Azure Information Protection (AIP) unified labeling in Microsoft 365 gives organizations an integrated and consistent approach to creating, configuring, and applying labels and policies to protect information worker data across all locations. Workloads that support unified labeling, such as the AIP unified labeling client and scanner, Office 365 apps, Office for the web, SharePoint, OneDrive, MCAS and many more, can apply these policies in a consistent manner. The AIP classic client and label management in the AIP Portal will be deprecated for sovereign clouds on September 30, 2021, so administrators are strongly encouraged to move their environment to unified labeling.
AIP unified labeling is generally available to Government Community Cloud High (GCC-H) environments and this release brings data discovery, classification, and protection capabilities to government Microsoft 365 instances.
Activating unified labeling for GCC-H is quite different from commercial and regular GCC environments. Commercial and regular GCC environments require administrators to navigate to the AIP blade in the Azure Portal to activate unified labeling. “Activating unified labeling” is not relevant to GCC-H tenants. All GCC-H tenants are already enabled for unified labeling; therefore, this step is not required.
Once unified labeling is enabled, commercial and GCC clouds can migrate their AIP classic client labels directly to the Security and Compliance Center, whereas this is not applicable to GCC-H tenants. GCC-H tenants require a manual migration of their AIP labels and protection templates to the Security and Compliance Center.
Migrating your labels from one portal to the next provides continuity and consistency of labels from your AIP classic environment to your Microsoft Information Protection ecosystem. Ideally, your end users will be using the same label name, label template and (optionally) protection template.
This blog gives an end-to-end use case example on how a GCC-H admin can migrate their parent label and sublabel with its corresponding protection template from the AIP Portal to the Security and Compliance Center. Additional information about label migration can be found in our official documentation.
Note: For new GCC-H tenants, label migration is not applicable. Please create new labels directly in the Security and Compliance Center.
Label Migration at a High Level
At a high level, the steps to migrate AIP labels from the AIP Portal to the Security and Compliance Center are:
1. Retrieve label(s) properties from the AIP Portal
2. Migrate label(s) from the AIP Classic Portal to the Security and Compliance Center
3. Verify labels have been migrated to the Security and Compliance Center
Retrieve Label Properties from the AIP Portal
In this exercise, we will be migrating the parent label “Highly Confidential” with its corresponding sub label “All Employees”. First, we will retrieve the label properties and settings from the AIP Portal.
Note: When doing this exercise, administrators can retrieve all labels policies at one time.
Instructions:
- Navigate to the AIP Management Page within the Azure Portal
- Under Classifications, select “Labels”
- Select the parent label that you want to migrate. In this example we are migrating the label “Highly Confidential”
Figure 1: Selecting parent label to migrate
- Document parent label properties and settings using a spreadsheet, notepad, etc. This information will be used later in PowerShell
Figure 2: Parent label properties and settings
| Parent Label Property | Value | 
| Name (internal name; must be unique) | Highly Confidential | 
| Tooltip | Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. | 
| Display Name (displayed to end users) | Highly Confidential | 
| Identity | 06960349-c5b2-465e-8d31-1652e5969da4 | 
| Parent ID | |
| EncryptionEnabled | |
| EncryptionProtectionType | |
| EncryptionTemplateId | |
| EncryptionAipTemplateScopes | |
Table 1: Parent label settings and properties
- Under Classifications, select “Labels” again
- Select the sub label that you want to migrate. In this example we are migrating sub label “All Employees”
Figure 3: Selecting sub label to migrate
- Document sub label properties and settings using a spreadsheet, notepad, etc. This information will be used later for PowerShell
Figure 4: Sub label properties and settings
- (Optional) If your sub label has encryption, you will need to get the protection ID. Select Protection in your sub label properties.
Figure 5: Sub label protection selection
- (Optional) Document sub label protection template ID using a spreadsheet, notepad, etc. This information will be used later for PowerShell.
Figure 5: Sub label protection template ID
| Sub Label Property | Value | 
| Name (internal name; must be unique) | All Employees | 
| Tooltip | Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content. | 
| Display Name (displayed to end users) | All Employees | 
| Identity | d90363e7-f9a6-43b6-b83f-ac66df2c3c01 | 
| Parent ID | 06960349-c5b2-465e-8d31-1652e5969da4 | 
| EncryptionEnabled | True | 
| EncryptionProtectionType | Template | 
| EncryptionTemplateId | 19989161-dacd-409c-ab97-48d1433e1de7 | 
| EncryptionAipTemplateScopes | |
Table 2: Sub label settings and properties
Migrate AIP Labels to the Security and Compliance Center
In this section, we will be connecting to the Security and Compliance Center PowerShell module to migrate our AIP labels to the new management portal.
- Open PowerShell in administrative mode
- Import Security and Compliance PowerShell Module
Import-Module ExchangeOnlineManagement
- Connect to Security and Compliance Center for GCC-H
Connect-IPPSSession -UserPrincipalName <UPN> -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
Example:
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
- Migrate parent label from Azure Portal to Security and Compliance Center using the ‘New-Label’ cmdlet in PowerShell
New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113'
Example: Migrate parent label “Highly Confidential” from Azure Portal to Compliance Center using the parent label properties.
| Parent Label Property | Value | 
| Name (internal name; must be unique) | Highly Confidential | 
| Tooltip | Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. | 
| Comment | Highly Confidential Parent Label | 
| Display Name (displayed to end users) | Highly Confidential | 
| Identity | 06960349-c5b2-465e-8d31-1652e5969da4 | 
| Parent ID | |
| EncryptionEnabled | |
| EncryptionProtectionType | |
| EncryptionTemplateId | |
| EncryptionAipTemplateScopes | |
New-Label -Name 'Highly Confidential' -Tooltip 'Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.' -Comment 'Highly Confidential Parent Label' -DisplayName 'Highly Confidential' -Identity '06960349-c5b2-465e-8d31-1652e5969da4'
- Migrate sub label from Azure Portal to Security and Compliance Center using the ‘New-Label’ cmdlet in PowerShell
New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId 'a32027d7-ea77-4ba8-b2a9-7101a4e44d89' -EncryptionAipTemplateScopes "['allcompany@labelaction.onmicrosoft.com','admin@labelaction.onmicrosoft.com']"
Example: Migrate sub label “All Employees” from Azure Portal to Compliance Center using the sub label properties.
| Property | Value | 
| Name (internal name; must be unique) | All Employees | 
| Tooltip | Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content. | 
| Comment | Highly Confidential All Employees sub label | 
| Display Name (displayed to end users) | All Employees | 
| Identity | d90363e7-f9a6-43b6-b83f-ac66df2c3c01 | 
| ParentID | 06960349-c5b2-465e-8d31-1652e5969da4 | 
| EncryptionEnabled | True | 
| EncryptionProtectionType | Template | 
| EncryptionTemplateId | 19989161-dacd-409c-ab97-48d1433e1de7 | 
| EncryptionAipTemplateScopes | contoso@contoso.onmicrosoft.com | 
New-Label -Name 'Highly Confidential All Employees' -Tooltip 'Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.' -Comment 'Highly Confidential All Employees sub label' -DisplayName 'All Employees' -Identity 'd90363e7-f9a6-43b6-b83f-ac66df2c3c01' -ParentId '06960349-c5b2-465e-8d31-1652e5969da4' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId '19989161-dacd-409c-ab97-48d1433e1de7' -EncryptionAipTemplateScopes "['allcompany@contoso.onmicrosoft.com']"
Verify labels have been migrated to the Security and Compliance Center
Finally, we will verify that our labels have been migrated from the AIP Portal by navigating to the new label management portal, the Security and Compliance Center.
- Sign in to the Security and Compliance Center for GCC-H
- Go to your Information Protection tab
- Verify your new labels have been created
Figure 6: Security and Compliance Center label management
Note: Policies are not migrated from the AIP Portal to the Security and Compliance Center. Administrators will have to create new label policies in the Security and Compliance Center.
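The migration and verification steps above as one script, as an added example that is not part of the original post: it checks that every documented GUID parses before anything is created, creates parent labels before sub labels, and then confirms with Get-Label that each label kept the GUID it had in the AIP Portal. The label values are the ones from the tables and New-Label commands above; `$labels`, `$DryRun` and the Get-Label check are choices made for this example, and a session opened with Connect-IPPSSession is assumed.

```powershell
# Added example, not from the original post. Assumes Connect-IPPSSession was already run.
# $labels and $DryRun are illustrative names; label values come from the tables above.
$DryRun = $true   # $true only prints what would be created

$labels = @(
    @{ Name = 'Highly Confidential'; DisplayName = 'Highly Confidential'
       Tooltip = 'Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.'
       Comment = 'Highly Confidential Parent Label'
       Identity = '06960349-c5b2-465e-8d31-1652e5969da4' },
    @{ Name = 'Highly Confidential All Employees'; DisplayName = 'All Employees'
       Tooltip = 'Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.'
       Comment = 'Highly Confidential All Employees sub label'
       Identity = 'd90363e7-f9a6-43b6-b83f-ac66df2c3c01'
       ParentId = '06960349-c5b2-465e-8d31-1652e5969da4'
       EncryptionEnabled = $true; EncryptionProtectionType = 'template'
       EncryptionTemplateId = '19989161-dacd-409c-ab97-48d1433e1de7'
       EncryptionAipTemplateScopes = "['allcompany@contoso.onmicrosoft.com']" }
)

# 1. Reject mistyped GUIDs before anything is created: a wrong Identity or
#    EncryptionTemplateId would create a label that no longer matches the AIP one.
foreach ($l in $labels) {
    foreach ($key in 'Identity', 'ParentId', 'EncryptionTemplateId') {
        $parsed = [guid]::Empty
        if ($l.ContainsKey($key) -and -not [guid]::TryParse($l[$key], [ref]$parsed)) {
            throw "Label '$($l.Name)': $key '$($l[$key])' is not a valid GUID"
        }
    }
}

# 2. Create parents first so that -ParentId always refers to an existing label.
$ordered = $labels | Sort-Object { $_.ContainsKey('ParentId') }
foreach ($l in $ordered) {
    if ($DryRun) { "Would create '$($l.Name)' with GUID $($l.Identity)"; continue }
    New-Label @l | Out-Null   # hashtable keys are splatted as New-Label parameters
}

# 3. Verify: each label must exist under the GUID it had in the AIP Portal.
foreach ($l in $labels) {
    $found = Get-Label -Identity $l.Identity -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name          = $l.Name
        ExpectedGuid  = $l.Identity
        Found         = [bool]$found
        GuidPreserved = [bool]$found -and ("$($found.Guid)" -eq $l.Identity)
    }
}
```

With `$DryRun = $true` the final report shows `Found = False` for labels that do not exist yet; after a real run, every row should show `GuidPreserved = True`.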
Sunsetting Label Management in the Azure Portal and AIP client (classic)
We have a plan to sunset label management in Azure Portal and AIP client (classic) for Government Cloud Customers. Meanwhile, Government Cloud Customers who own licenses for AIP will receive continued support for the classic client for 12 months after the general availability of unified labeling for Government Cloud. Government Cloud Customers who may need features that are not yet in the latest release of the unified labeling client can ask for additional extended support for the classic client here before September 30, 2021.
Azure Information Protection's classic client and Label Management in the Azure Portal will be deprecated on September 30, 2021 for Government Community Cloud customers. For information on admin experience post deprecation date, check out this blog.
Note: AIP UL scanner management will still be available on AIP portal and will not be deprecated.