
Security, Compliance, and Identity Blog

From bolt-on to built-in information protection in Microsoft 365 Apps

pefrem-MSFT
Microsoft
Oct 12, 2022
Updated Jan 23, 2022: Please review the most recent newsletter for important information about product timelines.
Updated Dec 5, 2022: updated dates and minimum version for the new configuration change

 

Welcome to the first quarterly newsletter from the team in Office responsible for sensitivity labels and encryption, powered by Microsoft Purview Information Protection. We’re excited to kick off this series to share with you what’s new and coming soon for information protection in Word, Excel, PowerPoint, and Outlook. Our goal is to provide regular updates to help you prepare your organization to take full advantage of information protection.

 

From Bolt-On to Built-In

Office apps have supported sensitivity labels since September 2018, starting in Office for PC, using the Azure Information Protection (AIP) Add-in. In October 2019, Office apps started providing the same functionality built into Word, Excel, PowerPoint, and Outlook, and expanded sensitivity labels across Mac, Web, and Mobile for a comprehensive, consistent, and seamless experience for end-users and admins.

 

Customers benefited from the choice between the AIP add-in or the built-in native labeling depending on the features they needed, but this also created challenges and tradeoffs for organizations:

 

Add-In Limitations
  • Add-in can be disabled by end-users, leaving your data potentially vulnerable.
  • Add-in features are “frozen in time” since December 2021 at the start of its maintenance period.

Degrades end-user productivity and satisfaction
  • Like most add-ins, AIP regularly impacts end-user productivity because of performance implications with the add-in.
  • Users of Office on other platforms face inconsistencies with sensitivity labeling since the Add-in only supports Office for PC.

Higher cost for IT
  • AIP Add-in requires separate configuration, deployment, and management from the rest of the admin experience.

 

Learn more about the benefits and methods for replacing the AIP Add-in with the built-in labeling solution in Office apps.

 

Today, we’re excited to announce the next evolution of the sensitivity labeling experience in Office apps. Starting in January, Office apps using Current Channel will automatically replace the AIP add-in with the built-in client alongside various new features that meet and exceed the AIP Add-in's capabilities.

 

This configuration change helps you accelerate your transition to the product experience that we believe best serves your organization’s current and growing needs for information protection. Check out the “coming soon” section below for more information, including resources to learn how to opt-out.

 

Note: this configuration change was delayed from December 2022 to January 2023. Updated above on December 5th, 2022.

 

What’s New

In case you missed it, let’s summarize the recent capabilities for sensitivity labels in Office. These features are exclusively available when using Purview Information Protection with the built-in labeling client for Office; none of these features is available with the AIP Add-in. Review a complete list of features for built-in labeling and their availability on other platforms or release channels.

 

PDFs created from Office apps inherit their source document’s sensitivity label, markings, and encryption.

 

Learn more: Microsoft 365 Roadmap 88516 | Office Insiders Blog | Compliance Admin Support | End-User Support

Sensitivity bar provides end-users with a prominent, streamlined user experience for viewing and applying sensitivity labels.

 

Learn more: Microsoft 365 Roadmap 88517 | Office Insiders Blog | Compliance Admin Support | End-User Support

SharePoint document libraries can apply a default label to new or edited files, offering a baseline level of protection based on the document’s cloud location, and a form of automatic labeling without content inspection.

 

Learn more: Microsoft 365 Roadmap 85621 | Tech Community Blog | Compliance Admin Support

User’s default labels apply to unlabeled documents when edited, ensuring the documents created before default label policies were published can benefit from the user’s baseline protection.

 

Learn more: Microsoft 365 Roadmap 93209 | Compliance Admin Support

Multiple users can edit encrypted documents on mobile devices, enabling Office’s collaboration tools on the go, from any device.

 

Learn more: Microsoft 365 Roadmap 88512 | Tech Community blog | Compliance Admin Support

Credentials sensitive information types allow you to detect individual credential patterns (access keys, tokens, general passwords, etc.) when using automatic classification.

 

Learn more: Microsoft 365 Roadmap 88941 | Tech Community Blog | Compliance Admin Support

Trainable classifiers ensure that you get the most relevant classification across multiple common business functions (such as finance, HR, healthcare, legal, procurement, and IT), as well as more granular categories like intellectual property, trade secrets, and personal financial information.

 

Learn more: Microsoft 365 Roadmap 98099 | Tech Community Blog | Compliance Admin Support

Emails can be encrypted with S/MIME as an outcome of labeling.

 

Learn more: Microsoft 365 Roadmap 93199 | Compliance Admin Support

Users can restrict access to domain names when using user-defined permissions, allowing them to configure access for all individuals in that domain.

 

Learn more: Microsoft 365 Roadmap 98131 | Compliance Admin Support

Limit copy-to-clipboard in Office for the web, ensuring users are less likely to copy sensitive content out of documents.

 

Learn more: Microsoft 365 Roadmap 98919

 

Coming Soon

We’re excited about the continued improvements and new scenarios coming to sensitivity labels built-in to Office apps in the next few months. Keep an eye out for these changes coming to Current Channel.

 

Configuration change in Office that disables the AIP add-in by default, with an opt-out policy admins can configure to delay the transition to built-in labeling.

 

Learn more: Compliance Admin Support

New email collaboration rules, allowing admins to configure a block/warn/justify experience when users send emails containing sensitive labels externally.

 

Learn more: Microsoft 365 Roadmap 100255

New automation for labeling emails based on their attachments’ labels, ensuring there’s one less step needed by end-users to protect their communications using context from their attachments.

 

Learn more: Microsoft 365 Roadmap 100490

New compliance configuration for scoping labels based on files vs. emails, empowering admins with more flexibility when deploying sensitivity labeling policies.

 

Learn more: Microsoft 365 Roadmap 99939

Improved logging of protection scenarios by including protection properties in the activity and content explorer audit logs.

 

Learn more: Microsoft 365 Roadmap 98135

Improved collaboration experience for files encrypted with user-defined permissions, allowing these documents to be opened, edited, seamlessly co-authored, and support AutoSave in Word, Excel, and PowerPoint apps on all platforms.

 

Learn more: Microsoft 365 Roadmap 85619

New sensitive information types and trainable classifiers provide you with the most relevant sensitivity labels based on the context they’re found in, such as credentials (access keys, tokens, general passwords, etc.).

 

Learn more: Microsoft 365 Roadmap 82116

 

Get started today

Whether you’re a new customer starting to use sensitivity labels in Office for the first time, or are transitioning from the AIP Add-in, here are some strategies to consider as you evaluate your adoption plans:

  • Review the licensing and system requirements for using built-in labeling in Office.
  • Review the existing capabilities of built-in labeling that you can begin evaluating today.
    • Tip: Create a script on your desktop to toggle the AIP Add-in on/off with a click. This will allow you to easily test how the built-in labeling responds to your current labeling policies that are already supported in your release channel.
  • Evaluate whether to opt-out of disabling the AIP Add-in. We recommend using this for customers who have regulatory obligations and require AIP Add-in functionality that’s not yet supported with built-in labeling.
    • Tip: Don’t delay your organization’s planning until your required features are supported in your release channel. It’s recommended to begin your planning now to allow you time to manage change effectively.
    • Tip: Reach out to your Microsoft account or support team for assistance.
  • Join the Customer Community Program (CCP) for access to demos from the product teams, webinars from experts, and private previews that give you early access to all sensitivity labeling features that are coming soon to built-in labeling in Office.
    • Tip: If CCP is not for you, consider enrolling some of your users in the Office Insider Program. This gives you self-guided access to preview features from across Office in your production tenant.
  • Try out a self-evaluation guide to help you assess how to transition to the built-in labeling client in Office.
  • Get started with the new add-in to built-in migration playbook.

We're excited for you to join us on this journey!

Updated Jan 24, 2023
Version 5.0
  • matt91070
    Brass Contributor

    Does Microsoft recommend going with the current channel instead of semi-annual? 

  • We recommend Current Channel, because it provides your users with the newest Office features as soon as they're ready. If you need additional predictability of when these new Office features are released each month, we recommend Monthly Enterprise Channel. In those cases where you've select devices that require extensive testing before receiving new features, we recommend Semi-Annual Enterprise Channel.

    For more information, please see Overview of update channels for Microsoft 365 Apps - Deploy Office | Microsoft Learn