Azure RMS (AIP vs IRM)
Azure Rights Management Service (Azure RMS) is the cloud-based version of the Rights Management Services that Microsoft first introduced with Office 2003. Using Azure RMS you can protect documents and emails on different devices, including tablets, phones and PCs. Azure RMS uses encryption to secure documents and emails, and a user gets access to them only after authentication and authorization. This lets an organization protect its corporate data even outside the organization's boundaries.
Azure RMS is consumed through different products. Previously it was used through IRM (Information Rights Management); now IRM has become a component of AIP (Azure Information Protection), so AIP and IRM are both based on Azure RMS. See the diagram below to understand the RMS concept:
I hope the above diagram clears up most of your questions regarding Azure Rights Management Service.
AIP vs IRM
Now the second most confusing question for a support person is where to use IRM and where to use AIP. Before answering it: in my opinion, do not apply both techniques to the same content in your production environment. If a document is already protected by an AIP label and you place it in a SharePoint library that uses IRM, two policies apply to that document and may conflict with each other.
Both technologies, SharePoint IRM and Azure AIP, encrypt the document so that unauthorized or accidental sharing of files does not result in a data breach.
However, SharePoint IRM does not restrict SharePoint capabilities such as document preview, Open in browser and SharePoint search, because the document is stored unencrypted in the library and is encrypted only at the moment a user downloads it to a local machine.
With Azure AIP, a document can be encrypted and protected based on conditions such as sensitive information types before it is ever uploaded. When such a document is uploaded to SharePoint, SharePoint Online cannot read the contents inside the file, so content search is not possible and document preview and Open in browser do not work for it.
Also, SharePoint IRM is applied at the document library level, whereas Azure AIP (and Office 365 encryption) can work from rules that match keywords or sensitive information types such as financial or PII data, auto-label the files and encrypt them.
Common Usage Scenarios of AIP vs IRM
Scenarios | AIP | IRM |
---|---|---|
Microsoft Office Document | Yes | Yes |
Non-Microsoft Office Document | Yes | No |
Protected File Types | .txt .jpg .png .bmp .pdf .xps .xsn .dwfx .psd .dng .mpp .mpt .pub .tif .tiff .jif and Microsoft Office files | .xsn .xps and Microsoft Office files |
Document Tracking | Yes | No |
Propagation to user | 5 Mins | 2 Hours |
Supports Mobile | Yes | No |
Automation Actions | Many | Very few |
Revoke access on document | Yes | No |
Activation | Auto | Manual |
Labeling | Yes | No |
Automatic keyword labelling | Yes | No |
Classification | Yes | No |
Ways of Protection using AIP
Protecting Documents Using Microsoft AIP Labels
Four types of labels can be used to classify the nature of documents:
Name of Label | Level of Security Protection | Automate Protection upon Label Assignment | View | Edit (for Office documents) | Reply | Copy (for MS Office documents) | Save | |
---|---|---|---|---|---|---|---|---|
Restricted, Confidential | Highest | Owner access only | X | X | X | X | X | X |
Internal, Public | Nil | Nil | | | | | | |
You can also create custom permissions in AIP for other protection levels, e.g. Highest, High, Moderate, Lowest or Nil.
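Putting the label and custom-permission steps above into practice, and checking for the AIP/IRM overlap warned about earlier in this article: the script below is an added example using the AzureInformationProtection PowerShell module that ships with the AIP client; it is not code from the article. The label GUID, folder path and user address are placeholders that you must replace with values from your own tenant.

```powershell
# Added example, not from the article. Requires the AzureInformationProtection
# module installed by the AIP client and an account that can apply labels.
Import-Module AzureInformationProtection

$labelId   = '00000000-0000-0000-0000-000000000000'   # placeholder: GUID of your "Confidential" label
$folder    = 'C:\Finance\Q3'                          # placeholder folder
$reviewer  = 'auditor@contoso.com'                    # placeholder user

# 1. Apply the label to every Office document under the folder. If the label
#    is configured with protection, the files are encrypted at this point.
Get-ChildItem -Path $folder -Include *.docx, *.xlsx, *.pptx -Recurse -File |
    Set-AIPFileLabel -LabelId $labelId

# 2. Custom permissions instead of the label's template: a Viewer can open the
#    file but cannot edit, copy or print it (the "Highest ... Nil" levels in
#    the text map onto these usage rights).
$perm = New-AIPCustomPermissions -Users $reviewer -Permissions Viewer
Set-AIPFileLabel -Path (Join-Path $folder 'forecast.xlsx') -LabelId $labelId -CustomPermissions $perm

# 3. Read the result back. IsRMSProtected = True means SharePoint Online cannot
#    index, preview or open the file in the browser, and the file must NOT go
#    into a library that has IRM enabled, or two policies will be stacked on it.
$status = Get-AIPFileStatus -Path $folder
$status |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected, RMSTemplateName, RMSOwner |
    Format-Table -AutoSize

# Files that would conflict with an IRM-enabled SharePoint library:
$conflicting = $status | Where-Object { $_.IsRMSProtected } | Select-Object -ExpandProperty FileName
if ($conflicting) {
    Write-Warning ("Already AIP-protected, keep out of IRM libraries:`n" + ($conflicting -join "`n"))
}
```

Run it once on a test folder first: Set-AIPFileLabel rewrites the files, and a label that carries protection cannot be undone by users who are not owners or have the Remove Protection right.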
Protecting Email Message and Attachments
The "Do Not Forward" option protects an email message so that recipients can view, edit, reply to and save the email, but cannot copy, forward or print it.
NOTE: You can attach files or confidential documents already protected by AIP to such an email. If you attach a Microsoft Office file that is not protected, the "Do Not Forward" restriction is automatically applied to the attachment as well.
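As an added example (not from the article) of enforcing Do Not Forward centrally rather than relying on each sender to pick it in Outlook, the Exchange Online PowerShell snippet below creates a mail flow rule that applies the tenant's Do Not Forward template to outbound mail containing a keyword. The admin account, rule name and keyword are placeholders.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement
# module and an Exchange administrator account (placeholder below).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Confirm the RMS template is visible to Exchange before referencing it by name;
# if it is missing, Azure RMS is probably not activated for the tenant.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Do Not Forward' }
if (-not $template) {
    throw 'Do Not Forward template not found in Exchange Online; activate Azure RMS first.'
}

# Apply Do Not Forward to mail leaving the organization whose subject or body
# contains the placeholder keyword. Recipients can read and reply; copy,
# forward and print are blocked, and unprotected Office attachments inherit
# the same restriction.
New-TransportRule -Name 'Protect confidential outbound mail' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate $template.Name `
    -Comments 'Added example rule; replace the keyword with your own sensitive phrase.'

# Verify the rule is enabled and which template it applies.
Get-TransportRule -Identity 'Protect confidential outbound mail' |
    Select-Object Name, State, SentToScope, ApplyRightsProtectionTemplate
```

Test with a message from a mailbox in scope before relying on the rule: a keyword match that is too broad will protect routine mail and break workflows that depend on forwarding.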
Key Steps of AIP implementation
To implement AIP successfully, Microsoft and the Microsoft partners involved in implementing and managing Azure solutions follow the four key phases of the Microsoft Information Protection lifecycle:
- Identifying sensitive data across all the locations, based on the predefined rules.
- Classifying sensitive data and setting up (automatically or manually) labels to documents and emails.
- Applying protection and control actions (encryption, access restrictions, etc.).
- Tracking what’s happening with the sensitive data and providing proactive/reactive solutions to arising problems.
Template | View | Edit (for MS Office attachment without protection) | Reply | Copy (for MS Office documents without protection) | Forward (in email) | Save |
---|---|---|---|---|---|---|
Do Not Forward | X | X | X |
Protecting Email Messages using IRM
Microsoft created AD RMS (Active Directory Rights Management Services) to secure email messages. This technique attaches the permissions directly to the email, so the sender can protect the message online and offline, on and off the corporate network. The sender applies restrictions that limit the recipient's ability to save, forward or print the information in the email.
IRM predefined group | Description |
---|---|
Do Not Forward | In Outlook, applying Do Not Forward to an email grants the users on the To:, Cc: and Bcc: lines the View, Edit, Reply and Reply All rights. |
Protecting Files using IRM
A global admin can activate the cloud-based solution from the admin center, which then permits a SharePoint site owner to apply IRM permissions to individual libraries and lists. Whenever someone uploads a document to such a library, the file stays protected according to that library's IRM rules when it is downloaded.
IRM predefined group | Description |
---|---|
Read | Users who have Read permission have View rights. |
Change | Users who have Change permission have rights to View, Edit, Extract, and Save. |
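To enable IRM on one library without clicking through the library settings, here is an added example (not from the article) using the PnP.PowerShell module; it assumes the global admin has already activated IRM in the SharePoint admin center as described above. The site URL, library name and policy text are placeholders, and the parameter names follow Set-PnPListInformationRightsManagement as documented for PnP.PowerShell; confirm them with Get-Help on your installed version.

```powershell
# Added example, not from the article. Requires PnP.PowerShell and a site
# owner (or higher) on the target site; URL and library name are placeholders.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url 'https://contoso.sharepoint.com/sites/Finance' -Interactive

# Turn on IRM for the library. From now on every download is encrypted by
# Azure RMS and the permission levels in the table above decide the rights:
# Read = View only; Change = View, Edit, Extract and Save.
Set-PnPListInformationRightsManagement -List 'Documents' -Enable $true `
    -PolicyTitle 'Finance IRM policy' `
    -PolicyDescription 'Downloads are encrypted; readers can only view.' `
    -AllowPrint $false `
    -AllowWriteCopy $false `
    -EnableDocumentAccessExpire $true -DocumentAccessExpireDays 90 `
    -EnableLicenseCacheExpire $true -LicenseCacheExpireDays 7

# Read the settings back to confirm IRM is enabled and the rights are as intended.
Get-PnPListInformationRightsManagement -List 'Documents'
```

The access-expiry and license-cache settings are what make a downloaded copy stop opening after the period shown, even if the user keeps the file; leave them at the defaults if offline access for longer is required.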
Supported platforms:
- Windows - 7, 8, 8.1, 10
- macOS - 10.8 and above
- Android - 6.0 and above
- iOS / iPadOS - iOS 11.0 and above
- Windows Phone - Windows 10 Mobile
Required Licenses for AIP vs IRM
As discussed earlier, IRM is a component of AIP, so an AIP license is all you need to use either AIP or IRM.
What happens if we don't have an EMS license?
Information Rights Management is a component of the Azure Rights Management service, which comes with Azure Information Protection. IRM is also included in the Enterprise plans.
You can get the AIP and IRM licenses in a bundle or standalone.
AIP License Requirement
- Azure Information Protection Plan 1 - $2 per user per month
- Azure Information Protection Plan 2 - $5 per user per month
AIP Bundle
- Basic plan included in all Office 365 E3 and above
- Azure Information Protection Plan 1 - included in Enterprise Mobility + Security E3, Microsoft 365 E3 and Microsoft 365 Business
- Azure Information Protection Plan 2 - included in Enterprise Mobility + Security E5 and Microsoft 365 E5
AIP Plan 1 Vs AIP Plan 2
- The table below shows the differences between Azure Information Protection for Office 365 (the basic entitlement included with Office 365), Azure Information Protection Premium P1 and Premium P2.
FEATURE | AZURE INFORMATION PROTECTION FOR OFFICE 365 | AZURE INFORMATION PROTECTION PREMIUM P1 | AZURE INFORMATION PROTECTION PREMIUM P2 |
---|---|---|---|
Azure Information Protection content consumption by using work or school accounts from AIP policy-aware apps and services | Available | Available | Available |
Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content | Available | Available | Available |
Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle | Available | Available | Available |
Custom templates, including departmental templates | Available | Available | Available |
Protection for on-premises Exchange and SharePoint content via Rights Management connector | Available | Available | Available |
Azure Information Protection content creation by using work or school accounts | Available | Available | Available |
Office 365 Message Encryption | Available | Available | Available |
Administrative control | Available | Available | Available |
Azure Information Protection software developer kit for protection for all platforms – Windows, Windows Mobile, iOS, Mac OSX, and Android | Not available | Available | Available |
Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection) | Not available | Available | Available |
Manual, default, and mandatory document classification | Not available | Available | Available |
Azure Information Protection scanner for content discovery of on-premises files matching any of the sensitive information types | Not available | Available | Available |
Azure Information Protection scanner to apply a label to all files in an on-premises file server or repository | Not available | Available | Available |
Rights Management connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector | Not available | Available | Available |
Document tracking and revocation | Not available | Available | Available |
Microsoft Information Protection software developer kit (SDK) to apply labels and protection to emails and files for all platforms – Windows, iOS, Mac OSX, Android, and Linux | Not available | Available | Available |
Configure conditions for automatic and recommended classification | Not available | Not available | Available |
Set labels to automatically apply pre-configured S/MIME protection in Outlook | Not available | Not available | Available |
Control oversharing of information when using Outlook (warn, justify or block emails). | Not available | Not available | Available |
Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios | Not available | Not available | Available |
Azure Information Protection scanner for automated classification, labeling, and protection of supported on-premises files | Not available | Not available | Available |