Forum Discussion
Use of AIP scanner on-premises with classic labels now with future path to UL possible?
Chris JohnstonI am glad I can help. At the moment you activate the unified labeling the configuration you do in either portal will be available in the other. This means you do not have to recreate the settings from UL to classic or from classic to UL, (but from classic to UL you do need to publish them in a policy for users to see the labels, and for the UL labels to be seen by the classic portal you publish them from the unified labeling blade.).
Example:
1. You create a sensitivity label in the Office 365 portal. Almost immediately you will see the same label in your AIP portal. For the clients to pick up the changes you use the Publish option from the Unified labeling blade in the AIP portal.
2. You create a label in your Azure portal. Almost immediately you will see the label in your Office 365 portal.
This means you can do the work in the Office portal and still use the classic client to reach the same settings from the classic portal. The configuration is syncronized. That does not however mean that all settings are synchronized, but that is because at the moment there isn't what we call feature parity between the two, but this a matter of time. But, to answer your question: You can (depending on what configuration you have) use the exact same settings for a label that exists in both portals.
It can seem quite complex, and I am sorry if I am unable to make it clearer.
Pål Winther Thanks for the info - so would the label applied to an on-prem doc using AIP scanner essentially be agnostic of whether UL or AIP was in use on the tenant?
The issue is that we would ideally want to be using UL for the tenant but we would have a constraint of having to use classic labelling for on-prem whilst AIP scanner only supports classic. Presumably we'd have to keep AIP in classic running on tenant and then cut-over to UL once AIP scanner supports UL? I guess what I'm after here is the sequencing and any issues (presumably having a UL label same as AIP would be one which is why I'm thinking it would be classic AIP on tenant with a future cut-over to UL rather than trying to use UL and classic in parallel)
That is correctChris Johnston. Unified labeling vs classic labeling is all about the method used to label the content and not the label it self. They are both using the same base protection (RMS), and that is how a document protected by the classic client can be read when you have migrated to unified labeling. You can also use the unified labeling client to protect content and this can be read by people who only use the classic client (if that makes sense?). The protection is all about identities and the RMS service, and not about which client you use. Did I understand you correctly? 🙂
Thanks Pål Winther its' getting much clearer 🙂
My remaining confusion is around how to configure the labelling in the tenant, Azure Portal for classic AIP vs unified labelling in security & compliance. Assuming AIP scanner can only consume classic, I will need Azure configured labels in the tenant whilst I am using the current AIP scanner which does not support UL. Will I be able to have identical UL labels configured for labelling the online content at the same time? (I suspect not) What happens once scanner then supports UL - do I migrate the classic labels in the tenant to UL? Essentially I'm after reassurance that we can start on a path now using AIP scanner for on-prem that will be compatible with current and future state of labelling config on the tenant (where ideally we'd want to use UL right now).
Chris JohnstonI am glad I can help. At the moment you activate the unified labeling the configuration you do in either portal will be available in the other. This means you do not have to recreate the settings from UL to classic or from classic to UL, (but from classic to UL you do need to publish them in a policy for users to see the labels, and for the UL labels to be seen by the classic portal you publish them from the unified labeling blade.).
Example:
1. You create a sensitivity label in the Office 365 portal. Almost immediately you will see the same label in your AIP portal. For the clients to pick up the changes you use the Publish option from the Unified labeling blade in the AIP portal.
2. You create a label in your Azure portal. Almost immediately you will see the label in your Office 365 portal.
This means you can do the work in the Office portal and still use the classic client to reach the same settings from the classic portal. The configuration is syncronized. That does not however mean that all settings are synchronized, but that is because at the moment there isn't what we call feature parity between the two, but this a matter of time. But, to answer your question: You can (depending on what configuration you have) use the exact same settings for a label that exists in both portals.
It can seem quite complex, and I am sorry if I am unable to make it clearer.
Pål Winther thanks for taking the time to explain labelling in depth, its much appreciated and gives me the steer that we are ok to proceed along the lines we were thinking. I think the next step is for us to set up a PoC to run through the config and steps.