AIP Client: To be or not to be

A lot of new things have been released during Microsoft Ignite and we have several news within the Office products around information security.

Microsoft Purview Information Protection continues to give more insights and abilities to detect sensitive information. All the news within Microsoft Office is integrated within the product and can’t be combined with the classic AIPC Client. This article is meant to explain and show the difference between the AIP client add-in and Office native.

One of the most requested features that the AIP Client add-in have given in Office is the ribbon that provide more visibility and make it easier to choose the correct information classification. Basically, the user doesn’t need to click on the Sensitivity button to know what information classes that are available and choose the correct sensitivity label. This function with a visible ribbon is planned to be integrated in future Office releases but is not jet here.


However, we have several functions that maybe make us want to disable AIP client Add-in already now. One example is when sensitive information has been detected, with the AIP Client it notices the end-user about it, but it doesn’t show exactly what and where the information is detected in the document.

When sensitive information is detected with Office version 2208 and above, Word notifies the user where the content is in the document as well as what type of content it is. It’s a big improvement in alerting the user to exactly what information was identified and where in the document. This makes it easier for the user to both discover incorrectly identified information but above all to be able to remove sensitive information that may not be approved in the specific document.


Custom Permissions

With the AIP Client and the add-on we have had the possibility to protect information with user defined custom permissions. Here we have the possibility to define what permission (View, Edit, Full Control) to defined users, groups or organizations by their mail domains. Without the add-in (or if we had enabled coauthoring for RMS protected content in the specific tenant) it falls back to the classic RMS function “restrict permissions” that didn’t have the possibility to restrict access to an whole organization.

This has now been resolved in new Office versions (2208) that also include the ability to assign different rights to different users and organizations.

Custom Permission native

Custom Permission with AIP Client




imageWhen it comes to protect emails to user defined recipients with sensitive labels that uses the rather new “Encrypt-Only” restrictions we had never had this possibility with the AIP add-in enabled in outlook.

Outlook native

Outlook with the AIP add-in



What we still miss in the native Outlook client is the AIP add-in Outlook pop-ups that for instance can be configured to notify and/or block the end-user to send internally protected emails externally.


Non-office files

We still need the AIP client to be able to protect non-office files and/or to protect several files/folders at a time from Windows Explorer. This mean that we don’t want to uninstall the AIP Client app, instead we can disable the add-in for per Office apps

Microsoft is planning to disable the AIP add-in by default in office starting with version 2213, read more here around this (and how to prevent it if there is a need for that):

Migrate the Azure Information Protection (AIP) add-in to Microsoft Purview Information Protection built-in labeling for Office apps – Microsoft Purview (compliance) | Microsoft Learn

Activities that should be planned

For organizations that currently have AIP client’s and its add-in enable, it is time to take a decision when and if changes should be done. Many will wait until the bar is available in native office. I recommend that you create communication plans and review whether user instructions need to be updated when the decision have been made. Service desk and other operational departments should of course be informed.

Also make sure that organization-specific (custom) Information Types/Trainable Classifiers are named and described in a good way because they will now be visible to end users.

Detta inlägg publicerades i Microsoft Information Protection och märktes , . Bokmärk permalänken.


Fyll i dina uppgifter nedan eller klicka på en ikon för att logga in:

Du kommenterar med ditt Logga ut /  Ändra )


Du kommenterar med ditt Twitter-konto. Logga ut /  Ändra )


Du kommenterar med ditt Facebook-konto. Logga ut /  Ändra )

Ansluter till %s