Table of Contents
- Most important facts about Azure Information Protection licensing
- Azure Information Protection license plans
- Azure Information Protection for Office365 in Office365 plans
- Azure Information Protection in Microsoft365 plans
- Azure Information Protection in Enterprise Mobility + Security plans
- Related Articles
I will introduce issues on how to license Azure Information Protection itself. I will explain which Office365 plans include Azure Information Protection and which AiP licenses are required for each AiP functionality.
Most important facts about Azure Information Protection licensing
Access to information protected by AiP does not require any license.
Reading AiP secure messages and documents DOES NOT REQUIRE Azure Information Protection License.
Opening the file and reading the content does not require a license. The license requires modifying (removing, changing, assigning) AiP labels and configuring AiP’s operating principles. Any classification, label or protection change requires an Azure Information Protection P1 (if you manually change the label) or P2 (if you automatically apply the classification and label rules).
Explanation: For example, when the recipient of a message tries to access its content, AiP mechanisms verify that it is authorized to do so. This action does not require him to have an AiP license, he receives AiP processes support as a gift from the sender.
Displaying the label attached to the file requires an AiP license
File usage and security verification does not require a license, but if you want to display the label attached to the file, you must have the appropriate license.
Using the Azure Information Protection scanner
Generating a report only – requires Azure Information Protection P1 license
Collecting sensitive information and applying labels automatically – requires Azure Information Protection P1 license
Consider an example. All users use the same shared file repositories. They use a scanner for automatic classification. Therefore, all users need AiP P2 licenses. When the scanner finds sensitive information and automatically applies a label, the file owner should have a license. We do not know what information will be found in the repository and on which files the scanner will apply labels, so the owners of all files included in the scan should have P2 licenses
A license is required from the owner of the document on which the label is automatically applied, not just from the person launching the scanner. Users who created content in the scanned repository must be licensed with Azure Information Protection P2.
Using AiP Client requires P1 or P2 license, using only native labeling environments (in Office applications) requires Office 365 E3 / E5 license
To manually apply labels using the native labeling environment built into Office applications (Word, Excel, PowerPoint, Outlook), users must have Azure Information Protection P1 / P2 or Office 365 E3 / E5 licenses (both licenses are not needed).
To apply labels using mechanisms embedded in Word, Excel, PowerPoint and Outlook, all you need is an Office 365 E3 license for manual classification or Office 365 E5 for automatic and recommended classification.
Instead of the Office 365 license, the user can have an Azure Information Protection P1 or P2 license, then no Office 365 license is required.
Azure Information Protection license plans
AiP for Office 365
Microsoft Azure Information Protection is included in the Office 365 Enterprise E3 plan and higher-level plans.
- Content Protection Exchange Online, SharePoint Online, OneDrive
- No AiP client (only native functions of O365 application)
AiP Premium P1 (Included in EMS E3)
Provides additional rights to use local connectors, track and revoke shared documents, and allow users to manually classify and label documents.
- Manual classification and labeling
- Protection of file formats other than Microsoft Office, including PTXT, PJPG and PFILE (general protection) – due to the need to have an AiP client
AiP Premium P2 (Included in EMS E5)
It is based on the Azure Information Protection Premium P1 service with automated and recommended classification, labeling and protection, and with rules-based rules.
- Automatic classification
- Recommended classification – the function of recommending the use of the label
Azure Information Protection for Office365 in Office365 plans
|Office365 Subscription||Includes Azure Information|
Protection for Office 365
|Office 365 Business Essentials||No|
|Office 365 Business Premium||No|
|Office 365 Enterprise||No|
|Office 365 Education||Yes|
|Office 365 Enterprise E3||Yes|
|Office 365 Education A3||Yes|
|Office 365 Government G3||Yes|
|Office 365 Developer||No|
|Office 365 Enterprise E4||Yes|
|Office 365 Education A4||Yes|
|Office 365 Government G4||Yes|
|Office 365 Enterprise E5||Yes|
|Office 365 Education A5||Yes|
|Office 365 Enterprise F1||No|
|SharePoint Plan 1||No|
|SharePoint Plan 2||No|
|Exchange Online Plan 1||No|
|Exchange Online Plan 2||No|
Azure Information Protection in Microsoft365 plans
|Microsoft 365 F1||P1|
|Microsoft 365 E3||P1|
|Microsoft 365 E5||P1||P2|
Azure Information Protection in Enterprise Mobility + Security plans
|Enterprise Mobility + Security E3||Azure Information Protection P1|
|Enterprise Mobility + Security E5||Azure Information Protection P2|