Preparing users and groups for Azure Information Protection


To authorize users, Azure Information Protection relies on two Azure AD attributes: proxyAddresses and userPrincipalName.

Your first check is to make sure that the users you want to use with Azure Information Protection are displayed.

Then check whether the ProxyAddresses column is populated. If it is, the email values in this column can be used to authorize the user for Azure Information Protection.
The Azure AD proxyAddresses attribute stores all email addresses for an account and can be populated in different ways. For example, a user in Office 365 that has an Exchange Online mailbox automatically has an email address that is stored in this attribute. If you assign an alternative email address for an Office 365 user, it is also saved in this attribute. It can also be populated by the email addresses that are synchronized from on-premises accounts.
Azure Information Protection can use any value in this Azure AD proxyAddresses attribute, providing the domain has been added to your tenant (a “verified domain”). For more information about verifying domains:
The Azure AD userPrincipalName attribute is used only when an account in your tenant has no values in the Azure AD proxyAddresses attribute. For example, this is the case when you create a user in the Azure portal, or create a user for Office 365 that doesn’t have a mailbox.
In most cases, the value for UserPrincipalName matches one of the values in the ProxyAddresses field. This is the recommended configuration but if you cannot change your UPN to match the email address, you must take the following steps:
If the ProxyAddresses column is not populated, the value in the UserPrincipalName is used to authorize the user for the Azure Rights Management service.
To run these checks with PowerShell, first connect to Azure AD with the MSOnline module:

Connect-MsolService

Note: If this command doesn’t work, you can run Install-Module MSOnline to install the MSOnline module.
Next, configure your PowerShell session so that it doesn’t truncate the ProxyAddresses list in the output (by default only the first four values of a collection are shown):

$FormatEnumerationLimit = -1
Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName, ProxyAddresses

Note: -All returns every user in the tenant; without it, Get-MsolUser returns only the first 500 results.
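The command above only lists the raw attribute values. To see at a glance which value Azure Information Protection will use for each account, and to catch the two problem cases described earlier (a UPN that matches none of the proxy addresses, and an authorizing address in a domain that is not verified in the tenant), the following PowerShell script is an added example; it is not code from the original post or from Microsoft. It runs offline against constructed sample users; the function name Get-AipAuthorizationReport, the sample names and the domains contoso.com and fabrikam.com are assumptions. The commented-out lines at the end show how to feed it live output from Get-MsolUser and Get-MsolDomain.

```powershell
# Added example, not from the original post or Microsoft's documentation.
# Reports which attribute value Azure Information Protection would use to
# authorize each user and flags the two cases the post warns about.
function Get-AipAuthorizationReport {
    param(
        # Objects with DisplayName, UserPrincipalName and ProxyAddresses (e.g. Get-MsolUser output)
        [Parameter(Mandatory)] [object[]] $Users,
        # Verified domain names of the tenant (e.g. from Get-MsolDomain)
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )

    foreach ($u in $Users) {
        # proxyAddresses holds entries such as "SMTP:alice@contoso.com" (primary) or
        # "smtp:alias@contoso.com" (secondary) plus non-mail entries like "X500:...".
        # Keep the SMTP entries and strip the prefix; -match/-replace are case-insensitive.
        $emails = @($u.ProxyAddresses |
            Where-Object { $_ -match '^smtp:' } |
            ForEach-Object { $_ -replace '^smtp:', '' })

        if ($emails.Count -gt 0) {
            $source = 'proxyAddresses'
            $authValues = $emails
            # Recommended configuration: the UPN should equal one of the proxy addresses.
            $upnMatches = $emails -contains $u.UserPrincipalName
        } else {
            # No proxy addresses (user created in the portal, or no mailbox): the UPN is used.
            $source = 'userPrincipalName'
            $authValues = @($u.UserPrincipalName)
            $upnMatches = 'n/a'
        }

        # Any authorizing address whose domain is not verified in the tenant cannot be used.
        $unverified = @($authValues |
            ForEach-Object { ($_ -split '@')[-1] } |
            Where-Object { $VerifiedDomains -notcontains $_ } |
            Sort-Object -Unique)

        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            AuthorizedBy      = $source
            AuthorizedValues  = ($authValues -join ';')
            UpnMatchesProxy   = $upnMatches
            UnverifiedDomains = ($unverified -join ';')
        }
    }
}

# Constructed sample data standing in for Get-MsolUser / Get-MsolDomain output
# (hypothetical users and domains).
$verifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')
$sampleUsers = @(
    [pscustomobject]@{ DisplayName = 'Alice'; UserPrincipalName = 'alice@contoso.com'
                       ProxyAddresses = @('SMTP:alice@contoso.com', 'smtp:alice.a@contoso.com') }
    [pscustomobject]@{ DisplayName = 'Bob';   UserPrincipalName = 'bob@contoso.onmicrosoft.com'
                       ProxyAddresses = @('SMTP:bob@contoso.com', 'X500:/o=Contoso/cn=bob') }  # UPN matches no address
    [pscustomobject]@{ DisplayName = 'Carol'; UserPrincipalName = 'carol@contoso.com'
                       ProxyAddresses = @() }                                                 # no mailbox: UPN used
    [pscustomobject]@{ DisplayName = 'Dan';   UserPrincipalName = 'dan@fabrikam.com'
                       ProxyAddresses = @('SMTP:dan@fabrikam.com') }                          # domain not verified
)
Get-AipAuthorizationReport -Users $sampleUsers -VerifiedDomains $verifiedDomains | Format-Table -AutoSize

# Against the live tenant, after Connect-MsolService:
# $FormatEnumerationLimit = -1
# $live = Get-MsolUser -All
# $verifiedLive = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
# Get-AipAuthorizationReport -Users $live -VerifiedDomains $verifiedLive |
#     Where-Object { $_.UpnMatchesProxy -eq $false -or $_.UnverifiedDomains } | Format-Table -AutoSize
```

In the sample output Alice is authorized by her two proxy addresses and her UPN matches one of them; Bob is flagged because his UPN is in the onmicrosoft.com domain while his only mail address is bob@contoso.com; Carol falls back to her UPN because she has no proxy addresses; Dan is flagged because fabrikam.com is not in the verified-domain list. The live filter at the end keeps only the rows that need attention.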


Ref: https://docs.microsoft.com/en-us/azure/information-protection/prepare#group-membership-caching-by-azure-information-protection
