When handling documents with confidential or sensitive data, encryption is often used to protect documents from unauthorized access. When documents are encrypted, no matter where they are stored and sent to, only authorized users can open your encrypted documents to view or edit the contents.
In HKUST, Microsoft’s Azure Information Protection (AIP) technology is used to protect documents. This webpage summarizes the essential steps for you to get started to make use of the protection technology.
AIP Exercise
To ensure colleagues can master fundamental AIP skills, ITSC has prepared an exercise built on our Canvas Learning Management System. The exercise has a quiz which will be graded.
Before taking the exercise, you should have either attended our previous trainings "Data protection with AIP" (video recording available here) or read through contents in this webpage.
Free
7x24
How-to Guides
- Getting Started - Supported Systems and Required Software
- Viewing Encrypted Documents
- Protecting Documents with Sensitivity Labels
- Encrypting Office Documents or PDF Files Using the AIP Client (Windows only)
- Change the Protection on a File
- Removing encryption from a protected file
- Reading Restricted Email Message and documents
- Sending Confidential Emails Using Microsoft Outlook
1. Getting Started - Supported Systems and Required Software
Follow the links below to view the installation instructions of the required software.
Windows 10 | macOS | iOS | Android | |
Microsoft Office & Microsoft Outlook |
Office 365 or Office 2016 |
Office 365 |
Microsoft Office & Microsoft Outlook |
Microsoft Office & Microsoft Outlook |
Azure Information Protection (AIP) Client or Viewer |
AIP Client [1] |
Adobe Reader and Plug-in for Acrobat Reader DC Continuous |
AIP Viewer [3] | AIP Viewer [3] |
(Important: Remember to sign in to your Microsoft Office with your ITSC username and password after the installation.)
[1] For Windows users, follow the steps below to install the AIP Client to read and protect documents (including PDFs).
- Visit the webpage (https://www.microsoft.com/en-us/download/details.aspx?id=53018)
- Press the “Download” button
- Select “AzInfoProtection_UL.exe” option by checking the checkbox next to it. (make sure you have selected the correct option)
- Press the “Next” button
- Install that software when the download is finished.
- Restart Outlook or Word if the Sensitivity icon is dimmed.
2. Viewing Encrypted Documents
Before you begin… Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office. |
a. Viewing encrypted office documents (e.g. Word, Excel, PowerPoint)

b. Viewing encrypted files other than Microsoft Office documents
- For PC user users, start the Azure Information Protection Viewer app
- Press the “Open” button
- Browse the file to open it
- For mobile users, you can send the protected PDF to the AIP Viewer or choose to open it with the AIP Viewer.
e.g. use the following icon (navigation action) to send it to the AIP Viewer in iOS: - For MacOS users, please use Adobe Reader with Adobe plug-in.

3. Protecting Documents with Sensitivity Labels
Before you begin… Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office. |
a. What are Sensitivity Labels?
A Sensitivity Label is used to quickly apply encryption and permission settings to a document. Some content markings (e.g. footer or watermark) may also be added to a document to reflect its importance.
Label | Encryption | Sharing Options | Content Markings |
Highly Confidential | Applied | User-defined permission | “Highly Confidential” in watermark and footer |
Confidential/ HKUST Restricted | Applied | All HKUST staff with read and write permission | “Confidential – HKUST Restricted” in footer |
Public | None | Not Applicable | None |
Notes: The labels shown here may be slightly different in different departments.
Tips: Documents with sensitive and confidential information should always be encrypted. |
b. Apply a sensitive label to your documents for encryption
In Microsoft Office, the labels you can use are shown under the Sensitivity button in the Ribbon.
Different labels provide different encryption and permission settings, and may apply visual markings (e.g. footer or watermark) to your documents. Please refer to the previous step to see a summary of sensitivity labels.
Labels with encryption settings should be used to encrypt and protect sensitive or confidential documents. You may use one of the following two labels to encrypt your documents with different permission settings.
-
Confidential / HKUST Restricted
It is used to encrypt your documents and allows only HKUST staff members to have the read and write permission. It will also turn on the footer with “HKUST Restricted” in your document. -
Labels with User-defined Permissions
The following label is used to encrypt your documents with user-specific permissions.
- Highly Confidential
When you apply either one label to your document, a screen will then pop up for you to specify the permission for your intended users.
Only the assigned users (whose user accounts you have entered) can open the encrypted document with the assigned permission.
4. Encrypting Office Documents or PDF Files Using the AIP Client (Windows only)
Before you begin… Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office. |
Apart from using Microsoft Office to protect your document, user may also Azure Information Protection client with custom protections. When you protect a file in-place, it replaces the original unprotected file. You can then leave the protected file where it is (either on PC or on-cloud) and copy it to another folder or device. You can also attach the protected file to an email message.
To protect a file on a device:
- In File Explorer, select a file to protect. Right-click, and then select Classify and protect.
Note: You can also protect multiple files and a folder. When you select a folder, all the files in that folder are automatically selected for protection. You will need to perform file protection for any newly added files as new files will not be automatically protected.
- Apply a Highly Confidential label (for example)
- Select Protect with custom permissions with one of the following options:
-
Viewer – View Only
Users can view the attachments, but cannot print, edit, or copy content. -
Reviewer – View and Edit
User can view and edit the attachments but cannot print or copy content. -
Co-Author – View, Edit, Copy and Print
Users can view, edit, copy, and print the attachments, but cannot unprotect the content. -
Co-owner – All permission
Users have full control for the attachments; they can view, edit, print, and unprotect the content. - Only for me
-
Viewer – View Only
- Select the users, groups or organizations or type the users email address(es). For example, a Viewer permission for usera@ust.hk and userb@ust.hk
- Click Apply and you may see a dialog box telling you that the files are protected.
Note: Only the Windows version can add protection to PDF files.
5. Change the Protection on a File
Before you begin… Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office. |
Follow the steps in Encrypting Office documents or PDF files using AIP Client to assign new label or permission settings for the file.
For files with custom permission together with specified users, you may just update the user list and modify the permission settings. For example, adding userc@ust.hk@ust.hk to Select users, groups or organizations section to enable userc@ust.hk (in additional to usera@ust.hk and userb@ust.hk) to have view only access rights to the document.
6. Removing encryption from a protected file
Before you begin… Make sure you have completed Step 1 – Getting Started to install the required software for your computer and properly sign-in to your Microsoft Office. |
If you want to remove the protection from a file,
- Right-click the file
- Click Classify and protect
- Click Delete Label and then un-check the protect with custom permissions option (Note: You must be an owner of the file to remove the protection).