In a new message center notice, Microsoft is advising customers of upcoming changes to Azure Information Protection.
We are making some changes to your Azure Information Protection (AIP) configuration. Starting July 1, 2018, we will be enabling the protection features in Azure Information Protection to customers with the eligible Office 365 licenses.
This follows the announcement in February that AIP will be enabled by default for eligible new Office 365 tenants.
Azure Information Protection (AIP) is available as a standalone license subscription, and is also included with several licensing bundles. Office 365 Enterprise E3 or later, and EM+S E3 or higher, and Microsoft 365 E3 or higher all include AIP, AIP Premium 1, or AIP Premium 2. Importantly, all licenses that include AIP entitle users to use Office 365 Message Encryption (OME), which is the justification provided by Microsoft for enabling AIP automatically for eligible customers.
With this update your organization can start using Office 365 Message Encryption capabilities.
The main cause for concern here will be any user or admin training required for the use of Office 365 Message Encryption and other AIP features. Customers who have purchased AIP-included licenses, but are not yet using AIP, may well be doing so for good reasons. AIP is not a feature that you simply turn on. Information protection is largely a business-driven initiative, requiring the classification of information and the construction of appropriate policies to allow labels and protections to be applied to files and emails. You can find details of the default AIP policy here.
However the ability for users to encrypt an email or apply “Do Not Forward” protection to a message, is fairly low hanging fruit that can be used with little friction. Protecting confidential information in emails is a high priority these days, so this is a positive change for customers who might be unaware of their entitlement to activate and use AIP.
Customers using on-premises Active Directory Rights Management Services (AD RMS) need to take action. In the message center notification, Microsoft notes:
If you are using Active Directory Rights Management Services (AD RMS) in your on-premises environment, you should opt-out of this change immediately. Without additional steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn’t supported and has unreliable results, so it’s important that you opt-out of this change within the next 30 days, when we roll out these new features.
Presumably Microsoft has some idea of how many AD RMS customers would be impacted by this change, and consider it low enough risk that it is safe to proceed with the advice above. If you are an on-premises AD RMS customer, the command to run in Exchange Online PowerShell to opt-out is:
PS C:\> Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
If you’d prefer to migrate from AD RMS to AIP instead, Microsoft has provided guidance here.