Name: Get Support IT Services Limited
Price range: $$$

Update (March 2026): Azure Information Protection (AIP) is now integrated with Microsoft Purview Information Protection, and sensitivity labels are built into Microsoft 365 apps. This article has been lightly refreshed to reflect the updated naming, and to remove out-of-date pricing references.

Executive Summary

Our Inside 365 Business Premium offers a deep-dive into each of the features of the Microsoft 365 Business Premium subscription – especially those that may be lesser-known.
In this edition, we’re putting Azure Information Protection Plan 1 (AIP P1), now part of Microsoft Purview Information Protection, under the spotlight.
Azure Information Protection P1 helps you classify and protect files and emails using sensitivity labels and encryption, so access can be controlled even after data has left your business.

Introduction

How does your business handle your sensitive or confidential data?

If you don’t work in a space which requires tight regulation of digital assets, it might not be something you’ve thought about before. But in an always-online digital world, the risk of sensitive files being compromised is ever present.

Whether it’s an email attachment or a physical file on a real-world USB drive, any file can be at risk once it leaves your company’s network. It’s here that Azure Information Protection P1 (AIP P1) comes into play.

In this extensive guide, we’ll tell you everything you need to know about AIP P1 and how it fits into the roster of Microsoft 365 Business Premium tools and services.

So, let’s get started.

What is Azure Information Protection Plan 1?

If you’re at all familiar with Microsoft 365, you’ll know that security is in its DNA, and nowhere is this clearer than with Azure Information Protection, or AIP.

So, what is AIP in practice? It’s a set of cloud-based technologies that allow you to classify and label your files based on their sensitivity, then control (or even revoke) access to these files, even when they’re offline, in a centralised way – but that’s just the start.

Azure Information Protection also offers:

The ability to apply access permissions on a per-file basis even if the file isn’t on your network. That means a file on a USB stick can have its permissions revoked retroactively, making it useless to anyone even if the drive is lost.
Features to prevent users from forwarding emails, editing, or even printing files.
Email encryption which can ‘black out’ the area of the screen containing an email if a user tries to screenshot it.

At its most basic level, AIP allows users to access files protected or encrypted by the system; at its most advanced, AIP users can encrypt their data, such as emails, using encryption so sophisticated that even Microsoft won’t be able to read it. As with most things, the best option for most people lies somewhere in the middle – and this is where Azure Information Protection Plan 1 enters the frame.

AIP Plan 1 is the version of AIP you’ll receive with a Microsoft 365 Business Premium subscription and we think it offers an excellent balance of cybersecurity protection for even the most sensitive of business files.

It’s worth noting that AIP now sits within Microsoft Purview Information Protection. You may still hear older terms like Rights Management or Information Rights Management, but today the experience most businesses use is sensitivity labels and encryption managed through Purview, with the Azure Rights Management service providing the underlying protection.

How Azure Information Protection P1 works in practice

As with many Microsoft products, AIP is an incredibly sophisticated system, delivering data security solutions you won’t find anywhere else.

But with that sophistication also comes some complexity. Because the Get Support team is all about explaining things in straightforward plain English, we thought we’d break down the process of actually using Azure Information Protection P1 in the real world with your files.

Let’s look at an example of a workflow you might follow to incorporate AIP into your cybersecurity processes.

Step 1: Classifying and labelling your data

At its heart, AIP works by applying classifications and labels to your files. For example, you might label a file or email as ‘Public’, ‘General’, or even ‘Highly Confidential’.

There was a time when organisations used a dedicated Azure Information Protection add-in to apply labels in Office. Today, sensitivity labels are built into Microsoft 365 apps across Windows, Mac, web, and mobile, which makes labelling far more consistent and easier for users. The older AIP Unified Labeling add-in for Office was retired in April 2024, so any modern rollout should be based on the built-in experience.

Different label types can be applied to your files, including overall file classifications (applied to the file itself), visual elements in the file (such as headers / footers), or metadata.

Step 2: Setting up access control policies

Depending on your setup, you may want to actually set your policies prior to labelling your files, but the basics here are that AIP lets you add fine-grain access permissions and more.

The default labels provided by AIP with Microsoft 365 – ‘Public’, ‘Confidential’, etc. – can be edited in your admin panel to adjust who should have access, and which controls apply. So, for example, you could create a security group containing specific users within your company, then set your label policies so that only these users can access it. Furthermore, you can enable the other protection features – Do Not Forward, screen capture blocking, and so on – on a per-label basis.

The way you set this up is entirely up to you, but it’s essential to keep your files safe, even when they’re on the move. AIP uses file-level encryption to ensure that your most sensitive data is for your eyes only.

Step 3: Protecting and tracking files across their lifetime

Traditionally, once a file leaves your business premises, it’s essentially up to fate who can view it. If it’s on a USB stick, practically anyone with a laptop might be able to view it.

One of the big benefits of AIP is that you have control of your file access all the time, no matter where the files are. Access is granted via the Azure infrastructure sitting beneath Microsoft 365, so if a user tries to open a file, they’ll need to authenticate first before being granted access.

As your sensitive files are disseminated throughout your organisation, you’ll be able to track access logs – and revoke access if necessary – to any file you’ve labelled and classified via Azure Information Protection.

How to start using Azure Information Protection P1

As you may have noticed, there’s a lot of capability here, and it works best when it is designed around how your business actually handles sensitive information.

For most UK SMEs, the simplest route is Microsoft 365 Business Premium, which includes Azure Information Protection Plan 1 capabilities as part of Microsoft Purview Information Protection.

Microsoft pricing and plan inclusions can change over time, so we have removed the 2021 pricing from this article. If you would like a clear recommendation, we can review your licensing, confirm current costs, and help you roll out sensitivity labels and encryption in a way that protects data without creating unnecessary friction for users.

Level-up your data protection with Microsoft 365 and Get Support

Whether you’re just getting started with a basic subscription to Microsoft 365, or still getting by with a standard business plan, this guide should offer some insight into what’s possible with Business Premium.

As you can see, the benefits to small businesses in terms of data protection alone are worth the cost of entry. Want to know what else Business Premium has to offer? Then check out the rest of our Inside 365 Business Premium series at the links below:

Once you’re ready to sign up for, or upgrade to, 365 Business Premium, get set up faster by talking to the Get Support team. Call us today on 01865 59 4000 or just fill in the form below.