Microsoft Purview Information Protection support in Acrobat

Search
Enterprise

Enterprise

Admin Console

What is Microsoft Purview Information Protection?

Microsoft Purview Information Protection (MPIP) is a Microsoft rights management solution that enables a rights-based access to assets including PDF documents. Adobe Acrobat Pro/Standard and Reader desktop apps support consistent viewing of PDFs protected by Microsoft Purview Information Protection. In addition, for organizations standardizing on MPIP, we have launched the native experience to apply and edit Information Protection sensitivity labels and policies to their PDFs within the desktop version of Acrobat Pro/Standard.

For details, see Protect your sensitive data with Microsoft Purview.

Covered in this article:

Consistent Viewing of Microsoft Purview Information Protection protected PDFs in Acrobat and Adobe Reader

Users of Azure Information Protection and other Microsoft Purview Information Protection solutions can use Acrobat or Adobe Reader to read labeled and protected content. For more on Acrobat and Adobe Reader support for viewing such files, see MPIP for Acrobat and Adobe Reader.

Steps to enable document message bar

To enabled the document message bar in MPIP protected PDFs in Acrobat and Adobe Reader, download the latest version of Acrobat or Adobe Reader, and then follow these steps (depending on your OS).

  1. Ensure Acrobat is not running.

  2. Keeping the Command button pressed, press the Space bar.

  3. In the Search bar, enter Terminal, and double-click Terminal in the left sidebar to open the macOS terminal.

  4. In the terminal, run the following commands:

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:MicrosoftAIP:ShowDMB array" ~/Library/Preferences/com.adobe.acrobat.pro.plist
    2. sudo /usr/libexec/PlistBuddy -c "Add :DC:MicrosoftAIP:ShowDMB:item1 bool true" ~/Library/Preferences/com.adobe.acrobat.pro.plist
    3. sudo /usr/libexec/PlistBuddy -c "Add :DC:MicrosoftAIP:ShowDMB:item0 integer 0" ~/Library/Preferences/com.adobe.acrobat.pro.plist
    4. sudo killall cfprefsd

  1. Ensure Acrobat is not running.

  2. To open Windows registry editor, press the Windows key + r and type regedit.

  3. Set the following registry entries:

    • Go to:
      Computer\HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\MicrosoftAIP
      And set the value:
      bShowDMB value to 1

  4. Close the registry editor.

Apply and edit Microsoft Purview Information Protection sensitivity labels on PDFs in Acrobat

For end users

If you're an end user, follow these steps to enable MPIP support in Acrobat.

Note:
  • This feature is available in Acrobat starting from the June release 23.003.20201.1ec7624. If you have not upgraded to this version of Acrobat, your admin will need to enable the feature using the steps given in the section below.
  • Enabling Sensitivity labelling also enables the document message bar (DMB) to display label information.

  1. Open Acrobat.

  2. Navigate to Preferences > Security.

  3. Check Enable Microsoft Purview Information Protection, and click OK to confirm your selection.

    Enable MPIP support in Acrobat

    Note:

    The availability of the Enable Microsoft Purview Information Protection option is determined by the registry settings configured by the admin (as described in the Admin section, below). If the registry is set by the admin, this option will be grayed out for the end user. Which means that the end user will not have the option to change the setting in the Preferences dialog, once configured by the admin.

  4. Restart Acrobat to apply the MPIP settings.

For admins

As an admin, follow these steps to enable MPIP support in your enterprise environment.

  1. Ensure Acrobat is not running.

  2. Keeping the Command button pressed, press the Space bar.

  3. In the Search bar, enter Terminal, and double-click Terminal in the left sidebar to open the macOS terminal.

  4. In the terminal, run the following commands:

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPLabelling bool true" /Library/Preferences/com.adobe.acrobat.pro.plist
    2. sudo killall cfprefsd

  1. Ensure Acrobat is not running.

  2. To open Windows registry editor, press the Windows key + r and type regedit.

  3. Set the following registry entries:

    • Go to:
      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown
      And set the value
      bMIPLabelling to 1

  4. Close the registry editor.

If your admin has created labels with pre-defined permissions, you can use these labels on your Acrobat documents.

  1. Open a PDF document on which you are required to apply an Admin-defined label.

  2. Choose File > Protect PDF > Select a Microsoft Sensitivity Label.

    Alternatively, choose Tools > ProtectSelect a Microsoft Sensitivity Label.

    Select a Microsoft sensitivity label

  3. If prompted, in the following screens, enter your MPIP email ID and password to sign in.

  4. Choose any Admin-defined label as specified by your Admin, and click Apply.

    Select sensitivity label

The Acrobat document message bar displays the applied label.

Label on the document message bar

You can define custom permissions for your Acrobat document. This will enable you to select permissions for each user separately and assign different permissions to different users simultaneously.

  1. Open a PDF document on which you are required to apply a user-defined label.

  2. Choose File > Protect PDF > Select a Microsoft Sensitivity Label.

    Alternatively, choose Tools > ProtectSelect a Microsoft Sensitivity Label.

    Select sensitivity label

  3. If prompted, in the following screens, enter your MPIP email ID and password to sign in.

  4. Click the Hightly Confidential > Specific People label and click Apply.

    Choose label

  5. Specify an email address, group, domain for users who require access to this document.

    Users, groups, or domains of users for this document

  6. Choose the permissions required for each email addressuser group, and domain, and click Add.

    Define label permissions

  7. Optionally, you can also apply the following permissions to the document:

    Document expiry: Choose a date when the document will no longer be available to the users.

    Copy this document: Choose this option to all the users to copy this document.

    Print this document: Choose this option to all the users to print this document.

    To apply these permissions, click  in the upper-right corner of the dialog box.

    Note:

    These permissions are applied to all users, groups, and domains that you've added for this document.

  8. Choose:

    • Expiry date
    • Permission to copy
    • Permission to print.
    Define more label permissions

  9. Click < (back).

    You can view the additional permissions that you've applied for the users of this document.

    You can also Delete the user, group, or domain from this document when applying the label.

    Define more label permissions

  10. When you done and users, groups, domains, and applying the required permssions, click Save.

The Acrobat document message bar displays the applied label.

Label on the document message bar

Any MPIP label applied to a document may be updated by the user who has created the document or has appropriate rights to change the labels.

  1. Open the PDF in Acrobat.

  2. On the document message bar, click Update label.

    Label on the document message bar

    Or go to the Protect tool > Select a Microsoft sensitivity label.

  3. Choose another label, and click Update.

  4. If your MPIP admin has applied this setting, you will be prompted to provide a justification for the update.

    Choose or enter a justification and click Submit

    Justify label update

The Acrobat document message bar displays the updated label.

Label on the document message bar

You can delete a label from a document that you have created.

  1. Open the PDF in Acrobat.

  2. On the document message bar, click Update label.

    Label on the document message bar

    Or go to the Protect tool > Select a Microsoft sensitivity label.

  3. Click Delete label, and then click Update

    Delete sensitivity label

  4. If your MPIP admin has applied this setting, you will be prompted to provide a justification for deleting the label.

    Choose or enter a justification and click Submit

    Justify label update

The label now does not appear on the Acrobat document message bar, at the top of the PDF.

The MPIP admin in your organization has the option to set up default and mandatory labeling. This means that, depending on these setting, you may be forced to apply labels (mandatory labeling) or the default label may be applied on your PDF if you don't set one (default labeling).

Windows

  1. Press the Windows key + r to open the Registry editor.
  2. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown.
  3. Set the value: bMIPCheckPolicyOnDocSave to 1.
  4. Create a DWORD32 type entry.
  5. Close the Registry editor.

macOS

In the macOS terminal window, run the following commands:

  1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPCheckPolicyOnDocSave bool true" /Library/Preferences/com.adobe.acrobat.pro.plist
  2. sudo killall cfprefsd
Note:

Ensure that default and mandatory labeling settings are enabled in the Information Protection policy in Microsoft Purview Compliance Portal.

If your MPIP admin has set up default labeling for your organization, this means that if you don't set up a label, Acrobat will mark the document with the default label when you save the document. 

For modified files you will be prompted to apply the default label when saving.

Default label

  1. Say you're working on a PDF with mandatory labeling setup. If you save the document without applying a label, you'll be prompted to sign in.

    Enter you Microsoft email address and password.

  2. When prompted, click Choose label.

    Select sensitivity label

  3. Following the steps detailed in the procedures above, to choose an Admin-defined or a user-defined label. 

Note:

In the procedure to choose a label, if you click Cancel, the document will not be saved. So, when mandatory labeling is enabled, to save the document, you must choose a label.

Say you're working on a PDF with mandatory and default labeling setup. If you save the document without applying a label, you'll be prompted to sign in.

Enter you Microsoft email address and password.

After you sign in, the default label is applied to the PDF. So, when you save the document, the default label appears in the document message bar.

Default label

You can update the default label. You can also delete the default label.

As per your organization's policies, you are not required to apply labels. However, if required, may apply Admin-defined or a user-defined labels, as detailed in the procedures above.

Additional MPIP setup requirements for Microsoft Sovereign Cloud tenants

When working with the MPIP protected PDFs, you must configure the registry to point Adobe Acrobat or Reader to your Microsoft Sovereign Cloud.

  1. Ensure Acrobat or Reader are not running.

  2. Keeping the Command button pressed, press the Space bar.

  3. In the Search bar, enter Terminal, and double-click Terminal in the left sidebar to open the macOS terminal.

  4. In the terminal, run the following commands:

    For Acrobat

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:iMIPCloud integer <value>"  /Library/Preferences/com.adobe.acrobat.pro.plist
    2. sudo killall cfprefsd

    For Reader

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:iMIPCloud integer <value>"  /Library/Preferences/com.adobe.Reader.plist
    2. sudo killall cfprefsd
    Note:

    The value of the registry is based on the type of your Sovereign Cloud.  Refer to following link to see this mapping of values with Sovereign Cloud type:

    https://learn.microsoft.com/it-it/dotnet/api/microsoft.informationprotection.cloud?view=mipsdk-dotnet-1.6

  1. Ensure Acrobat or Reader are not running.

  2. To open Windows registry editor, press the Windows key + r and type regedit.

  3. Go to the following registry locations:

    For Acrobat

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

    For Reader

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\Trunk\FeatureLockDown
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\DC\FeatureLockDown

    And set the following registry entries:

    • Registry Type: REG_DWORD
    • Name: iMIPCloud
    Note:

    The value of the registry is based on the type of your Sovereign Cloud.  Refer to following link to see this mapping of values with Sovereign Cloud type:

    https://learn.microsoft.com/it-it/dotnet/api/microsoft.informationprotection.cloud?view=mipsdk-dotnet-1.6

  4. Close the registry editor.

Setup requirements for Browser Authentication in MPIP workflow

You can use following registry to enable or disable browser authentication for MPIP operations in Adobe Acrobat or Reader.

  1. Ensure Acrobat or Reader are not running.

  2. Keeping the Command button pressed, press the Space bar.

  3. In the Search bar, enter Terminal, and double-click Terminal in the left sidebar to open the macOS terminal.

  4. In the terminal, run the following commands:

    For Acrobat:

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPExternalAuthAdmin bool true"  /Library/Preferences/com.adobe.acrobat.pro.plist
    2. sudo killall cfprefsd

    For Reader:

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPExternalAuthAdmin bool true "  /Library/Preferences/com.adobe.Reader.plist
    2. sudo killall cfprefsd
    3. To disable, use the value false in place of true

  1. Ensure Acrobat or Reader are not running.

  2. To open Windows registry editor, press the Windows key + r and type regedit.

  3. Go to the following registry locations:

    For Acrobat:

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

    For Reader:

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\Trunk\FeatureLockDown
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\DC\FeatureLockDown

    And set the following registry entries:

    • Registry Type: REG_DWORD
    • Name: bMIPExternalAuthAdmin
    • Value: 1 to enable or 0 to disable

  4. Close the registry editor.

Setup requirements for double key encryption labels in MPIP workflow

You can use following registry to enable or disable double key encryption for MPIP operations in Adobe Acrobat or Reader.

  1. Ensure Acrobat or Reader are not running.

  2. Keeping the Command button pressed, press the Space bar.

  3. In the Search bar, enter Terminal, and double-click Terminal in the left sidebar to open the macOS terminal.

  4. In the terminal, run the following commands:

    For Acrobat:

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bEnableDKEAdmin bool true"  /Library/Preferences/com.adobe.acrobat.pro.plist
    2. sudo killall cfprefsd

    For Reader:

    1. sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bEnableDKEAdmin bool true "  /Library/Preferences/com.adobe.Reader.plist
    2. sudo killall cfprefsd
    3. To disable, use the value false in place of true

  1. Ensure Acrobat or Reader are not running.

  2. To open Windows registry editor, press the Windows key + r and type regedit.

  3. Go to the following registry locations:

    For Acrobat:

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

    For Reader:

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\Trunk\FeatureLockDown
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\DC\FeatureLockDown

    And set the following registry entries:

    • Registry Type: REG_DWORD
    • NamebEnableDKEAdmin
    • Value: 1 to enable or 0 to disable

  4. Close the registry editor.

Common questions

When you create a MPIP-protected PDF document through Adobe Acrobat, a splash page is added on top of the PDF. This splash page will be shown to the user when MPIP supported Adobe Acrobat desktop application is not installed. Or, the user opens the PDF file in an application that does not support MPIP.

If the MPIP-protected document is opened in a non-MPIP aware viewer, the following splash screen is displayed.

Splash screen

Yes. If the label has content markings like header, footer, or watermarks, they will be embedded inside the PDF. The content markings will be part of the PDF structure.

Yes. You can clear the currently saved Microsoft account. The next time you apply a label, you will be prompted again for your Microsoft credentials.

  1. Go to Edit > Preferences > Security.

  2. In the Microsoft Purview Information Proection section, click Clear remembered account information.

    Clear remembered account MPIP information

  3. Click OK to confirm.

  4. Click OK to close the Preference dialog box, and then restart Acrobat.

The next time your apply a label, you will be prompted to sign in.

 Adobe

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links

Legal Notices    |    Online Privacy Policy