The default Azure Information Protection policy

Applies to: Azure Information Protection

Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see Learn about sensitivity labels from the Microsoft 365 documentation.

Note

To provide a unified and streamlined customer experience, we are sunsetting the Azure Information Protection classic client and Label Management in the Azure Portal as of March 31, 2021. No further support is provided for the classic client, and maintenance versions will no longer be released.

  • The classic client will be fully retired, and will stop functioning, on March 31, 2022.
  • As of March 18, 2022, we are also sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022.

The content in this article is provided to support customers with extended support only. For more information, see Removed and retired services.

Use the following information to understand how the default policy for Azure Information Protection is configured.

When an administrator first connects to the Azure Information Protection service by using the Azure portal, the Azure Information Protection default policy for that tenant is created. Occasionally, Microsoft might make changes to this default policy but if you were already using the service before the default policy was revised, your earlier version of the Azure Information Protection default policy is not updated because you might have configured it and deployed into production.

You can reference the following values to return your Azure Information Protection policy to the defaults, or update your Azure Information Protection policy to the latest values.

Important

Starting April 2019, the default labels are not automatically created for new customers. These tenants are automatically provisioned for the unified labeling platform, so there is no need to migrate labels after you have configured them in the Azure portal.

For these tenants, if there aren't any sensitivity labels already created in the Microsoft 365 compliance center, you can create the default labels from the current default policy for Azure Information Protection. To do this, select Generate default labels from the Labels pane, and add the labels to the global policy. If you don't see the option to generate default labels, you might need to first activate unified labeling from the Manage > Unified labeling pane. For detailed instructions, see the Get started with Azure Information Protection in the Azure portal quickstart.

Current default policy

This version of the Azure Information Protection default policy is from July 31, 2017.

This Azure Information Protection default policy is created when the Azure Rights Management service is activated, which is the case for new tenants starting February 2018. For more information, see the blog post announcement Improvements to the protection stack in Azure Information Protection.

This Azure Information Protection default policy is also created if you have manually activated the service before the Azure Information Protection policy was created.

If the service was not activated, the Azure Information Protection default policy does not configure protection for the following sublabels:

  • Confidential \ All Employees

  • Confidential \ Recipients Only

  • Highly Confidential \ All Employees

  • Highly Confidential \ Recipients Only

When these sublabels are not automatically configured for protection, the Azure Information Protection default policy remains the same as the previous default policy.

When protection is applied to the All Employees sublabels, the protection is configured by using the default templates that are automatically converted to labels in the Azure portal. For more information about these templates, see Configuring and managing templates for Azure Information Protection.

Starting August 30, 2017, this version of the Azure Information Protection default policy includes multi-language versions of the label names and descriptions.

More information about the Recipients Only sublabel

Users see this label in Outlook only. They do not see this label in Word, Excel, PowerPoint, or from File Explorer.

When users select this label, the Outlook Do Not Forward option is automatically applied to the email. The recipients that the users specify cannot forward the email and cannot copy or print the contents, or save any attachments.

Labels

Label Tooltip Settings
Personal Non-business data, for personal use only. Enabled: On

Color: Light green

Visual markings: Off

Conditions: None

Protection: None
Public Business data that is specifically prepared and approved for public consumption. Enabled: On

Color: Green

Visual markings: Off

Conditions: None

Protection: None
General Business data that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication. Enabled: On

Color: Blue

Visual markings: Off

Conditions: None

Protection: None
Confidential Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data. Enabled: On

Color: Orange

Visual markings: Off

Conditions: None

Protection: None
Highly Confidential Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. Enabled: On

Color: Red

Visual markings: Off

Conditions: None

Protection: None

Sublabels

Label Tooltip Settings
Confidential \ All Employees Confidential data that requires protection, which allows all employees full permissions. Data owners can track and revoke content. Enabled: On

Visual markings: Footer (document and email)

Classified as Confidential

Conditions: None

Protection: Azure (cloud key) [1]
Confidential \ Anyone (not protected) Data that does not require protection. Use this option with care and with appropriate business justification. Enabled: On

Visual markings: Footer (document and email)

Classified as Confidential

Conditions: None

Protection: None
Confidential \ Recipients Only Confidential data that requires protection and that can be viewed by the recipients only. Enabled: On

Visual markings: Footer (email)

Classified as Confidential

Conditions: None

Protection: Set user defined permissions (Preview [3]), In Outlook apply Do Not Forward
Highly Confidential \ All Employees Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content. Enabled: On

Visual markings: Footer (document and email)

Classified as Highly Confidential

Conditions: None

Protection: Azure (cloud key) [2]
Highly Confidential \ Anyone (not protected) Data that does not require protection. Use this option with care and with appropriate business justification. Enabled: On

Visual markings: Footer (document and email)

Classified as Highly Confidential

Conditions: None

Protection: None
Highly Confidential \ Recipients Only Highly confidential data that requires protection and that can be viewed by the recipients only. Enabled: On

Visual markings: Footer (email)

Classified as Highly Confidential

Conditions: None

Protection: Set user defined permissions (Preview [3]), In Outlook apply Do Not Forward
Footnote 1

The protection permissions match those in the default template, Confidential \ All Employees.

Footnote 2

The protection permissions match those in the default template, Highly Confidential \ All Employees.

Footnote 3

This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Information Protection bar

Setting Value
Title Sensitivity
Tooltip The current label for this content. This setting identifies the risk to the business if this content is shared with unauthorized people inside or outside the organization.

Settings

Some of the settings were added after July 31, 2017.

Setting Value
Select the default label None
Send audit data to Azure Information Protection analytics Off
All documents and emails must have a label (applied automatically or by users) Off
Users must provide justification to set a lower classification label, remove a label, or remove protection Off
For email messages with attachments, apply a label that matches the highest classification of those attachments Off
Display the Information Protection bar in Office apps Off
Add the Do Not Forward button to the Outlook ribbon Off
Make the custom permissions option available for users Off
Provide a custom URL for the Azure Information Protection client "Tell me more" web page Blank

Default policy before July 31, 2017

Note that descriptions in this policy refer to data that requires protection, and also to data tracking and revoking. The policy does not configure this protection for these labels, so you must take additional steps to fulfill this description. For example, configure the label to apply protection or use a data loss prevention (DLP) solution. Before you can track and revoke a document by using the document tracking site, the document must be protected by the Azure Rights Management service and tracked by the person who protected the document.

Labels

Label Tooltip Settings
Personal Non-business data, for personal use only. Enabled: On

Color: Light green

Visual markings: Off

Conditions: None

Protection: None
Public Business data that is specifically prepared and approved for public consumption. Enabled: On

Color: Green

Visual markings: Off

Conditions: None

Protection: None
General Business data that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication. Enabled: On

Color: Blue

Visual markings: Off

Conditions: None

Protection: None
Confidential Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data. Enabled: On

Color: Orange

Visual markings: Off

Conditions: None

Protection: None
Highly Confidential Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. Enabled: On

Color: Red

Visual markings: Off

Conditions: None

Protection: None

Sublabels

Label Tooltip Settings
Confidential \ All Employees Confidential data that requires protection, which allows all employees full permissions. Data owners can track and revoke content. Enabled: On

Visual markings: Footer (document and email)

Classified as Confidential

Conditions: None

Protection: None
Confidential \ Anyone (not protected) Data that does not require protection. Use this option with care and with appropriate business justification. Enabled: On

Visual markings: Footer (document and email)

Classified as Confidential

Conditions: None

Protection: None
Highly Confidential \ All Employees Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content. Enabled: On

Visual markings: Footer (document and email)

Classified as Highly Confidential

Conditions: None

Protection: None
Highly Confidential \ Anyone (not protected) Data that does not require protection. Use this option with care and with appropriate business justification. Enabled: On

Visual markings: Footer (document and email)

Classified as Highly Confidential

Conditions: None

Protection: None

Information Protection bar

Setting Value
Title Sensitivity
Tooltip The current label for this content. This setting identifies the risk to the business if this content is shared with unauthorized people inside or outside the organization.

Settings

Setting Value
All documents and emails must have a label (applied automatically or by users) Off
Select the default label None
Users must provide justification to set a lower classification label, remove a label, or remove protection Off
For email messages with attachments, apply a label that matches the highest classification of those attachments Off
Provide a custom URL for the Azure Information Protection client "Tell me more" web page Blank

Default policy before March 21, 2017

Labels

Label Tooltip Settings
Personal For personal use only. This data will not be monitored by the organization. Personal information must not include any business-related data. Enabled: On

Color: Light green

Visual markings: Off

Conditions: None

Protection: None
Public This information is internal and can be used by everyone inside or outside the business. Enabled: On

Color: Green

Visual markings: Off

Conditions: None

Protection: None
Internal This information includes a wide spectrum of internal business data that can be used by all employees and can be shared with authorized customers and business partners. Examples for internal information are company policies and most internal communications. Enabled: On

Color: Blue

Visual markings: Footer (document and email):

Sensitivity: Internal

Conditions: None

Protection: None
Confidential This data includes sensitive business information. Exposing this data to unauthorized users may cause damage to the organization. Examples for Confidential information are employee information, individual customer projects or contracts, and sales account data. Enabled: On

Color: Orange

Visual markings: Footer (document and email):

Sensitivity: Confidential

Conditions: None

Protection: None
Secret This data includes highly sensitive information for the business that must be protected. Exposing Secret data to unauthorized users may cause serious damage to the organization. Examples for Secret information are personal identification information, customer records, source code, and pre-announced financial reports. Enabled: On

Color: Red

Visual markings: Footer (document and email):

Sensitivity: Secret

Conditions: None

Protection: None

Sublabels

Label Tooltip Settings
Secret \ All Company This data includes sensitive business information - permitted for all company employees. Enabled: On

Visual markings: Off

Conditions: None

Protection: None
Secret \ My Group This data includes sensitive business information - permitted for employee groups only. Enabled: On

Visual markings: Off

Conditions: None

Protection: None

Information Protection bar

Setting Value
Title Sensitivity
Tooltip Information Sensitivity consists of four distinct levels (Public, Internal, Confidential, Secret), allowing the user to identify the risk of exposing the information to unauthorized users inside or outside the business.

Settings

Setting Value
All documents and emails must have a label (applied automatically or by users) Off
Select the default label None
Users must provide justification to set a lower classification label, remove a label, or remove protection Off
Provide a custom URL for the Azure Information Protection client "Tell me more" web page Blank

Next steps

For more information about configuring your Azure Information Protection policy, use the links in the Configuring your organization's policy section.