In a new message center notice, Microsoft is advising customers of upcoming changes to Azure Information Protection.

We are making some changes to your Azure Information Protection (AIP) configuration. Starting July 1, 2018, we will be enabling the protection features in Azure Information Protection to customers with the eligible Office 365 licenses.

This follows the announcement in February that AIP will be enabled by default for eligible new Office 365 tenants.

Azure Information Protection (AIP) is available as a standalone license subscription, and is also included with several licensing bundles. Office 365 Enterprise E3 or later, EM+S E3 or higher, and Microsoft 365 E3 or higher all include AIP, AIP Premium 1, or AIP Premium 2. Importantly, all licenses that include AIP entitle users to use Office 365 Message Encryption (OME), which is the justification provided by Microsoft for enabling AIP automatically for eligible customers.

With this update your organization can start using Office 365 Message Encryption capabilities.

The main cause for concern here will be any user or admin training required for the use of Office 365 Message Encryption and other AIP features. Customers who have purchased AIP-included licenses, but are not yet using AIP, may well be doing so for good reasons. AIP is not a feature that you simply turn on. Information protection is largely a business-driven initiative, requiring the classification of information and the construction of appropriate policies to allow labels and protections to be applied to files and emails. You can find details of the default AIP policy here.

However, the ability for users to encrypt an email or apply “Do Not Forward” protection to a message is fairly low-hanging fruit that can be used with little friction. Protecting confidential information in emails is a high priority these days, so this is a positive change for customers who might be unaware of their entitlement to activate and use AIP.

Customers using on-premises Active Directory Rights Management Services (AD RMS) need to take action. In the message center notification, Microsoft notes:

If you are using Active Directory Rights Management Services (AD RMS) in your on-premises environment, you should opt-out of this change immediately. Without additional steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn’t supported and has unreliable results, so it’s important that you opt-out of this change within the next 30 days, when we roll out these new features.

Presumably Microsoft has some idea of how many AD RMS customers would be impacted by this change, and considers it low enough risk that it is safe to proceed with the advice above. If you are an on-premises AD RMS customer, the command to run in Exchange Online PowerShell to opt out is:

PS C:\> Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
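
A fuller version of the opt-out, added here as an example and not part of the original article or Microsoft's notice: it looks for an AD RMS service connection point (SCP) in the on-premises forest, applies the opt-out only if one is found, and reads the setting back to confirm it. It assumes the ActiveDirectory (RSAT) and ExchangeOnlineManagement modules are installed, that the AD RMS cluster registered its SCP, and that Get-IRMConfiguration reports the AutomaticServiceUpdateEnabled value; Get-AdRmsScpUrl is a helper name made up for this example.

```powershell
# Added example; run from a domain-joined admin workstation.
Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement

function Get-AdRmsScpUrl {
    # AD RMS registers its SCP in the forest configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties serviceBindingInformation -ErrorAction Stop
        return $scp.serviceBindingInformation
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $null   # no SCP object exists in this forest
    }
}

$scpUrl = Get-AdRmsScpUrl
if (-not $scpUrl) {
    # SCP registration is optional, so absence is not proof that AD RMS is unused.
    Write-Output 'No AD RMS SCP registered in this forest; confirm separately whether AD RMS is deployed. Nothing changed.'
    return
}
Write-Output "AD RMS SCP found: $scpUrl"

Connect-ExchangeOnline -ShowBanner:$false

# Assumption: the current value is exposed under the same name as the Set parameter.
$before = Get-IRMConfiguration
Write-Output "AutomaticServiceUpdateEnabled before: $($before.AutomaticServiceUpdateEnabled)"

if ($before.AutomaticServiceUpdateEnabled -ne $false) {
    Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
}

# Read the setting back rather than trusting that the change was applied.
$after = Get-IRMConfiguration
if ($after.AutomaticServiceUpdateEnabled -ne $false) {
    throw 'Opt-out not applied: AutomaticServiceUpdateEnabled is still not False.'
}
Write-Output 'Opt-out confirmed: AutomaticServiceUpdateEnabled is False.'

Disconnect-ExchangeOnline -Confirm:$false
```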

If you’d prefer to migrate from AD RMS to AIP instead, Microsoft has provided guidance here.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Ramon

    Hi Stefan,

    Have you ever got an answer? We have exactly the same question.

  2. Stefan

    Hi everybody,

    we have Office 365 Business Premium licenses across the board, and I have now booked a test license of AIP Plan 1 to encrypt our emails. However, it seems like my Outlook App does still not offer this feature. How come? I read above that it does not work with Office 365 Business Edition, but how about Office 365 Business Premium?

  3. Cool AIP

    Hi Pedro,

    Yes you are right, Azure Information Protection or AIP is not yet compatible with Office 365 Business Edition.

    What you can do to test out the AIP is try a trial of M365 E3 or E5. E3 has manual classification AIP and E5 has automatic classification AIP.

    If you will use this M365 trial, uninstall all Office 365 in your PC first, then install this M365 E3 or E5. This way, you will be able to use the full potential of Office 365 E3 and E5 plus the AIP Plan 1 (E3 only) and Plan 2 (E5). E5 also includes AIP Plan 1 and 2.

    Let me know how it goes

  4. Rick Cook

    Yes the user has the ability to encrypt, but unless they have Office Pro, the labels used for encrypting an email are not in the client application. They can use Outlook online to encrypt. However, this is cumbersome if they normally use the desktop client. To me this is an MS bait and switch, in that you can pay for the AIP encryption but you can’t actually use it on the desktop unless you pay for the premium package. Additionally this is not well documented.

    1. Pedro


      I have Business Premium licenses deployed to everyone, recently we are stepping up our Office 365 game and looking into Identity Protection.

      I trialed Enterprise + Mobility E5 assigned it to myself alongside Business Premium, used an Azure guide to set up policies and download the client, I was excited to see the ‘Protect’ options in my Word but lo and behold I cannot use my Azure policies because my Office is 365 Business not Pro…

      Confusing I then trialed Microsoft 365 which has all the features and assigned that to myself but I still get Office 365 Business desktop apps not Pro so how in the hell does all the identity protection stuff work with this license…

      Not documented
