Azure Information Protection Custom Labels & Protection

I recently rolled out AIP at one of my customer sites, and they presented me with an interesting challenge. One of their departments wanted the option to choose whether or not to classify and protect data.

This has been made possible with custom configurations to the AIP client. At the time of writing this post there are 18 items that have custom configurations available.
More info HERE

The next part of this blog is a step-by-step guide on how to set up a custom label that will recommend that the user apply the label and protection.

  1. Log in to the Azure Information Protection portal in Azure and create a new label, as per the image below.
  2. Select Protect, accept the defaults, and add the users or security group assigned to the label, as per the image below.
  3. Add a keyword condition, as per the image below.
  4. Select the Protect option, accept the defaults, and add the users or security group that the label will apply to, as per the image below.
  5. Save the configuration changes. Next, we will create a policy.
  6. Create a policy. I always match the name of the label that the policy will apply to. Add the users or security group and accept the defaults except for one item: change the selection to Recommended, as per the image below.
  7. Add the new label created in the previous section and ensure the default label remains set to None.
  8. The final piece is to modify the advanced settings of the policy, as per the image below.
  9. Use the values specified in the image below.
  10. Attempting to save a Word document with the keyword specified prompts the user as follows, giving the user a recommendation and not enforcing protection or classification.
  11. When attempting to send an email with the keyword specified, a pop-up is presented from the AIP client, as per the image below.


  • The Azure Information Protection custom features are currently in PREVIEW.
  • Always use the latest version of the AIP client.
  • If the label is not appearing in the Windows client, it may be due to too many Modern Authentication tokens in Credential Manager. This is something that happened on my laptop due to connecting to multiple Office 365 tenants.
  • I will post some new blogs on more custom options, custom sensitive information types & AIP scanner.
  • When data is protected with the sample label above, only users that are specified in the label and policy will be able to access the data.
  • Always ensure that the users the label and policy apply to have an AIP license.


