Microsoft Azure Information Protection Plugin for Adobe Acrobat Reader

This plugin helps Information Rights Management (IRM)-covered files created in Adobe Acrobat XI Pro and Reader DC to be opened and viewed securely from within the Microsoft Azure Information Protection client.

Microsoft Azure Information Protection Plugin for Adobe Acrobat Reader is a cloud-based data protection solution that helps you control how your data is accessed from tablets, smartphones and PCs. This solution delivers powerful data loss prevention (DLP) and mobile application management (MAM) for ensuring compliance with internal corporate policies, HIPAA, HITECH and other industry regulations.

To protect your confidential content and to empower you to take control of your information, Information Rights Management (IRM) provides the tools and technologies you need to achieve these objectives. IRM makes it possible to better secure the copy and use of your sensitive information: emails, documents, spreadsheets, presentations, and more. Microsoft’s Information Protection plugin for Adobe Acrobat Reader delivers a future-proof way to confidently protect PDF files from exposure as intended.

As of October 12th, 2018, our Information Protection customers can use Adobe Acrobat Reader on Windows to open labeled and protected PDFs. This reflects a fundamental change in the ability to enforce labels and encryption on PDFs: up until this announcement, PDFs protected by Azure Information Protection were renamed with the .pPDF file extension and could only be opened using the Azure Information Protection viewer. For more information about the new PDF protection standard, see section 7.6 Encryption from the document that is derived from ISO 32000-1 and published by Adobe Systems Incorporated.

In this blog we will cover the complete end-to-end configuration and deployment that allows your company to label and protect PDFs in the new format, in addition to being able to consume them easily. We will also discuss how to enforce automatic classification on PDFs using the Azure Information Protection scanner. Lastly, we will provide a short script that will migrate an already labeled file in the pPDF format and will “re-label” it as the new PDF format.

Using Azure Information Protection to protect PDF’s and Adobe Acrobat Reader to view them

Prerequisites

Azure Information Protection client installed – version 1.37 and newer (versions 1.xx only).
Adobe Acrobat Reader and Azure Information Protection plugin installed, which can be downloaded from here.
Windows 10 and previous versions through Windows 7 Service Pack 1.

Service Configuration

With Azure Information Protection client version 1.41 and newer, AIP is configured by default to protect PDFs with the new format. If you use version 1.37, PDFs are by default protected in the Pfile format and the extension is renamed to pPDF. As the new PDF format feature is in private preview, the Information Protection admin needs to opt the company in to be able to protect in the new format.

  1. If you haven’t already done so, in a new browser window, sign in to the Azure portal, and then navigate to the Azure Information Protection blade.
  2. From the Classifications > Labels menu option: Select Policies.

  3. On the Azure Information Protection – Policies blade, select the context menu (…) next to the policy, then select Advanced settings. You can configure advanced settings for the Global policy, as well as for scoped policies.

  4. On the Advanced settings blade, type the following advanced setting name and value, and then select Save and close.

Key: EnablePDFv2Protection

Value: True

Client configuration

Adobe Acrobat Reader and the Azure Information Protection plugin that goes with it can be downloaded from here.

The installation procedure is straightforward; no special configuration is required.

Initial labeling & protection of a PDF file

  1. Select a PDF file that you would like to label with protection
  2. Right-click the file and select “Classify and protect”

  3. Select a label that applies protection to the PDF file

  4. Click “Apply” and notice that once the process completes, the PDF file extension remains the same and doesn’t change.

Initial open and view of protected PDF file

  1. Double click on the protected PDF file to open it in Adobe Acrobat Reader
  2. Initially, when you open the protected PDF file you will be prompted for your Microsoft account credentials. After successful authentication you will be asked whether to stay signed in, to avoid re-authenticating when the next file is opened.
  3. Once the protected file is opened you will be able to see the small “lock” icon on the left pane; this indicates the file is protected.

  4. Clicking on this icon will show the protection information for the PDF that is currently open.

  5. Clicking on “Permission Detail” will open the “Document Properties” window that will show more information on the protection rights.

Viewing the label ribbon when PDF is labeled or labeled and protected

To view the label ribbon in the Acrobat Reader interface, update or create the following registry entry on your computer:

Computer\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP

Create a DWORD value named bShowDMB with a hexadecimal value of 1.

Figure 3: Label Banner in the Adobe Reader after the Registry update

This enables the label ribbon within the Acrobat interface.
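The registry step above can be scripted for a logon script or a compliance check. The following PowerShell is an added example, not part of the original post; the function name Enable-AipLabelRibbon is hypothetical, while the key path and value name are the ones given above.

```powershell
# Added example: sets the per-user value described above and reads it back.
# Enable-AipLabelRibbon is a hypothetical helper name, not an AIP or Adobe cmdlet.
function Enable-AipLabelRibbon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Key path and value name are the ones given on this page.
        [string]$KeyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP',
        [string]$ValueName = 'bShowDMB'
    )

    # Create the MicrosoftAIP key (and any missing parents) only if it is absent.
    if (-not (Test-Path -LiteralPath $KeyPath) -and
        $PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Write the DWORD; -Force overwrites an existing value of any type.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD value 1')) {
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read the value back so the caller can assert on the resulting state.
    $key     = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    $present = $null -ne $key -and $key.GetValueNames() -contains $ValueName
    [pscustomobject]@{
        KeyPath   = $KeyPath
        ValueName = $ValueName
        Kind      = if ($present) { $key.GetValueKind($ValueName) } else { $null }
        Value     = if ($present) { $key.GetValue($ValueName) } else { $null }
        Compliant = $present -and
                    $key.GetValueKind($ValueName) -eq 'DWord' -and
                    $key.GetValue($ValueName) -eq 1
    }
}

# Run in the context of the user who opens PDFs (the key lives under HKCU).
Enable-AipLabelRibbon
```

Running it with -WhatIf reports the current state without writing; because the value is per-user, it has to run once for each user profile.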

Apply automatic labels and protection on PDF files

Now, once your policy and your scanner are configured to properly protect PDFs using the new native Adobe format, all that you need to do is to apply your policy labels to your files. You can do that either manually or automatically. Yes, PDFs (which contain text that is not an image) can be inspected and labeled automatically based on the conditions that are configured in your policy.

You can perform the inspection manually by using the Set-AIPFileClassification cmdlet or by running the Azure Information Protection scanner with the -Enforce On parameter. The PDF extension will remain the same and the file will be available in the new format.
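Before classifying a share, it helps to know which PDFs are already labeled, which are protected, and which are still in the legacy .ppdf container. The following PowerShell is an added example, not part of the original post; the function name Get-PdfProtectionReport and the folder path are hypothetical, and it assumes the AzureInformationProtection module that ships with the client is installed and the session is authenticated.

```powershell
#requires -Modules AzureInformationProtection
# Added example; Get-PdfProtectionReport is a hypothetical helper name.
function Get-PdfProtectionReport {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -in '.pdf', '.ppdf' } |
        ForEach-Object {
            # Get-AIPFileStatus returns the label and protection state of one file.
            $status = Get-AIPFileStatus -Path $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                Container   = if ($_.Extension -ieq '.ppdf') { 'legacy .ppdf' } else { '.pdf' }
                IsLabeled   = $status.IsLabeled
                Label       = $status.MainLabelName
                IsProtected = $status.IsRMSProtected
            }
        }
}

$root = 'C:\Data\Contracts'   # constructed sample path, replace with your own

# 1. Inventory: unlabeled PDFs and files still in the legacy container.
$before = Get-PdfProtectionReport -Root $root
$before | Where-Object { -not $_.IsLabeled -or $_.Container -eq 'legacy .ppdf' } |
    Format-Table -AutoSize

# 2. Dry run: report what the policy conditions would apply, without changing files.
Set-AIPFileClassification -Path $root -WhatIf

# 3. After reviewing the dry run, apply for real by removing -WhatIf:
# Set-AIPFileClassification -Path $root

# 4. Re-run the inventory; newly protected files should keep the .pdf extension,
#    so any .ppdf rows are files that were protected before the format change.
Get-PdfProtectionReport -Root $root |
    Group-Object Container, IsProtected |
    Select-Object Name, Count
```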

Which PDF readers are supported for protected PDFs?
Applies to: Azure Information Protection

Relevant for: AIP unified labeling client and classic client

If you have Windows 7 or Office 2010, see AIP and legacy Windows and Office versions.

Note: The AIP classic client is deprecated.

This article describes the protected PDF readers that are supported for Information Rights Management (IRM) protection in SharePoint Online and Azure Information Protection (AIP). Protected PDF readers enable users to open those encrypted PDFs and view the sensitive information contained.

Encrypting your PDFs with AIP ensures that unauthorized people cannot read the file’s content. Protected PDF readers that support AIP verify that you’ve been granted permissions to open the document, and also decrypt the content for you.

For example, the following image shows an encrypted document open in Adobe Acrobat Reader. The bar at the top indicates that the document is protected by a Microsoft Information Protection solution.

[Image: Protected PDF open in Adobe Acrobat Reader]

For instructions, see the following sections:

Viewing protected PDFs in Microsoft Edge on Windows or Mac

Installing a protected PDF reader for Windows or Mac

Installing a protected PDF reader for mobile (iOS/Android)

Tip: If your document doesn’t open after installing a recommended reader, the document may be protected in an older format.

In this case, try one of the readers listed as supported for previous formats. For more information, see Support for previous formats.

ISO standards for PDF encryption
The PDF readers referenced on this page can all open protected documents that adhere to the ISO standard for PDF encryption.

This standard is used by default by the AIP client.

Note: Classic client only: If you have the AIP classic client, this may have been disabled by an administrator.

Viewing protected PDFs in Adobe Acrobat Reader
Adobe Acrobat Reader integrates with Microsoft Information Protection solutions, such as Azure Information Protection, to provide users with a simplified and consistent experience for classified and/or protected PDFs.

The Adobe Acrobat Reader with Microsoft Information Protection integration is supported for Windows and macOS.

For more information, see the following blog posts:

General Availability of Adobe Acrobat Reader Integration with Microsoft Information Protection

Adobe reader and Microsoft Information Protection integration FAQs

Viewing protected PDFs in Microsoft Edge on Windows or Mac
Microsoft Edge offers built-in support for viewing PDF files that are classified and protected. Use of Microsoft Edge ensures that users can open protected PDF files seamlessly without the need to install or configure any extra settings or software.

Supported versions include:

Windows: Windows 11 and previous versions through Windows 8.

For more information about earlier versions, see Support for previous formats.

Mac: macOS versions 10.12 and above

Instructions:

Check which Microsoft Edge version is installed on your system.

If the Microsoft Edge version is 83.0.478.37 or above, you can open protected files directly in the Edge browser.

To open PDF files in SharePoint, click Open > Open in browser.

[Image: Open a protected PDF using Microsoft Edge from the browser using the Open in browser option]

Installing a protected PDF reader for Windows or Mac
To open a protected PDF document on your desktop computer, we recommend that you install the relevant Microsoft Information Protection (MIP) plug-in for Acrobat and Acrobat Reader for your operating system.

Instructions:

If you haven’t already, install the Adobe Reader from the Adobe site.

Make sure that you read and agree to the Adobe General Terms of Use.

Install the MIP plug-in for Acrobat and Acrobat Reader for your operating system.

Supported versions include:

Windows: Windows 10 and previous versions through Windows 8.

For more information about earlier versions, see Support for previous formats.

Mac: macOS versions 10.12 – 10.14

If prompted for admin approval, ask your admin to authorize the plug-in.

For example:

[Image: Admin approval required to install the MIP plug-in for Acrobat and Acrobat Reader]

Note: For more information, see the Microsoft Information Protection and Adobe release announcement.

Alternative protected PDF readers for Windows
Alternatively, use one of the following PDF readers for Windows that adhere to the ISO standard for PDF encryption:

Azure Information Protection viewer

Foxit Reader

Installing a protected PDF reader for mobile (iOS/Android)
To open a protected PDF on your iOS or Android device, download and install the app for your operating system:

OS            Link
iTunes        Install from iTunes.
Google Play   Install from Google Play.

For more information, see Mobile viewer apps for Azure Information Protection (iOS and Android).

Support for previous formats
The following PDF readers support both protected PDFs with a .ppdf extension, and older formats with a .pdf extension.

If you’re unable to open your protected PDF using the recommended reader, the document may be protected in a previous format.

Windows 11 / previous versions through Windows 7 Service Pack 1:

Azure Information Protection viewer
Gaaiho Doc
GigaTrust Desktop PDF Client for Adobe
Foxit Reader
Nitro PDF Reader
Nuance Power PDF

Android:

Azure Information Protection app
Foxit MobilePDF with RMS

iOS:

Azure Information Protection app
Foxit MobilePDF with RMS
TITUS Docs

macOS Catalina: Edge Chromium
