Protecting Documents with Azure Information Protection (AIP)

When documents contain sensitive or confidential information, you may use AIP to protect the documents such that only authorized persons can open and read the documents. AIP is applicable to Office documents such as Microsoft Word, Excel, and PowerPoint.

Sensitivity Labels 

With Azure Information Protection (AIP), we apply a sensitivity label to classify a document according to the HKUST Data Classification Guidelines.  The sensitivity labels, “HKUST Restricted” and “Highly Confidential” will enforce encryption to protect documents such that they can only be accessed by authorized users [1].  Below is a summary of the sensitivity labels you may use to protect your documents with AIP. 



Sensitivity Labels 

HKUST Restricted 

Highly Confidential 


Suggested Usage 

A quick and simple way to protect a document for access by HKUST (CWB) staff only  

Protects documents for access by specific users who could be members of HKUST (CWB), HKUST (GZ) or external users.  

Optionally classify a document for public access.   

Authorized Users 

HKUST (CWB) staff members only 

Specified by the document owner [2] 

Documents do not have encryption protection and can be opened by anyone. 

Allowed Permissions 

Read and Write only 

Specified by the document owner 

No restrictions



[1] Authorized users will need to login to Microsoft Office with their credentials.  For HKUST (CWB) staff, they need to login with their ITSC username ( and passwords.  Other users will need to login with their own accounts which have a valid Microsoft Office license.   

[2] You need to enter the username with which your authorized users will use to open the document.  The usernames will need to be valid Microsoft accounts which they use to activate their Microsoft Office.   For HKUST, you enter their email address, but alias (e.g. not  



AIP Client and Microsoft Office 

For Microsoft Office 365, the sensitivity labels are available in the ribbon bar of Word, Excel, PowerPoint and Outlook. 

Image 1 - Sensitivity labels are available in the ribbon bar in Microsoft Office 365 applications.

Please note that you will need to sign in to Microsoft Office applications with your ITSC username and password.  Restart the applications if the sensitivity labels are dimmed or not visible.

For Microsoft Office 2016, you need to install the AIP client to enable the AIP features.  


The AIP client (only available to Windows) allows you to apply a sensitivity label to a file by mouse right-clicking it in in Windows File Explorer. Then select “Classify and protect” from the pop-up menu.

Image 2 – The AIP client (Windows only) allows you to apply a sensitivity label to a file by mouse right-clicking to it,
then select "Classify and protect" in Windows File Explorer

Click here to view how to download and install the AIP client application.



Using HKUST Restricted

The sensitivity label, HKUST Restricted, is used when you wish to protect documents such that only HKUST (CWB) staff members (with email addresses ending with can open them to read or write. Users other than HKUST (CWB) staff members will not be able open the documents protected by HKUST Restricted. It is a fast and simple way to protect documents for use by HKUST (CWB) staff members.


Using Highly Confidential

Using the sensitivity label, Highly Confidential, allows you to specify which users can open the document with specific permission. 

User Permission

For Microsoft Office 365 users, when you apply the “Highly Confidential” label to a document within Word, Excel or PowerPoint. You may specify the persons to have the Read or Write permission.

Image 3 – Applying the Highly Confidential label within Microsoft Office 365 Word, Excel or PowerPoint.


With the AIP client (Windows only), there are more options of user permission to choose when you apply the Highly Confidential label to a document.

Image 4 – The AIP client offers more permission options to protect a file when it is used to apply a Highly Confidential label.



With the Highly Confidential label, you need to enter the users' accounts (usually their email addresses, but not email aliases) with which your users use to login to their Microsoft Office applications.  They will also need to have a valid Microsoft Office license when the open the protected document.

Notes: In HKUST, all users are using their email accounts (not email aliases) to login to Microsoft Office. However, some external users are not using their email addresses to login to Microsoft Office. You will need to ask your users which Microsoft accounts they are using to login to Microsoft Office before entering their accounts when protecting documents with AIP.


Changing or Removing a Sensitivity Label

To change a sensitivity label, you may select another sensitivity label in the “Sensitivity” button from the ribbon bar. To remove the applied label, you select the same label again to remove it.

To change a sensitivity label with the AIP client, you select another label in the AIP client. To remove the applied label, select Delete Label to remove it.

Image 5 - With the AIP client, you may change the label applied to the document by
selecting another one, or remove the applied label by selecting the Delete Label button.