Note: Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?
The Azure Information Protection add-in is retired and replaced with labels that are built in to your Microsoft 365 apps and services. Learn more about the support status of other Azure Information Protection components.
If you have previously deployed Active Directory Rights Management Services (AD RMS), you might be wondering how the Azure Rights Management service compares in terms of functionality and requirements as an information protection solution.
Some of the main differences for the Azure Rights Management service include:
Difference | Description |
---|---|
No server infrastructure required | The Azure Rights Management service doesn't require the extra servers and PKI certificates that AD RMS needs, because Azure takes care of those requirements for you. That makes this cloud solution quicker to deploy and easier to maintain. |
Cloud-based authentication | The Azure Rights Management service uses Microsoft Entra ID for authentication - for both internal users and users from other organizations. That means your users can be authenticated even when they aren't connected to your internal network and it's easier to share encrypted content with users from other organizations. Many organizations already have user accounts in Microsoft Entra ID because they're running Azure services or have Microsoft 365. But if not, a Microsoft account or RMS for individuals lets users create a Trial for authentication. In comparison, to share AD RMS protected content with another organization, you must configure explicit trusts with each organization. |
Built-in support for mobile devices | No deployment changes are needed for the Azure Rights Management service to support mobile devices and Mac computers. To support these devices with AD RMS, you must install the mobile device extension, configure Active Directory Federation Services (AD FS) for federation, and create extra records for your public DNS service. |
Default templates | The Azure Rights Management service automatically creates default templates that restrict access of the content to your own organization. These templates make it easy to start protecting sensitive data immediately. There are no default templates for AD RMS. |
Document tracking and revocation | Only the Azure Rights Management service supports these features. |
Classification and labeling | The Azure Rights Management service integrates with sensitivity labels from Microsoft Purview Information Protection, and other Microsoft Purview capabilities. These labels apply classification, and optionally, protection actions that include encryption from the Azure Rights Management service. Sensitivity labels are built into Microsoft 365 apps and services with no additional installation required. Optionally, use the Microsoft Purview Information Protection client to extend labels to all file types, use PowerShell for automation, and a scanner for on-premises data stores. AD RMS does not support these classification and labeling capabilities. |
In addition, because the Azure Rights Management service is a cloud service, it can deliver new features and fixes more quickly than an on-premises server-based solution. There aren't any new features planned for AD RMS in Windows Server.
Detailed comparison between AIP and AD RMS
For more details, use the following table for a side-by-side comparison.
If you have security-specific comparison questions, see the Cryptographic controls for signing and encryption section in this article.
Difference | Rights Management service | AD RMS |
---|---|---|
Information Rights Management (IRM) | Supports IRM capabilities in both Microsoft Online services and on-premises Microsoft server products. | Supports IRM capabilities for on-premises Microsoft server products, and Exchange Online. |
Secure collaboration | Automatically enables secure collaboration on documents with any organization that also uses Microsoft Entra ID for authentication. | Secure collaboration on documents outside the organization requires authentication trusts to be explicitly defined in a direct point-to-point relationship between two organizations. You must configure either trusted user domains (TUDs) or federated trusts that you create by using Active Directory Federation Services (AD FS). |
Encrypted emails | Send an encrypted email (optionally, with Office and PDF document attachments that are automatically encrypted) to users when no authentication trust relationship exists. This scenario is made possible by using federation with social providers or a one-time passcode and web browser for viewing. | Doesn't support sending encrypted email when no authentication trust relationship exists. |
Multifactor authentication (MFA) | Supports MFA for computers and mobile devices. For more information, see Multifactor authentication (MFA). | Supports smart card authentication if IIS is configured to request certificates. |
Cryptographic Mode | Supports Cryptographic Mode 2 by default, to provide a recommended level of security for key lengths and encryption algorithms. | Supports Cryptographic Mode 1 by default, and requires extra configuration to support Cryptographic Mode 2 for a recommended level of security. For more information, see AD RMS Cryptographic Modes. |
Licensing | Requires a license for Microsoft Purview Information Protection with Microsoft 365 to encrypt content. No license is required to consume content that has been protected by the Azure Rights Management service (this includes users from another organization). | Requires an RMS license to encrypt content, and to consume content that has been encrypted by AD RMS. For more information about licensing, see Client Access Licenses and Management Licenses for general information, but contact your Microsoft partner or Microsoft representative for specific information. |
Cryptographic controls for signing and encryption
By default, the Azure Rights Management service uses RSA 2048 for all public key cryptography and SHA 256 for signing operations. In comparison, AD RMS supports RSA 1024 and RSA 2048, and SHA 1 or SHA 256 for signing operations; which of these an AD RMS deployment actually uses depends on its cryptographic mode (see the Cryptographic Mode row in the table above).
Both the Azure Rights Management service and AD RMS use AES 128 for symmetric encryption.
The Azure Rights Management service is compliant with FIPS 140-2 when your tenant key size is 2048 bits, which is the default when the service is activated.
For more information about the cryptographic controls, see Cryptographic controls: Algorithms and key lengths.
Next steps
For more detailed requirements to use the Azure Rights Management service, see Requirements for the Azure Rights Management service.