Yes. Although Azure Information Protection is a cloud-based solution, it can classify, label, and protect documents and emails that are stored on-premises, as well as in the cloud.
If you have Exchange Server, SharePoint Server, and Windows file servers, you can deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents. You can also synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users, for example, by using Azure AD Connect.
The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn’t use an on-premises PKI. For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption section in the How does Azure RMS work? article.