This post has been republished via RSS; it originally appeared at: Azure Information Protection Blog articles.
This blog is updated for November 2019 and includes the latest Microsoft Information Protection capabilities that are now available.
Unified labeling is here and it is the next step in the Microsoft Information Protection story. Each new Microsoft product and service that utilizes classification and protection capabilities (and 3rd party ones using MIP SDK capabilities) will require unified labeling. Because of this, now is the time to execute a migration to this service as there is zero risk when done properly following our recommended steps.
The primary migration plan is to migrate labels and policies from the Azure Information Protection blade in the Azure portal to the Office 365 Security & Compliance Center, re-create your label conditions and deploy a Unified Labeling supported client, via an add-in or built-in Office 365 apps. Both can be deployed as a new installation or in-place upgrade to the Azure Information Protection client (classic). If you want to understand why this is necessary and why the migration plan is not as complicated as it initially sound, please continue to review the information contained in this blog.
Note: Unified labeling support is only available for commercial cloud tenants.
Unified labeling Migration
Back in 2016 when the Azure Information Protection client was initially released, it was the first Microsoft product that introduced labeling capabilities which was applied on top of the already available Azure Rights Management service. The Azure Information Protection blade in the Azure portal replaced the old Azure Rights Management interface which was available only in the Azure classic portal. At that point, Azure Information Protection was the only product that supported labeling of sensitive content as part of Microsoft portfolio.
Based on customer feedback and the evolution of Office 365, a strategic decision was made to integrate Azure Information Protection labeling capabilities into Office 365 services. Because the Office 365 suite of products were managed from the Office management portals and the plan included a big initiative to integrate Azure Information Protection labeling capabilities into Office 365 and many other Microsoft and 3rd party products, a unified approach has been agreed upon and initiated these changes:
- Microsoft introduced a unified SDK to be implemented by all applications and services that want to use Azure Information Protection classification and labeling – the Microsoft Information Protection SDK.
- A unified backend in the Office 365 eco-system to manage the Azure Information Protection labels – the Office 365 Security & Compliance Center (same label admin capabilities are also available at Microsoft 365 Security and Microsoft 365 Compliance portals).
- Referring to Azure Information Protection labels in a consistent and short name which will also differentiate from Retention labels that are already exist in Office 365 platform – Sensitivity labels.
Performing these changes caused the creation of a new label management tab, in addition to a new client support (via add-in and built-in Office 365 apps) that is based on the Microsoft Information Protection SDK. Unlocking the availability of Sensitivity labels across the complete Microsoft 365 platform.
At the time of writing this blog (Updated on November 2019), there are 2 main label management portals which are supported by different products:
- Azure Information Protection blade in the Azure portal - Supported by:
- The Azure Information Protection client (classic)
- The Azure Information Protection scanner (classic)
- Microsoft Cloud App Security
- Unified labeling console in Office 365 Security & Compliance Center – Supported by:
- The Azure Information Protection unified labeling client
- Microsoft Cloud App Security
- Azure Information Protection Scanner (in preview)
- SharePoint Online (in Preview)
- Office 365 apps for Windows, MacOS, iOS and Android (built-in without an add-in requirement)
- Office for the web (in Preview for SharePoint Online integration preview customers)
- Outlook for the web
- Outlook for mobile devices (iOS & Android)
- PowerBI Data protection (in preview)
- Microsoft Information Protection SDK and applications based on it (For example: Adobe Acrobat)
As you can see and understand, moving forward, every app and service that implement labeling capabilities in Microsoft will be using unified labeling exclusively. In addition to that, the Azure Information Protection client (classic) and portals are still here but not for long (a separate announcement will be published in the future and will details the specific plans).
Lastly, unified labels support advanced capabilities that aren’t available when Azure Information Protection labels are in use and are now available as part of the native integration with the Microsoft 365 platform. Some of these capabilities are:
- Enable sensitivity labels in Office 365 cross platform apps without deploying a client.
- Unified experience with applying sensitivity labels across Office 365 apps and services (built-in and with an add-in).
- Advanced label automation with the same logic as used by Office 365 DLP with sensitive information types, custom and pre-defined.
- Flexible label polices which now can scope the same label to multiple policies.
There is no risk for end users and production environment in migrating to unified labeling today, the migration process from Azure Information Protection backend to Security and Compliance backend is separated for labels and policies. So as long you didn’t publish a unified labeling policy or didn’t deployed an application that support unified labeling, nothing happens for end users!
So, what now? It’s time to migrate to unified labeling!
Are you a new customer who is just starting your Information Protection journey? Start with unified labeling and create your policies and labels in the Office 365 Security & Compliance Center (Or Microsoft 365 Compliance / Microsoft 365 Security portals in case you are a Microsoft 365 customer). New tenants are already enabled with unified labeling, so no action is required from your side. If no labels are already created and you wish to leverage Azure Information Protection default labels, go to the Azure Information Protection blade in the Azure portal and generate the default labels (Fig. 1). In addition, verify that your tenant is already migrated to unified labeling, if not, go to the unified labeling blade and activate the migration (Fig. 2). Once the service side configuration has be completed, continue to “Phase 3 – Client deployment” part of this blog to understand which client you should deploy so your users can leverage labeling capabilities in their environment.
Fig 1. Generate default labels
Fig 2. Unified labeling migration activated
Are you an existing Azure Information Protection customer who wish to migrate to unified labeling? Here are the suggested steps you should perform to plan and execute the migration:
Phase 1 – Planning
Unified labels support most functionalities that are available in Azure Information Protection labels, some functionalists are not available, and some are configured differently when managed from the Security & Compliance Center. There are also difference between which capabilities are available in each platform. Please review the following:
- Client differences between the classic client for Azure Information Protection, and the unified labeling client.
- How sensitivity labels work in Office apps, to learn about the built-in labeling capabilities, the supported environments and when they are available.
- Label settings that are not supported in the admin centers and learn how they are manageable.
- Features not planned to be in the Azure Information Protection unified labeling client. As a clarification please note that although custom permissions are not supported in the unified labeling client as a standalone action with the Office add-in, it is supported as a label that is configured with User Defined Permissions action.
- How you can use the AIP Unified Labeling client TODAY blog.
If one of the documented differences impact your end users’ behavior, please reflect this accordingly in your end user communication before deploying the latest client and publishing the unified labeling policy.
As of today (Updated on November 2019), the Azure Information Protection scanner and Analytics supports Unified Labels, are in preview and managed from the Azure Information Protection blade in the Azure Portal. Please note that Azure Information Protection Analytics - audit activities that are generated only form the Azure Information Protection client (Classic and Unified Labeling).
Phase 2 – Service migration
After you have reviewed the 1st phase, it’s time to migrate your labels and policies to the Security & Compliance Center. It is important to mention that “Migrate” doesn’t mean you need to move away from managing labels and policies in the Azure Information Protection blade and the Azure Information Protection client (classic). This migration can happen in the background and works side by side with no additional configuration.
Migration is a 2-step action:
- Enable label migration (Mandatory step).
- One-time policy copy from Azure Information Protection blade to Security & Compliance (Optional step).
Step 1: Label migration
We will start with describing what happens when you migrate your Azure Information Protection labels to unified labels. This happens once you click the “Activate” (Fig 3) button under “Unified Labeling” blade.
Fig 3. Unified Labeling activation button for label migration
Before you activate the migration, both Azure Information Protection backend and unified labeling backend are 2 separate services which work independently (Fig. 4). Once you activate the unified labeling migration, the labels are copied from the Azure Information Protection backend to the unified labeling backend and both services are using the same backend to store labels (Fig. 5). This means that every change you perform to any label at any portal will be changed also in the other portal.
Fig 4. Service architecture pre-unified labeling migration
Fig 5. Service architecture post unified labeling migration
After you activate the unified labeling migration, your labels are expected to be visible in both the Azure Information Protection blade and unified labeling page in the Security & Compliance Center (Fig 6).
Fig 6. Azure Information Protection and unified labeling in the Microsoft 365 compliance center post migration UI.
Moving forward you can manage your labels at one place. After the migration, when you edit a migrated label in the Azure Information Protection blade, the same change is automatically reflected in the admin centers. However, when you edit a migrated label in the Security & Compliance Center, you must return to the Azure Information Protection blade, go to Azure Information Protection - Unified labeling blade, and select Publish. This additional action is needed for the Azure Information Protection clients (classic) to pick up the label changes. Once you are fully migrated to the unified labeling client, you no longer need to do this step, so migrating quickly helps to reduce this administrative overhead.
As you may notice, label configuration in the Security & Compliance Center doesn’t include some of the advanced settings that were able to be configured using Azure Information Protection labels. These configurations are now applied to the label after its initial creation / migration using the Security and Compliance PowerShell module. Here are few examples of these configurations:
- Specify a color for the label
- Specify a default sublabel for a parent label
- Configure a label to apply S/MIME protection in Outlook
A full list of all the advanced label settings is published here with instructions how to apply them. Please note that these label advanced settings are supported only by the Azure Information Protection unified labeling client on Windows and not by the Office 365 apps built-in integration with unified labeling.
Step 2: Copy policies
Once your labels have been migrated to Security & Compliance center we can discuss and check the possibility to migrate your policies as well with a one-time copy action (Fig 7.) Policies can be migrated or otherwise, you can create them manually and start this part from scratch.
Fig 7. Copy Policies (preview) button
Selecting “Copy policies (preview)” will perform a one-time copy of your policies with their settings and any advanced client settings to the Security & Compliance center (Fig 8). Before doing that, there are few considerations that you should be aware of:
- Copy policy is being done for all policies that are configured in the Azure Information Protection blade.
- Once policies are being copied, they will automatically be published to all Unified Labeling supported clients. Please don’t copy your policies if you don’t want to publish them.
- To avoid duplications and conflicts, policies that are copied to Security & Compliance center naming convention is “AIP_<policyname>”. That mean that policies that are already configured in the same name in Unified Labels policy will be overridden (for example, you performed an update in Azure Information Protection policies and would like to update the policies in Security & Compliance, additional click on “copy policies” will update them).
- Due to different policy design, few advanced client settings are not copied in the process, these are “LabelbyCustomProperty” and “LabelToSMIME”.
- Unlike labels, copy policies doesn’t “synchronize” the policies between Security & Compliance center to the Azure Information Protection blade, once copied each platform policies is independent.
Fig 8. Copy policies summary after the action has been completed
As an Azure Information Protection admin, you probably noticed that some policy configurations are not available when you configure your policy in the Security & Compliance Center. In case you copied your policies using the “Copy Policies” feature then these configurations are copied as well. For future policy configuration you will decide to use, or if you created your label policy manually, these configurations should be applied to the policy you created in the Security & Compliance Center after its initial creation and using the Security & Compliance PowerShell module. Here are few examples for such configurations:
- For email messages with attachments, apply a label that matches the highest classification of those attachments
- Implement pop-up messages in Outlook that warn, justify, or block emails being sent
- Add "Report an Issue" for users
The full list of all the advanced policy settings is published here with instructions for how to apply them. Please note that these advanced settings (both for policies and labels) are supported only by the Azure Information Protection unified labeling client and not by the Office 365 built-in integration with unified labeling.
Important Note: If you use Microsoft Cloud App Security and Azure Information Protection labels (or intend to do so in the future), verify you have published at least 1 policy with minimal set of labels even if this is scoped to a single user. This is required for Microsoft Cloud App Security to identify all labels in the Security & Compliance Center and show them in the Microsoft Cloud App Security portal.
What doesn’t migrate and need to be created separately?
- Label conditions
- Label translations
Why? As mentioned earlier in this blog, conditions are more flexible and have additional advanced settings that allows better accuracy and less false positive matches. Therefore, they cannot be directly translated across the services.
Label conditions should be created manually under each unified label as they are far more flexible than their Azure portal counterparts. By the way – If you already have custom sensitive information types that were built to use with Office 365 DLP or Microsoft Cloud App Security you can apply them as-is to a unified label with simple configuration. Read our official documentation on how to create automated and recommend rules for unified labeling.
Label translations can be configured, once labels are migrated, using Security & Compliance PowerShell module using the set-label cmdlet with the -LocaleSettings parameter. Please note that translations are supported only for labels and with the Azure Information Protection Unified Labeling client.
Phase 3 – Client deployment
The last part is to verify the end users will be able to get the unified labeling policies and labels. For this they need a supported client that knows to connect to the Security & Compliance backend and pull the unified labeling policy. For all non-windows platforms, there is no Azure Information Protection client as labeling capabilities are already integrated, out of the box in Office clients for MacOS, Office for the web (preview), Outlook Web App and Mobile devices. Once labels are published, these platforms will be able to leverage them. Click here to read how to apply sensitivity label in each platform that supports built-in labeling. For Windows platform there are 2 options you can use if you are using Office 365 ProPlus:
- Use Office 365 built-in label support (Versions newer them 1910 - 12130.20272)
- Deploy the Azure Information Protection Unified Labeling client
More details on the functionality differences are detailed in the official client comparison. What should lead you in the decision are the required functionality in the current point and time for your organization. As we move forward, more functionalities will be added to the built-in capability that doesn’t require an add-in to be deployed. Here is a short table that describe the major differences between these options:
You can read more on the capabilities that are currently supported with Office 365 apps built-in labeling in this official documentation.
For Windows Office perpetual clients (2010, 2013, 2016, 2019), install the Azure Information Protection unified labeling client (Option 2) which can be downloaded from http://aka.ms/aipclient (verify you download the AzInfoProtection_ul.exe file. If you currently have Azure Information Protection client (classic) deployed, installing the unified labeling client will perform an in-place upgrade.
See the following screenshots (Fig. 9) that describe the experience across multiple platforms. You can also see this in the latest official documentation.
If you published your labels and the clients that have built-in support do not show the “Sensitivity” button, review the troubleshooting guide that covers this topic.
Fig 9. Consistent user experience for applying Sensitivity labels across different platforms.
The main differences for end users who use the classic client for Azure Information Protection today and move to use the unified labeling client is the new “Sensitivity” button that replaces the “Protect” button (Fig. 10). The functionality and experience to apply labels remains the same with the vertical bar across all platforms and with the horizontal bar which is exclusive to the Azure Information Protection unified labeling client in Windows.
Fig. 10 – End users changes when upgrading from the classic client to the unified labeling client
That’s it! Once you have performed the steps mentioned above, you have completed your migration to unified labeling and are now ready for the future and the exciting updates that will be available soon across the Microsoft 365 platform!
You can manage labels in one place which is the unified labeling console in Office 365 Security & Compliance Center. The only reason you may still need to use the Azure Portal for Azure Information Protection, is to manage the Azure Information Protection scanner and to monitor label activities using Azure Information Protection analytics.
If you have questions or want to follow up on the latest updates from Microsoft Information Protection, please review these resources: