Note: The procedure in this article is relevant if you have purchased or implemented the Microsoft® Purview Data Compliance Configuration Service from RM (22Z-168 - INS MS Purview Data Compliance Config.(Remote) Service).

• Ensure your clients are Windows 10 or above.
• Ensure your clients have Office Professional Plus 2016 or above installed.
• If you have a web proxy that requires authentication, configure it to use integrated Windows authentication with the user's Active Directory logon credentials.
• Allow HTTPS traffic on TCP port 443 to *.informationprotection.azure.com and informationprotection.hosting.portal.azure.net.
• If you have a firewall or similar intervening network device that is configured to allow specific connections, configure it to allow access to the endpoints listed in the Azure Rights Management (RMS) section of the Microsoft 365 article.

For more detailed information on the requirements for Microsoft Purview Information Protection, please refer to the Microsoft article.

1. The Azure Information Protection unified labeling client can be installed using an executable (AzInfoProtection_UL.exe) or an MSI (AzInfoProtection_UL.msi). Download your preferred installation file from here.
2. Click here to review additional prerequisites that may be required prior to installing the Azure Information Protection unified labeling client.
3. Refer to the relevant link below for instructions on how to install using your preferred installation method.
   Important: We strongly recommend that the Azure Information Protection unified labeling client is installed only on the computers used by the staff accounts that need to use the protection features.
   • By using exe: click here.
   • By using MSI: click here.

If you are using a CC4 network and wish to import and create a package for Azure Information Protection unified labeling client, please refer to DWN3152898 in the Other Useful Articles section below (DWN3152898 will only be visible to logged in network support contract holders).
 
The MSI can also be used with other central deployment mechanisms like SCCM, Group Policy.

4. Reboot the computers after installation is completed.

1. Sign in to your Microsoft 365 tenancy as a global administrator user.
2. From Admin Center, click Groups.
3. Select the Azure Rights Management Group and add a staff user account as a member.
4. Sign out of your Microsoft 365 tenancy.
5. Log on to the computer as the staff user you selected in step 3 above.
6. Open a Microsoft Office application (Word, Excel or PowerPoint).
7. Click File, Account and confirm you are signed in as the staff user in step 3 above.
8. Click Info, Protect Document, Restrict Access, 'Connect to Rights Management Servers and get templates'.
9. Return to the document.
10. Confirm that the user sees an information bar prompting to sign in to the Azure Information Protection service, as shown in the image below.

Image showing the Azure Information Protection service prompt

11. Click the 'Sign in' button and enter the staff user's Microsoft 365 user credentials.
    Note: If your Microsoft 365 domain is federated to RM Unify the user may get re-directed to the RM Unify page to complete the sign in.
12. In the Office application, confirm the information bar displays Sensitivity as 'Not set' and the seven custom labels are visible, e.g., Confidential - Staff, Sensitive - HR, etc. as shown in the image below.
    Note: If you cannot see the custom labels, your app window may not be large enough to accommodate them. In that case, click the Edit icon next to 'Not set' (the pencil icon) to open a new window to display the labels.

Image showing the information bar

13. Click the 'Confidential - Internal Only' label.
14. Confirm a 'This is a confidential internal document' header has been added to the document and no error appears.
15. On the same computer, open Microsoft Outlook and create a new email.
16. Confirm you can see the same seven custom labels as you did in Word.
17. Click the custom 'Highly Confidential - All Staff' label and send the email to a recipient account external to Microsoft 365, e.g., a Gmail or Yahoo account.
18. Confirm the external recipient receives the email with the message, as shown in the image below: '<user> has sent you a protected message'.

Image showing the message

19. Ask the external recipient to click 'Read the message' and confirm they can view the message content following the instructions provided on screen.

For information on the file types supported by Azure Information Protection unified labeling client, please refer to:
https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-file-types

For information on the Office apps (Office 2019, 2016), please refer to:
https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-office-apps#office-2016-and-office-2013