Preparing users and groups for Azure Information Protection


To authorize users, Azure Information Protection uses two Azure AD attributes: proxyAddresses and userPrincipalName.

Your first check is to make sure that the users you want to use with Azure Information Protection are displayed in the output of the PowerShell commands at the end of this section.

Then check whether the ProxyAddresses column is populated for them. If it is, the email values in this column can be used to authorize the user for Azure Information Protection.


The Azure AD proxyAddresses attribute stores all email addresses for an account and can be populated in different ways. For example, a user in Office 365 who has an Exchange Online mailbox automatically has an email address stored in this attribute. If you assign an alternative email address to an Office 365 user, it is also saved in this attribute. It can also be populated by email addresses synchronized from on-premises accounts.
Azure Information Protection can use any value in this Azure AD proxyAddresses attribute, provided the domain has been added to your tenant as a verified domain; addresses in domains that are not verified cannot be used. For more information, see the Azure AD documentation on adding and verifying a custom domain name.



The Azure AD userPrincipalName attribute is used only when an account in your tenant has no values in the Azure AD proxyAddresses attribute, for example when you create a user in the Azure portal, or create a user for Office 365 who doesn't have a mailbox.



In most cases, the value of UserPrincipalName matches one of the values in ProxyAddresses. This is the recommended configuration, but if you cannot change the UPN to match the email address, you must take the following steps:


If the ProxyAddresses column is not populated, the value in UserPrincipalName is used instead to authorize the user for the Azure Rights Management service.





To check these values, use the MSOnline PowerShell module. Note: if the Msol cmdlets below are not recognized, run Install-Module MSOnline to install the module, then sign in with Connect-MsolService before running them.


Next, configure your PowerShell session so that it doesn't truncate multi-valued properties such as ProxyAddresses:

$FormatEnumerationLimit = -1

Then list the users with both attributes:

Get-MsolUser | Select-Object DisplayName, UserPrincipalName, ProxyAddresses
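The one-liner above shows the raw attributes; what you actually want to know per user is which attribute Azure Information Protection will use, whether the UPN matches one of the email addresses, and whether any of those addresses is in a domain the tenant has not verified. The following script is an added example, not code from the original page. It assumes the MSOnline module is installed and that Connect-MsolService succeeds; Get-AipIdentityReport is a helper name chosen for this example.

```powershell
# Added example (not from the original page): report which identity attribute
# Azure Information Protection will use for each user and flag mismatches.
# Assumes the MSOnline module is installed and the account can run Connect-MsolService.
# Note: MSOnline is deprecated; Microsoft Graph PowerShell is Microsoft's replacement.

Import-Module MSOnline
Connect-MsolService                      # prompts for tenant credentials

# Do not truncate multi-valued properties such as ProxyAddresses in table output
$FormatEnumerationLimit = -1

# Only addresses in verified domains can be used by Azure Information Protection
$verifiedDomains = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name

function Get-AipIdentityReport {
    param([Parameter(Mandatory)][string[]]$VerifiedDomains)

    Get-MsolUser -All | ForEach-Object {
        $upn = $_.UserPrincipalName

        # proxyAddresses values look like "SMTP:user@contoso.com" (primary) or
        # "smtp:alias@contoso.com"; strip the prefix to get plain addresses
        $emails = @($_.ProxyAddresses |
            Where-Object { $_ -match '^smtp:' } |
            ForEach-Object { $_ -replace '^smtp:', '' })

        # Same rule as described above: proxyAddresses wins when populated,
        # otherwise the UPN is used
        if ($emails.Count -gt 0) {
            $authorizedBy = 'proxyAddresses'
            $values       = $emails
        } else {
            $authorizedBy = 'userPrincipalName'
            $values       = @($upn)
        }

        # Any value whose domain is not verified cannot authorize the user
        $unverified = @($values | Where-Object { ($_ -split '@')[-1] -notin $VerifiedDomains })

        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            UserPrincipalName = $upn
            AuthorizedBy      = $authorizedBy
            AuthorizedValues  = ($values -join ';')
            UpnMatchesEmail   = ($emails -contains $upn)   # false for UPN-only users
            UnverifiedDomains = ($unverified -join ';')
        }
    }
}

# Show only the accounts that need attention: UPN not in proxyAddresses,
# or authorized by an address in an unverified domain
Get-AipIdentityReport -VerifiedDomains $verifiedDomains |
    Where-Object { -not $_.UpnMatchesEmail -or $_.UnverifiedDomains } |
    Format-Table -AutoSize
```

Run it once before rolling out Azure Information Protection and again after any change to proxyAddresses or verified domains; an empty result means every user is in the recommended configuration.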




Removing the label from protected PDFs (.ppdf back to .pdf)

When the Azure Information Protection client protects a PDF it saves it as .ppdf; removing the label (and with it the protection) turns the file back into a normal .pdf. The following commands remove or assign labels for files in a shared folder.

First connect to the Azure Information Protection PowerShell module (see the section on installing and importing it below).

Get the status of the protected PDF files only; be sure to filter on *.ppdf:

Get-ChildItem \\servername\foldername\*.ppdf -File -Recurse | Get-AIPFileStatus

Note: removing a label requires a justification message, which is written to the usage logs.

Get-ChildItem \\servername\sharename\*.ppdf -File -Recurse | Set-AIPFileLabel -RemoveLabel -JustificationMessage "The previous label no longer applies"

Then verify the result:

Get-AIPFileStatus "\\servername\sharename\*.ppdf"

To apply any other label to files of any extension (here .docx) that are not yet labeled:

Get-ChildItem drive:\folder\*.docx -File -Recurse | Get-AIPFileStatus | where {$_.IsLabeled -eq $False} | Set-AIPFileLabel -LabelId <ID of the label>

See the Set-AIPFileLabel documentation for all parameters.
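The commands above are run one by one; in practice you want an inventory before touching anything, a dry run, and a report of the files that failed so they can be retried. The following script is an added example, not code from the original page. It assumes the Azure Information Protection client and its PowerShell module are installed, and the share path, label GUID and the function name Invoke-AipRelabel are placeholders chosen for this example.

```powershell
# Added example (not from the original page): remove labels from .ppdf files on a share
# and label any still-unlabeled .docx files, with an inventory, a dry run and a failure report.
# Assumes the Azure Information Protection client (classic) PowerShell module is installed.
# The share path and label GUID below are placeholders.

Import-Module AzureInformationProtection

function Invoke-AipRelabel {
    param(
        [Parameter(Mandatory)][string]$SharePath,      # e.g. \\servername\sharename
        [Parameter(Mandatory)][string]$TargetLabelId,  # GUID, e.g. MainLabelId from Get-AIPFileStatus
        [string]$Justification = 'The previous label no longer applies',
        [switch]$DryRun
    )

    # 1. Inventory: record label and protection state before changing anything
    $before = Get-ChildItem -Path $SharePath -Include *.ppdf, *.docx -File -Recurse |
        Get-AIPFileStatus
    $before | Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected |
        Format-Table -AutoSize

    $ppdfCount = @($before | Where-Object { $_.FileName -like '*.ppdf' }).Count
    $unlabeledDocx = @($before | Where-Object { $_.FileName -like '*.docx' -and -not $_.IsLabeled }).Count
    if ($DryRun) {
        Write-Output "Dry run: $ppdfCount .ppdf file(s) would lose their label, $unlabeledDocx .docx file(s) would be labeled"
        return $before
    }

    # 2. Remove the label (and therefore the protection) from .ppdf files; a justification is mandatory
    $removed = Get-ChildItem -Path $SharePath -Filter *.ppdf -File -Recurse |
        Set-AIPFileLabel -RemoveLabel -JustificationMessage $Justification

    # 3. Apply the target label only to .docx files that have no label yet
    $labeled = Get-ChildItem -Path $SharePath -Filter *.docx -File -Recurse |
        Get-AIPFileStatus |
        Where-Object { -not $_.IsLabeled } |
        Set-AIPFileLabel -LabelId $TargetLabelId

    # 4. Report anything that did not succeed (locked files, unsupported types, no rights)
    $results = @($removed) + @($labeled)
    $failed = @($results | Where-Object { $_.Status -ne 'Success' })
    if ($failed.Count -gt 0) {
        Write-Warning "$($failed.Count) file(s) were not changed:"
        $failed | Select-Object FileName, Status, Comment | Format-Table -AutoSize
    }
    return $results
}

# Dry run first; drop -DryRun to apply the changes
Invoke-AipRelabel -SharePath '\\servername\sharename' `
                  -TargetLabelId '00000000-0000-0000-0000-000000000000' -DryRun
```

Run with -DryRun first and compare the counts against what you expect from the share; the account running the script needs rights to the files, and removing protection from a .ppdf requires that the account is an owner or has been granted the right to remove protection by the label or template.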



The following screenshots (not reproduced here) show the label configuration and the client:

[Screenshot: general view of the labels in the Azure portal]

[Screenshot: the labels as they appear in Office]

[Screenshot: connecting to the Azure Information Protection PowerShell module; the session is connected]

[Screenshot: classifying a PDF with Classify and protect from the Explorer right-click menu]

PowerShell for Azure portal admin tasks

The Azure Information Protection client installs the PowerShell module; import it into the session:

Import-Module AzureInformationProtection

Get-AIPFileStatus gets the Azure Information Protection label and protection information for a specified file or files. Its output also includes the label ID (MainLabelId), which is the value you need for Set-AIPFileLabel.

Set-AIPFileLabel (you will need the label ID) sets or removes an Azure Information Protection label for a file, and sets the protection according to the label configuration.

[Screenshot: the permissions configured for the labels]

Azure Rights Management usage logs and document tracking


Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

Your subscription must support document tracking and revocation; it is included in Azure Information Protection Premium P1 and Azure Information Protection Premium P2.

When the document tracking site is enabled, by default it shows information such as the email addresses of the people who attempted to access the protected documents, when they tried to access them, and their location.


Check the PowerShell module version: you must have at least the minimum version of the AADRM module for PowerShell that supports document tracking.

Install the module (answer Yes when prompted to trust the repository):

Install-Module -Name AADRM

Get all the module commands:

Get-Command -Module AADRM

Or update the module:

Update-Module -Name AADRM

Check the installed version:

(Get-Module AADRM -ListAvailable).Version

First you need to connect to the Azure Rights Management service:

Connect-AadrmService

Then check whether document tracking is enabled:

Get-AadrmDocumentTrackingFeature

You can enable it with:

Enable-AadrmDocumentTrackingFeature

Note: the AADRM module has since been replaced by the AIPService module; the same cmdlets exist there with the Aadrm prefix replaced by AipService (for example Connect-AipService and Enable-AipServiceDocumentTrackingFeature).
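Putting the steps above into one idempotent function makes them safe to rerun from a build server or a runbook: it only installs or updates when the installed version is too old, and only enables tracking when it is currently disabled. This is an added example, not code from the original page. The minimum version value is a placeholder (the required number is not stated here), Enable-DocumentTracking is a name chosen for this example, and it assumes Get-AadrmDocumentTrackingFeature returns the strings Enabled or Disabled.

```powershell
# Added example (not from the original page): ensure the AADRM module meets a minimum
# version, connect, and enable document tracking only if it is currently disabled.
# $MinimumVersion is a placeholder; replace it with the version your tenant requires.
# Assumes Get-AadrmDocumentTrackingFeature returns 'Enabled' or 'Disabled'.
# Note: AADRM has been replaced by the AIPService module (Connect-AipService,
# Get-AipServiceDocumentTrackingFeature, Enable-AipServiceDocumentTrackingFeature).

function Enable-DocumentTracking {
    param([version]$MinimumVersion = '2.5.0.0')   # placeholder value

    # Pick the newest installed copy of the module, if any
    $installed = Get-Module -Name AADRM -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1

    if (-not $installed) {
        Install-Module -Name AADRM -Scope CurrentUser -Force
    } elseif ($installed.Version -lt $MinimumVersion) {
        Update-Module -Name AADRM
    }
    Import-Module AADRM

    $version = (Get-Module AADRM).Version
    if ($version -lt $MinimumVersion) {
        throw "AADRM $version is below the required $MinimumVersion; update the module before continuing"
    }

    Connect-AadrmService            # prompts for an Azure Information Protection admin account

    $state = "$(Get-AadrmDocumentTrackingFeature)"
    if ($state -eq 'Enabled') {
        Write-Output 'Document tracking is already enabled'
    } else {
        Enable-AadrmDocumentTrackingFeature
        $state = "$(Get-AadrmDocumentTrackingFeature)"   # read back to confirm
    }
    return $state
}

Enable-DocumentTracking
```

The read-back after enabling is deliberate: the return value is what you log or assert on, rather than assuming the enable call took effect.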



For event log monitoring

The client logs user activity to the local Windows event log under Applications and Services Logs > Azure Information Protection. The events include the following information:

Client version and policy ID

IP address of the signed-in user

File name and location

Event IDs and levels written by the client:

Set Label: Information, ID 101

Set Label (lower): Warning, ID 102

Set Label (higher): Information, ID 103

Remove label: Warning, ID 104

Recommended tip: Information, ID 105

Apply custom protection: Information, ID 201

Remove custom protection: Warning, ID 202

Sign in (operational): Information, ID 902

Download policy (operational): Information, ID 901

Event ID 102 (label lowered) is the most important event to monitor: it records a user downgrading a label, which can strip protection from a document, together with the justification the user typed. Example of such an event:

Item Name: wordpressv1intro.docx
Item Directory: path
Process Name: WINWORD
Action: Set Label
Protection Before Action: Protected
Protection After Action: Unprotected
Owner Before Action:
Label Before Action: Internal
Label ID Before Action: labelidnaylabel
Label After Action: Public
Label ID After Action: labelidnaylabel
User Justification: teta
Labeled Before Action: Automatically
Action Source: Manual
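The fields in that event are what a detection needs: a downgrade from Protected to Unprotected, the labels before and after, and the justification text. The following script is an added example, not code from the original page. It assumes the event message is laid out as "Field: value" lines as in the sample above, the sample message it parses is constructed for the example (the directory path is invented), and ConvertFrom-AipEventMessage and Test-AipDowngrade are names chosen here.

```powershell
# Added example (not from the original page): parse Azure Information Protection client
# events and flag label downgrades (ID 102) and label/protection removals (IDs 104, 202).
# The "Field: value" message layout is assumed from the sample event above; the sample
# message below is constructed for this example, not captured from a real host.

function ConvertFrom-AipEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Split on the first colon only, so values containing colons (paths) survive
        if ($line -match '^\s*([^:]+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $fields
}

function Test-AipDowngrade {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][hashtable]$Fields
    )
    # 102 = label lowered, 104 = label removed, 202 = custom protection removed
    $suspiciousId = $Id -in 102, 104, 202
    # Also catch any event where protection was lost, whatever its ID
    $protectionDropped = ($Fields['Protection Before Action'] -eq 'Protected') -and
                         ($Fields['Protection After Action'] -eq 'Unprotected')

    [pscustomobject]@{
        EventId           = $Id
        Item              = $Fields['Item Name']
        Process           = $Fields['Process Name']
        LabelBefore       = $Fields['Label Before Action']
        LabelAfter        = $Fields['Label After Action']
        Justification     = $Fields['User Justification']
        ProtectionDropped = $protectionDropped
        Alert             = ($suspiciousId -or $protectionDropped)
    }
}

# Constructed sample laid out like the ID 102 event shown above
$sampleMessage = @"
Item Name: wordpressv1intro.docx
Item Directory: C:\Users\example\Documents
Process Name: WINWORD
Action: Set Label
Protection Before Action: Protected
Protection After Action: Unprotected
Owner Before Action:
Label Before Action: Internal
Label After Action: Public
User Justification: teta
Labeled Before Action: Automatically
Action Source: Manual
"@

Test-AipDowngrade -Id 102 -Fields (ConvertFrom-AipEventMessage -Message $sampleMessage)

# On a machine with the client installed, run the same check over the last day's real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Azure Information Protection'; Id = 102, 104, 202;
#                                  StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { Test-AipDowngrade -Id $_.Id -Fields (ConvertFrom-AipEventMessage -Message $_.Message) }
```

For the sample event the result has ProtectionDropped and Alert set to true with the justification "teta"; an empty or one-word justification on a downgrade is usually the first thing an analyst should question. Forward the log to your SIEM (the channel name is Azure Information Protection) rather than querying each client, since the event only exists on the machine where the downgrade happened.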
