint IRM gets applied to the document library level, where Azure AIP or Office 365 encryption can work based on Smart rules and can identify “Keyword Match” or Sensitive information types like Financial OR PII data and auto label and also encrypt the files.


Common Usage Scenarios of AIP vs IRM

Scenarios

AIP

IRM

Microsoft Office Document

Yes

Yes

Non-Microsoft Office Document

Yes

No

Protected File Types

.Txt .jpg .png .bmp .pdf .xps .xsn .dwfx .psd .dng .mpp .mpt .pub .tif .tiff .jif

 Microsoft Office Files

.xsn .xps

 Microsoft Office Files

Document Tracking

Yes

No

Propagation to user

5 Mins

2 Hours

Supports Mobile

Yes

No

Automation Actions

A lot

Very Less

Revoke access on document

Yes

No

Activation

Auto

Manual

Labeling

Yes

No

Automatic keyword labelling

Yes

No

Classification

Yes

No


Ways of Protection using AIP


Protecting Documents Using Microsoft AIP Labels

Four types of labels can be used to classify the nature of documents:

Name of Label

Level of Security Protection

Automate Protection upon Label Assignment

View

Edit (for Office documents)

Reply

Copy (for MS Office documents)

Print

Save

Restricted

Confidential

Highest

Owner access only

X

X

X

X

X

X

Internal

Public

Nil

Nil

✔

✔

✔

✔

✔

✔

You can also create custom permissions in AIP i.e. Highest, High, Moderate, Lowest, Nil etc.


Protecting Email Message and Attachments

The “Do Not Forward” feature allows you to protect an email message which the recipients can view, edit, reply and save the email, but not copy, forward and print it.

NOTE: You can attach any files or confidential documents protected by AIP in your email. If you are attaching a Microsoft Office file without protection, the “Do Not Forward” restriction will automatically be applied to the attached file.


Key Steps of AIP implementation

To successfully implement AIP, Microsoft and Microsoft partners involved in Azure solutions’ implementation and management follow the four key phases of Microsoft Information Protection Lifecycle:

  • Identifying sensitive data across all the locations, based on the predefined rules.
  • Classifying sensitive data and setting up (automatically or manually) labels to documents and emails.
  • Applying protection and control actions (encryption, access restrictions, etc.).
  • Tracking what’s happening with the sensitive data and providing proactive/reactive solutions to arising problems.

Template

View

Edit (for MS Office attachment without protection)

Reply

Copy (for MS Office documents without protection)

Forward (in email)

Print

Save

Do Not Forward

✔

✔

✔

X

X

X

✔

Microsoft has created AD RMS (Active Directory Rights Management Service) to secure email messages. This technique adds permission directly to the Email, hence allow sender to protect his message online, offline, on network and off network. Sender apply restrictions which limits the ability of receiver to save forward or print the information in email.

IRM predefined group

Description

Do Not Forward

In Outlook, Do Not Forward to an email grants users on the To:, Cc:, and Bcc: lines the View, Edit, Reply, and Reply All rights.

Protecting Files using IRM

Global admin can activate the cloud-based solution from admin center which permits the SharePoint site owner to apply permissions on different libraries and lists. Whenever someone uploads a document to a certain library the file will remain secure as per IRM rules.

IRM predefined group

Description

Read

Users who have Read permission have View rights.

Change

Users who have Change permission have rights to View, Edit, Extract, and Save.

  • Windows  -   7, 8, 8.1, 10
  • MacOS - 10.8 and above 
  • Android - Android 6.0 and Above
  • iOS / IPADOS - iOS 11.0 and above
  • Windows Phones - Windows 10 Mobile 

Required Licenses for AIP vs IRM

As we discussed earlier that IRM is component of AIP so you should only require license for AIP to use either AIP vs IRM. Information Rights Management is component of Azure Rights Management services which comes with Azure Information Protection. IRM also comes with Enterprise plan’s.


What happen if we don’t have EMS license?

Information Rights Management is component of Azure Rights Management services which comes with Azure Information Protection. IRM also comes with Enterprise plan’s.

AIP-VS-RMS

You can get the AIP vs IRM licenses in a bundle or also standalone.


AIP License Requirement

  • Azure Information protection Plan 1 - Price $2                                                                       
  • Azure Information protection Plan 2 - Price $5


AIP Bundle

  • Basic Plan on all Office 365 E3 and above
  • Azure Information protection Plan 1 - Microsoft Enterprise Mobility + Security E3, Microsoft 365 E3 and Microsoft 365 Business.
  • Azure Information protection Plan 2 - Enterprise Mobility + Security E5 and Microsoft 365 E5.


AIP Plan 1 Vs AIP Plan 2

  • You can find difference below between Free, basic, Azure Information Protection P1 and P2.

For more details on how to integrate these solutions effectively, you can check out our guide on integrating Microsoft Purview with Azure.

FEATURE

AZURE INFORMATION PROTECTION FOR OFFICE 365

AZURE INFORMATION PROTECTION PREMIUM P1

AZURE INFORMATION PROTECTION PREMIUM P2

Azure Information Protection content consumption by using work or school accounts from AIP policy-aware apps and services - AIP vs IRM

Available

Available

Available

Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content

Available

Available

Available

Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle

Available

Available

Available

Custom templates, including departmental templates

Available

Available

Available

Protection for on-premises Exchange and SharePoint content via Rights Management connector

Available

Available

Available

Azure Information Protection content creation by using work or school accounts

Available

Available

Available

Office 365 Message Encryption

Available

Available

Available

Administrative control

Available

Available

Available

Azure Information Protection software developer kit for protection for all platforms – Windows, Windows Mobile, iOS, Mac OSX, and Android

Not available

Available

Available

Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection)

Not available

Available

Available

Manual, default, and mandatory document classification

Not available

Available

Available

Azure Information Protection scanner for content discovery of on-premises files matching any of the sensitive information types

Not available

Available

Available

Azure Information Protection scanner to apply a label to all files in an on-premises file server or repository - AIP vs IRM

Not available

Available

Available

Rights Management connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector

Not available

Available

Available

Document tracking and revocation

Not available

Available

Available

Microsoft Information Protection software developer kit (SDK) to apply labels and protection to emails and files for all platforms – Windows, iOS, Mac OSX, Android, and Linux

Not available

Available

Available

Configure conditions for automatic and recommended classification

Not available

Not available

Available

Set labels to automatically apply pre-configured S/MIME protection in Outlook

Not available

Not available

Available

Control oversharing of information when using Outlook (warn, justify or block emails).

Not available

Not available

Available

Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios

Not available

Not available

Available

Azure Information Protection scanner for automated classification, labeling, and protection of supported on-premises files - AIP vs IRM

Not available

Not available



Last Updated 6 months ago

About the Author

With a Master’s degree in Information System’s from Griffith University, Awais took up technology to explore his passion for cloud computing and IT security. He has a love for challenges and is fervent about his work.

Awais Khalid

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
>