Sending and Reading Confidential Emails with Azure Information Protection (AIP)

You may use Azure Information Protection (AIP) to send emails with sensitive or confidential information to users to ensure email confidentiality and so only authorized users can read the emails.

Using Sensitivity Labels in Microsoft Outlook

With Microsoft Outlook, you may apply one of the following sensitivity labels to control the protection to your emails when they are sent to your recipients.


Sensitivity Labels 

HKUST Restricted 

Highly Confidential 


Suggested Usage 

A quick and easy way to protect emails to ensure access by only HKUST (CWB) staff 

Protects emails for access only by specified recipients 

Optionally to indicate the email containing non-sensitive or confidential information.  

Authorized Recipients 

The recipients must be HKUST (CWB) staff (, email aliases also work). 

Sender can specify any email addresses as recipients 

Email does not have encryption protection and is readable by any recipients specified by sender. 

Email Protection 

Recipients can read the email and perform the following actions: 

  • Can forward 

  • Can print 

  • Can copy email contents 

Recipients can read the email but cannot perform the following actions: 

  • Cannot forward 

  • Cannot print 

  • Cannot copy email contents 

Do not have any restriction or protection to the email 


Using the sensitivity label, HKUST Restricted

The sensitivity label, HKUST Restricted, is used when you wish to protect your email such that only HKUST (CWB) staff members (with email addresses ending with can open to read it. Recipients will be able to read, copy, print and forward the protected emails. Users other than HKUST (CWB) staff members will not be able to open the emails protected by HKUST Restricted.

HKUST (CWB) staff members can use Microsoft Outlook (or Outlook on the Web) to read the protected email seamlessly. However, if they are using other email clients. They cannot see the email contents directly. They will see a screen (similar to the image below) and need to click on the “Read the message”.  They will then be redirected to Microsoft to login with their ITSC usernames and passwords from a browser. When the authentication is successful, they can read the protected message from the browser.

Image 1 - The screen users will see when HKUST (CWB) staff members are not using  
Microsoft Outlook to read a HKUST Restricted email


The HKUST Restricted label restricts emails to be readable only by HKUST (CWB) staff members. If you need to send a protected email to other users (e.g. HKUST (GZ) staff, HKUST student, or external users), you need to use the Highly Confidential label instead.

Using the Sensitivity Label, Highly Confidential

The sensitivity label, Highly Confidential is used when you would like to specify which recipients can open and read the email. Recipients can be any users (e.g. staff members and students of HKUST (CWB) and HKUST (GZ), and any external users). Only the specified recipients can open and read the email contents. However, they cannot forward, print, or copy the email contents.

Email Clients & Microsoft Accounts

If your recipients are using Microsoft Outlook and using Microsoft accounts as their email addresses, they can read the protected email directly in Microsoft Outlook. If they are not using Microsoft Outlook or if their email addresses are not Microsoft accounts, they will be redirected to Microsoft for further authentication before viewing the contents of the protected emails.

Technically, Microsoft accounts are the accounts with which users use to login to their Microsoft Office. In general, users from UGC-funded institutions in HK are using Microsoft accounts. Email addresses from are also examples of Microsoft accounts.

If your recipients are not using Microsoft Outlook or not using Microsoft accounts, they will see the following screen when they receive the protected email.

Image 2 - A sample screen that users will see if they are not using Microsoft Outlook or they are not using Microsoft accounts

To read the protected email, your recipients need to click on the “Read the message” button. They will then be asked to Sign In (with the email provider) or Sign in with a one-time passcode in a popup browser. Depending on the email provider of your recipients, the option of signing in with their email providers may be different or not available. For example, the following images are sample screens from and


Image 3 -  A sample screen that Gmail users will see when they click on "Read the message" button
after receiving an AIP protected email


Image 3 –  A sample screen of Yahoo Mail users will see when they click on "Read the message" button
after receiving an AIP protected email


If “Sign in with a One-time passcode” is selected, Microsoft will send a one-time passcode to your recipient’s email address, he or she will then need to enter the passcode on the screen for verification.


Image 4 – Users will need to enter the one-time passcode for verification if “Sign in with a One-time passcode”
is selected when they receive an AIP protected email. 


The protected email will be displayed in the browser when the authentication is successful.   

Image 5 – The contents of the protect email are displayed after successful authentication 


Changing or Removing a Sensitivity Label

Before the email is sent, you may remove the sensitivity label applied to the email by applying the same label to the email again. If you select another sensitivity label, the email will be protected according to the label you have selected at the end.


Protection for Email Attachments

When you attach a Microsoft Office file (e.g. Microsoft Word, Excel or PowerPoint) to an email protected by AIP, Outlook will apply the same protection to the file when the email is sent. However, if the attached file is already with a sensitivity label, the label applied to the attachment will remain unchanged.

If recipients would like to download and open the attachments in their computers, they will need to have a valid Microsoft Office license with the email address that the email is sent to. Without the license, they will not be able to download and open the attachments in the email protected by AIP.