Hold your own key (HYOK) details for Azure Information Protection
Applies to: Azure Information Protection
Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see Double Key Encryption.
If you have Windows 7 or Office 2010, see AIP and legacy Windows and Office versions.
Note
To provide a unified and streamlined customer experience, we are sunsetting the Azure Information Protection classic client and Label Management in the Azure Portal as of March 31, 2021. No further support is provided for the classic client and maintenance versions will no longer be released.
- The classic client will be fully retired, and will stop functioning, on March 31, 2022.
- As of March 18, 2022, we are also sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022.
For more information, see Removed and retired services.
Hold Your Own Key (HYOK) configurations enable AIP customers with the classic client to protect highly sensitive content while maintaining full control of their key. HYOK uses an additional, customer-held key that's stored on premises for highly sensitive content, together with the default cloud-based protection used for other content.
For more information about the default, cloud-based tenant root keys, see Planning and implementing your Azure Information Protection tenant key.
Cloud-based protection vs. HYOK
Typically, protecting sensitive documents and emails using Azure Information Protection uses a cloud-based key that is either generated by Microsoft or by the customer, using a BYOK configuration.
Cloud-based keys are managed in Azure Key Vault, which provides customers with the following benefits:
No server infrastructure requirements. Cloud solutions are quicker and more cost-effective to deploy and maintain than on-premises solutions.
Cloud-based authentication enables easier sharing with partners and users from other organizations.
Tight integration with other Azure and Microsoft 365 services, such as search, web viewers, pivoted views, anti-malware, eDiscovery, and Delve.
Document tracking, revocation, and email notifications for sensitive documents that you have shared.
However, some organizations may have regulatory requirements that require specific content to be encrypted using a key that is isolated from the cloud. This isolation means that encrypted content can be read only by on-premises applications and on-premises services.
With HYOK configurations, customer tenants have both a cloud-based key to use with content that can be stored on the cloud, and an on-premises key for content that must be protected on-premises only.
HYOK guidance and best practices
When configuring HYOK, consider the following recommendations:
- Content suitable for HYOK
- Define the users who can see HYOK-configured labels
- HYOK and email support
Important
An HYOK configuration for Azure Information Protection is not a replacement for a full AD RMS and Azure Information Protection deployment.
HYOK is supported only by applying labels, does not offer feature parity with AD RMS, and does not support all AD RMS deployment configurations.
Content suitable for HYOK
HYOK protection doesn't provide the benefits of cloud-based protection, and often comes at the cost of "data opacity", since the content can be accessed only by on-premises applications and services. Even for organizations that use HYOK protection, it's typically suitable only for a small number of documents.
We recommend that you use HYOK only for content that matches the following criteria:
- Content with the highest classification in your organization ("Top Secret"), where access is restricted to just a few people
- Content that isn't shared outside the organization
- Content that is consumed only on the internal network.
Define the users who can see HYOK-configured labels
To ensure that only users who need to apply HYOK protection see the HYOK-configured labels, configure your policy for those users with scoped policies.
HYOK and email support
Microsoft 365 services and other online services can't decrypt HYOK-protected content.
For emails, this loss of functionality includes malware scanners, encrypt-only protection, data loss prevention (DLP) solutions, mail routing rules, journaling, eDiscovery, archiving solutions, and Exchange ActiveSync.
Users may not understand why some devices aren't able to open HYOK-protected emails, leading to additional calls to your help desk. Be aware of these severe limitations when configuring HYOK protection with emails.
Supported applications for HYOK
Use Azure Information Protection labels to apply HYOK to specific documents and emails. HYOK is supported for Office versions 2013 and higher.
HYOK is an administrator configuration option for labels, and workflows remain the same regardless of whether the content uses a cloud-based key or HYOK.
The following tables list the supported scenarios for protecting and consuming content using HYOK-configured labels:
- Windows application support for HYOK
- macOS application support for HYOK
- iOS application support for HYOK
- Android application support for HYOK
Note
Office Web and Universal applications are not supported for HYOK.
Windows application support for HYOK
Application | Protection | Consumption |
---|---|---|
Azure Information Protection client with Microsoft 365 apps, Office 2019, Office 2016, and Office 2013: Word, Excel, PowerPoint, Outlook | | |
Azure Information Protection client with File Explorer | | |
Azure Information Protection Viewer | Not applicable | |
Azure Information Protection client with PowerShell labeling cmdlets | | |
Azure Information Protection scanner | | |
macOS application support for HYOK
Application | Protection | Consumption |
---|---|---|
Office for Mac: Word, Excel, PowerPoint, Outlook | | |
iOS application support for HYOK
Application | Protection | Consumption |
---|---|---|
Office Mobile: Word, Excel, PowerPoint | | |
Office Mobile: Outlook only | | |
Azure Information Protection Viewer | Not applicable | |
Android application support for HYOK
Application | Protection | Consumption |
---|---|---|
Office Mobile: Word, Excel, PowerPoint | | |
Office Mobile: Outlook only | | |
Azure Information Protection Viewer | Not applicable | |
Implementing HYOK
Azure Information Protection supports HYOK when you have an Active Directory Rights Management Services (AD RMS) deployment that complies with all of the requirements listed below.
Usage rights policies and the organization's private key that protects these policies are managed and kept on-premises, while the Azure Information Protection policy for labeling and classification remains managed and stored in Azure.
To implement HYOK protection:
- Make sure your system complies with the AD RMS requirements
- Locate the information you want to protect
When you're ready, continue with How to configure a label for Rights Management protection.
Requirements for AD RMS to support HYOK
An AD RMS deployment must meet the following requirements to provide HYOK protection for Azure Information Protection labels:
Requirement | Description |
---|---|
AD RMS configuration | Your AD RMS system must be configured in specific ways to support HYOK. For more information, see below. |
Directory synchronization | Directory synchronization must be configured between your on-premises Active Directory and the Azure Active Directory. Users who will use HYOK protection labels must be configured for single-sign-on. |
Configuration for explicitly defined trusts | If you share HYOK-protected content with others outside your organization, AD RMS must be configured for explicitly defined trusts in a direct point-to-point relationship with the other organizations. Do this using trusted user domains (TUDs) or federated trusts that are created using Active Directory Federation Services (AD FS). |
Microsoft Office supported version | Users who are protecting or consuming HYOK-protected content must have a version of Office that supports Information Rights Management (IRM). IRM is supported only for Microsoft 365 Apps for enterprise (build 11731.10000 or higher). Note: Office 2010, Office 2013, and other Office 2016 versions are not supported. |
Important
To fulfill the high assurance that HYOK protection offers, we recommend:
- Locate your AD RMS servers outside of your DMZ, and ensure that they are used only by managed devices.
- Configure your AD RMS cluster with a hardware security module (HSM). This helps to ensure that your Server Licensor Certificate (SLC) private key cannot be exposed or stolen if your AD RMS deployment should ever be breached or compromised.
Tip
For deployment information and instructions for AD RMS, see Active Directory Rights Management Services in the Windows Server library.
AD RMS configuration requirements
To support HYOK, ensure that your AD RMS system has the following configurations:
Requirement | Description |
---|---|
Windows version | At minimum, one of the following Windows versions: production environments: Windows Server 2012 R2; testing/evaluation environments: Windows Server 2008 R2 with Service Pack 1 |
Topology | HYOK requires one of the following topologies: a single forest with a single AD RMS cluster, or multiple forests with AD RMS clusters in each of them.<br><br>Licensing for multiple forests: if you have multiple forests, each AD RMS cluster shares a licensing URL that points to the same AD RMS cluster. On this AD RMS cluster, import all the trusted user domain (TUD) certificates from all other AD RMS clusters. For more information about this topology, see Trusted User Domain.<br><br>Global policy labels for multiple forests: when you have multiple AD RMS clusters in separate forests, delete any labels in the global policy that apply HYOK (AD RMS) protection and configure a scoped policy for each cluster. Assign users for each cluster to their scoped policy, making sure that you do not use groups that would result in a user being assigned to more than one scoped policy. The result should be that each user has labels for one AD RMS cluster only. |
Cryptographic mode | Your AD RMS must be configured with Cryptographic Mode 2. Confirm the mode by checking the AD RMS cluster properties, General tab. |
Certification URL configuration | Each AD RMS server must be configured for the certification URL. For more information, see below. |
Service connection points | A service connection point (SCP) is not used when you use AD RMS protection with Azure Information Protection. If you have an SCP registered for your AD RMS deployment, remove it to ensure that service discovery is successful for Azure Rights Management protection. If you are installing a new AD RMS cluster for HYOK, do not register the SCP when configuring the first node. For each additional node, make sure that the server is configured for the certification URL before you add the AD RMS role and join the existing cluster. |
SSL/TLS | In production environments, the AD RMS servers must be configured to use SSL/TLS with a valid x.509 certificate that is trusted by the connecting clients. This is not required for testing or evaluation purposes. |
Rights templates | You must have rights templates configured for your AD RMS. |
Exchange IRM | Your AD RMS must not be configured for Exchange IRM. |
Configuring AD RMS servers to locate the certification URL
On each AD RMS server in the cluster, create the following registry entry:
Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\GICURL = "<string value>"
For the <string value>, specify one of the following strings:
Environment | String value |
---|---|
Production (AD RMS clusters using SSL/TLS) | https://<cluster_name>/_wmcs/certification/certification.asmx |
Testing / evaluation (no SSL/TLS) | http://<cluster_name>/_wmcs/certification/certification.asmx |
Restart IIS.
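The registry step above, as an added PowerShell example that is not part of this page or of the AD RMS product. It writes the GICURL value under the key the page names, builds the string in the page's two formats (https for production, http only for testing), reads the value back before restarting IIS so a typo in the cluster name is caught first, and supports -WhatIf. The function and parameter names are this example's own; run it elevated on each node of the cluster.

```powershell
# Added example; not from the Microsoft page. Registry path and URL formats are
# the ones the page specifies; function and parameter names are assumptions.

function New-AdRmsCertificationUrl {
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [Parameter(Mandatory)][ValidateSet('Production', 'Testing')][string]$Environment
    )
    # Production clusters must use SSL/TLS, so only the https form is produced there.
    $scheme = if ($Environment -eq 'Production') { 'https' } else { 'http' }
    return ('{0}://{1}/_wmcs/certification/certification.asmx' -f $scheme, $ClusterName)
}

function Set-AdRmsCertificationUrl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [Parameter(Mandatory)][ValidateSet('Production', 'Testing')][string]$Environment
    )
    # HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS, as given on the page.
    $keyPath = 'HKLM:\Software\Microsoft\DRMS'
    $url = New-AdRmsCertificationUrl -ClusterName $ClusterName -Environment $Environment

    if (-not (Test-Path -Path $keyPath)) {
        # The DRMS key normally exists on an AD RMS server; create it only if missing.
        New-Item -Path $keyPath -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess("$keyPath\GICURL", "Set to $url")) {
        Set-ItemProperty -Path $keyPath -Name 'GICURL' -Value $url -Type String

        # Read the value back before touching IIS; a wrong cluster name here breaks
        # certification for every client that talks to this node.
        $actual = (Get-ItemProperty -Path $keyPath -Name 'GICURL').GICURL
        if ($actual -ne $url) {
            throw "GICURL read-back mismatch: expected '$url', found '$actual'"
        }

        # Final step from the page: restart IIS so the AD RMS web services load the value.
        & iisreset.exe /restart | Out-Null
    }
    return $url
}

# Usage on a production node (sample cluster name; replace with your own):
# Set-AdRmsCertificationUrl -ClusterName 'rmscluster.contoso.com' -Environment Production
# Preview only, without changing anything:
# Set-AdRmsCertificationUrl -ClusterName 'rmscluster.contoso.com' -Environment Testing -WhatIf
```

The -WhatIf path is useful when rolling the change across several nodes: it prints the exact value that would be written without modifying the registry or restarting IIS.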
Locating the information to specify AD RMS protection with an Azure Information Protection label
Configuring HYOK-protection labels requires that you specify the licensing URL of your AD RMS cluster.
Additionally, you must either specify a template that you've configured with the permissions you want to grant users, or enable users to define permissions and users.
Do the following to locate the template GUID and licensing URL values from the Active Directory Rights Management Services console:
Locate a template GUID
Expand the cluster and click Rights Policy Templates.
From the Distributed Rights Policy Templates information, copy the GUID from the template you want to use.
For example: 82bf3474-6efe-4fa1-8827-d1bd93339119
Locate the licensing URL
Click the cluster name.
From the Cluster Details information, copy the Licensing value minus the /_wmcs/licensing string.
For example: https://rmscluster.contoso.com
Note
If you have different extranet and intranet licensing values, specify the extranet value only if you will be sharing protected content with partners. Partners who share protected content must be defined with explicit point-to-point trusts.
If you are not sharing protected content, use the intranet value and make sure that all client computers that are using AD RMS protection with Azure Information Protection connect via an intranet connection. For example, remote computers must use a VPN connection.
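As an added example (not from this page or from Microsoft), the following PowerShell validates the two values the label configuration needs before you type them into the label: it derives the licensing URL by stripping the /_wmcs/licensing suffix from the Licensing value copied from Cluster Details, checks that the template GUID is well-formed, and applies the note's rule of using the extranet value only when sharing with partners. Function and parameter names, and the sample values in the usage lines, are this example's own.

```powershell
# Added example; not from the Microsoft page. Function names, parameters and
# sample values are assumptions; the /_wmcs/licensing suffix and the
# intranet/extranet rule come from the page.

function ConvertTo-AdRmsLicensingUrl {
    param([Parameter(Mandatory)][string]$LicensingValue)
    # Cluster Details shows e.g. https://rmscluster.contoso.com/_wmcs/licensing;
    # the label needs only the part before /_wmcs/licensing.
    $trimmed = $LicensingValue.Trim().TrimEnd('/')
    if ($trimmed -notmatch '^(?<base>https?://[^/]+)/_wmcs/licensing$') {
        throw "Unexpected licensing value format: '$LicensingValue'"
    }
    return $Matches['base']
}

function Test-AdRmsTemplateGuid {
    param([Parameter(Mandatory)][string]$TemplateGuid)
    # Distributed Rights Policy Templates lists the GUID in canonical form,
    # e.g. 82bf3474-6efe-4fa1-8827-d1bd93339119.
    $parsed = [guid]::Empty
    return [guid]::TryParse($TemplateGuid, [ref]$parsed)
}

function Get-HyokLabelSettings {
    param(
        [Parameter(Mandatory)][string]$IntranetLicensingValue,
        [string]$ExtranetLicensingValue,
        [Parameter(Mandatory)][string]$TemplateGuid,
        [switch]$SharingWithPartners
    )
    if (-not (Test-AdRmsTemplateGuid -TemplateGuid $TemplateGuid)) {
        throw "'$TemplateGuid' is not a valid template GUID"
    }

    # Rule from the note: the extranet value is used only when protected content
    # will be shared with partners (who then need explicit point-to-point trusts).
    $source = if ($SharingWithPartners) {
        if (-not $ExtranetLicensingValue) {
            throw 'Sharing with partners requires the extranet licensing value'
        }
        $ExtranetLicensingValue
    } else {
        $IntranetLicensingValue
    }

    $url = ConvertTo-AdRmsLicensingUrl -LicensingValue $source
    if ($url -notlike 'https://*') {
        # The requirements table says production clusters must use SSL/TLS.
        Write-Warning "Licensing URL '$url' is not HTTPS; acceptable only for testing/evaluation"
    }

    [pscustomobject]@{
        LicensingUrl      = $url
        TemplateGuid      = ([guid]$TemplateGuid).Guid
        UsesExtranetValue = [bool]$SharingWithPartners
    }
}

# Usage with constructed sample values (internal-only content, intranet value):
# Get-HyokLabelSettings -IntranetLicensingValue 'https://rmscluster.contoso.com/_wmcs/licensing' `
#     -TemplateGuid '82bf3474-6efe-4fa1-8827-d1bd93339119'
# Returns LicensingUrl = https://rmscluster.contoso.com and the normalized GUID.
```

Keeping the choice between the intranet and extranet value explicit (the -SharingWithPartners switch) avoids the common mistake of pasting the extranet URL into a label whose content is never shared, which would route remote clients to an endpoint they should only reach through a VPN.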
Next steps
When you're done configuring your system to support HYOK, continue with configuring labels for HYOK protection. For more information, see How to configure a label for Rights Management protection.