Azure Information Protection Premium Government Service Description

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated for GCC, GCC-H, and DoD customers as of September 31, 2021.

The classic client will be officially retired, and will stop functioning, on March 31, 2022.

All current Azure Information Protection classic client customers must migrate to the Microsoft Purview Information Protection unified labeling platform and upgrade to the unified labeling client. Learn more in our migration blog.

How to use this Service Description

Azure Information Protection unified labeling is available for GCC, GCC High, and DoD customers.

The Azure Information Protection Premium Government Service Description is designed to serve as an overview of our offering in the GCC High and DoD environments, and will cover feature variations compared to Azure Information Protection Premium commercial offerings.

Azure Information Protection Premium Government and third-party services

Some Azure Information Protection Premium services provide the ability to work seamlessly with third-party applications and services.

These third-party applications and services may involve storing, transmitting, and processing your organization's customer content on third-party systems that are outside of the Azure Information Protection Premium infrastructure, and therefore not covered by our compliance and data protection commitments.

Make sure you review the privacy and compliance statements provided by the third parties when assessing the appropriate use of these services for your organization.

Parity with Azure Information Protection premium commercial offerings

For infomration about known existing gaps between Azure Information Protection Premium GCC High/DoD and the commercial offering, see the Cloud feature availability for US Government customers for Azure Information Protection.

Configuring Azure Information Protection for GCC High and DoD customers

The following configuration details are relevant for all Azure Information Protection solutions for GCC High and DoD customers, including unified labeling solutions.

Important

As of the July 2020 update, all new GCC High customers of the Azure Information Protection unified labeling solution, can make use of both General menu and Scanner menu features only.

Enable Rights Management for the tenant

For the encryption to work correctly, the Rights Management Service must be enabled for the tenant.

  • Check if the Rights Management service is enabled
    • Launch PowerShell as an Administrator
    • Run Install-Module aadrm if the AADRM module is not installed
    • Connect to service using Connect-aadrmservice -environmentname azureusgovernment
    • Run (Get-AadrmConfiguration).FunctionalState and check if the state is Enabled
  • If the functional state is Disabled, run Enable-Aadrm

DNS configuration for encryption (Windows)

For encryption to work correctly, Office client applications must connect to the GCC, GCC High/DoD instance of the service and bootstrap from there. To redirect client applications to the right service instance, the tenant admin must configure a DNS SRV record with information about the Azure RMS URL. Without the DNS SRV record, the client application will attempt connect to the public cloud instance by default, and fail.

Also, the assumption is that users will log in with the username based off the tenant-owned-domain (for example: joe@contoso.us), and not the onmicrosoft username (for example: joe@contoso.onmicrosoft.us). The domain name from the username is used for DNS redirection to the right service instance.

  • Get the Rights Management Service ID
    • Launch PowerShell as an Administrator
    • If the AADRM module is not installed, run Install-Module aadrm
    • Connect to service using Connect-aadrmservice -environmentname azureusgovernment
    • Run (Get-aadrmconfiguration).RightsManagementServiceId to get the Rights Management Service ID
  • Sign in to your DNS provider, and navigate to the DNS settings for the domain to add a new SRV record
    • Service = _rmsredir
    • Protocol = _http
    • Name = _tcp
    • Target = [GUID].rms.aadrm.us (where GUID is the Rights Management Service ID)
    • Port = 80
    • Priority, Weight, Seconds, TTL = default values
  • Associate the custom domain with the tenant in the Azure portal. Associating the custom domain will add an entry in DNS, which may take a few minutes to verify after adding the value.
  • Sign in to the Office Admin Center and add the domain (example: contoso.us) for user creation. In the verification process, some more DNS changes might be required. Once verification is done, users can be created.

DNS configuration for encryption (Mac, iOS, Android)

  • Sign in to your DNS provider, and navigate to the DNS settings for the domain to add a new SRV record
    • Service = _rmsdisco
    • Protocol = _http
    • Name = _tcp
    • Target = api.aadrm.us
    • Port = 80
    • Priority, Weight, Seconds, TTL = default values

Label migration

GCC High and DoD customers need to migrate all existing labels using PowerShell. Traditional AIP migration methods are not applicable for GCC High and DoD customers.

Use the New-Label cmdlet to migrate your existing sensitivity labels. Make sure to follow the instructions for connecting and running the cmdlet using Security & Compliance Center before getting started with your migration.

Migration example when an existing sensitivity label has encryption:

New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId 'a32027d7-ea77-4ba8-b2a9-7101a4e44d89' -EncryptionAipTemplateScopes "['allcompany@labelaction.onmicrosoft.com','admin@labelaction.onmicrosoft.com']"

AIP apps configuration

When working with the Azure Information Protection client, you must configure one of the following registry keys to point your AIP apps on Windows to the correct sovereign cloud. Make sure to use the correct values for your setup.

AIP apps configuration for the unified labeling client

Relevant for: The AIP unified labeling client only

Registry Node HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP
Name CloudEnvType
Value 0 = Commercial (default)
1 = GCC
2 = GCC High
3 = DoD
Type REG_DWORD

Note

  • If this registry key is empty, incorrect, or missing, the behavior reverts to the default (0 = Commercial).
  • If the key is empty or incorrect, a print error is also added to the log.
  • Make sure not to delete the registry key after uninstalling.

AIP apps configuration for the classic client

Relevant for: The AIP classic client only

Registry Node HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP
Name WebServiceUrl
Value https://api.informationprotection.azure.us
Type REG_SZ (String)

Firewalls and network infrastructure

If you have a firewall or similar intervening network devices that are configured to allow specific connections, use the following settings to ensure smooth communication for Azure Information Protection.

  • TLS client-to-service connection: Do not terminate the TLS client-to-service connection to the rms.aadrm.us URL (for example, to perform packet-level inspection).

    You can use the following PowerShell commands to help you determine whether your client connection is terminated before it reaches the Azure Rights Management service:

    $request = [System.Net.HttpWebRequest]::Create("https://admin.aadrm.us/admin/admin.svc")
    $request.GetResponse()
    $request.ServicePoint.Certificate.Issuer
    

    The result should show that the issuing CA is from a Microsoft CA, for example: CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US. If you see an issuing CA name that is not from Microsoft, it is likely that your secure client-to-service connection is being terminated and needs to be reconfigured on your firewall.

  • Downloading labels and label policies (AIP classic client only): To enable the Azure Information Protection classic client to download labels and label policies, allow the URL api.informationprotection.azure.us over HTTPS.

For more information, see:

Service Tags

Make sure to allow access to all ports for the following Service Tags:

  • AzureInformationProtection
  • AzureActiveDirectory
  • AzureFrontDoor.Frontend