At the Microsoft Ignite conference in September 2018, we announced the unified labeling platform. Since then, we’ve released public previews of the Azure Information Protection unified labeling client. Today we’re announcing that the Azure Information Protection unified labeling client is now generally available (GA), and we encourage you to start using it in your production environment.


Getting started

Releasing the Azure Information Protection unified labeling client is an important step towards enhancing the integration across Microsoft Information Protection solutions. This enables admins to manage all workloads from one admin center, the Office 365 Security & Compliance Center like all other Microsoft Information Protection workloads, including configuring and managing your sensitivity labels and protection policies.


The new unified labeling client includes several features to help you better protect your sensitive information, such as end-user driven manual labeling, automatic labeling and recommended labeling.


The unified labeling client is fully aligned with the 90+ sensitive information types found in the Microsoft 365 Compliance center and also supports custom sensitive information types, keyword dictionaries and complex conditions:


  • Custom sensitive information types allow you to create your own information types such as employee ID numbers, add keywords and set custom confidence levels.
  • Keyword dictionaries – admins can upload their own dictionary of terms that they want to automatically detect in documents and emails.
  • Complex conditions - allows you to use grouping and logical operators (AND, OR); you choose the logical operator between the sensitive information types within a group and between the groups.


Figure 1: Setting complex conditions for automatic labeling


These new capabilities help you to reduce the number of false positives, make your conditions more flexible, and make automatic labeling much more accurate.


Which client is right for me?


New customers: start with the Azure Information Protection unified labeling client.

Existing Azure Information Protection customers: review the comparisons between the Azure Information Protection client and the Azure Information Protection unified labeling client, in addition to the list of  unsupported features and choose the client that meets your business requirements.  


Note that going forward new features will be included in the Azure Information Protection unified labeling client whereas we’re not planning to add new features to the Azure Information Protection client.


Mixed environments are supported so you can run the Azure Information Protect client, Azure Information Protection scanner, and the Azure Information Protection unified labeling client side-by-side.

In addition, the Azure Information Protection unified labeling supports seamless upgrade from the Azure Information Protection client.


If you are an existing Azure Information Protection customer using Azure Information Protection client features that are not yet supported by the Azure Information Protection unified labeling client (for example, user-defined permissions,  HYOK, and advanced settings) we recommended that you wait for future Azure Information Protection unified labeling client releases.


Additional information


The latest client version with these new capabilities can be found here. For more detailed information, see the version release information.


You feedback is valuable and allows us to understand better what you need to help you in your information protection strategy. We encourage you to try the new features and share your feedback using our Yammer community.

Respected Contributor

Why is this being deployed into the SCC instead of the new Compliance Center? The SCC is being replaced so it does not make any sense to be adding new functionality to something that is going away.

Super Contributor

As i've received an explanation via PM i figured i will post it here for someone who was confused as myself. Old AIP client (which integrates with Office apps) was controlled via Azure portal and wasn't compatible with unified labels available in Security & Compliance. New AIP client will work with labels in SCC (presumably this administration bit will move to new Compliance center at some point) and should cover all Information Protection products/usage cases. New one is not covering all features of old one yet, but MS plans to reach 90% parity by 2019 end. Old one won't receive new features from now on.


I just wonder, when and whether this client will become an integral part of Office 365 package, so you won't have to install it additionally. Compliance seems like a must have thing nowadays, so if you install Office for all employees, all should have AIP capabilities out of the box. It's not that you only install AIP client just for a few users. This won't help with information protection, so i wish it would be shipped along with Office (less deployments to manage).

@Dean Gross , Office are gradually redirecting users from SCC to M365 compliance center . M365 compliance center has already the same configuration capabilities of unified labels and protection as you have today in SCC.

@Oleg K Office are planning  to ship built in  labeling during H2 of 2019 in office ProPlus only  (eliminated the need to install additional add in) . 

The first office built in release will contain manual labeling only. ( no recommendation or automatic labeling) 

Respected Contributor

@Maayan Naaman Rand  thanks for the quick response. Would you please update your original post to make this more clear. The O365 Admin Center has already had the link to the SCC removed and getting to that portal is harder than it should be. People need to know that they can go to the new Compliance Center to do to this.

New Contributor

Are we able to choose a separate default label in Outlook compared to other office apps in the Unified Label approach yet?


Bit of a blocker for us as our default for docs is set to internal only, so as soon as we install the new client users have to reclassify every email in order to send.

@Andrew Matthews this first GA release of AIP unified labeling client doesn't support default label in Outlook. However the plan is that our next release will support it . Configuration will be done by PSH cmdlet.

Established Member

When will the support for Office Online Apps will be included for Azure Information Protection? Release of Unified Labeling for Office 365 and Azure is great, We can now define consistent Labeling across MS cloud platforms( O365 and Azure), But without any Office Online support It is difficult to implement information protection features and encourage users to use it. We cannot open a AIP Labelled document in SharePoint online and ODFB. Microsoft rolled-out these Information protection features for cloud platforms, But have not provided minimum view/edit capabilities for Office Online apps.  How does Unified Labeling will help in Office 365, If we can't even open a labeled document from SharePoint online and ODFB? It doesn't make any sense to open each and every document of SPO and ODFB in a desktop client!! 


I have been waiting since more than a year now, I haven't seen any update on office Online support!! Users are happy to label a new document from their desktop using AIP banner in Office apps, But frustrated with unable to open/view the same document Online.





Frequent Contributor

So should we stop telling everyone about the amazing Track and revoke feature since the documentation states that has been killed off in Unified Labeling and will not be planned going forward? Before I start tweeting that Microsoft has killed Track and Revoke, I guess we all deserve a better explanation why this feature got dropped. It's been a huge selling point to show customers a graphical map of the world so they can see where their documents have been opened from, and email notifications when someone opens their document. In the past, the Yammer community was told that Track and Revoke would not be in the Office Ribbon, and the work-around would be to use it in the File Explorer, but that is also not possible now, nor planned. Say it aint so!

Features not planned to be in the Azure Information Protection unified labeling client

- Track and revoke from Office apps and File Explorer

Senior Member

@Maayan Naaman Rand Considering the features below that will NOT be supported in any future release of Unified Labeling Client, may we know for how long the "traditional" AIP Client will be supported? Honestly, MSFT is killing a set of capabilities that are KEY for end-user experience. Maybe the will be a better equivalent, but we do not have a clue about is as for now. Not supported features:

- Custom permissions in Office apps: Word, Excel, and PowerPoint - This is a killer! How to make a document to be accessible for selected domains only? Shold we create a separate label for every partner org we work with?

- Track and revoke from Office apps and File Explorer

- Information Protection bar title and tooltip

- Display the Do Not Forward button in Outlook

Hi  @Red Flag , Thank you for the feedback .

As soon as we reach 90% of feature parity between AIP unified labeling client and AIP client we will announce end of support of traditional AIP client of one year . I still don't have any specific ETA for that but will share this information with our customers as soon as we will have final dates. 

Regarding the list of features you mention that we don't plan to support in the unified labeling client , let's go over them one by one :

1) custom protection won't be available in  office but instead we will offer  in one of our next GA releases  "user defined permission" feature  .The option lets users specify who should be granted permissions and what those permissions are. You can then refine this option and choose Outlook only (the default), or Word, Excel, PowerPoint, and File Explore

2)We are working on a new track and revoke portal but there is still no ETA.

3) Information protection title and tool tip - removed due to low usage , what is your use case here ?

4)DNF button - you have an option to set DNF under "encrypt" button in office ribbon , we aligned it to the new office native built in labeling  experience which will be released in the future.

Established Member

Hi @Maayan Naaman Rand  Could you please share an ETA on when AIP support will be made available for the Office online apps ? We are unable to open AIP labelled documents uploaded in SPOnline sites and OneDrive site collections.


Any information that you can share will be helpful! 



Pradeep Padal.

Senior Member

@Maayan Naaman Rand – thank you for replying. It’s not always the case that MSFT people are open for discussing things.

Let me answer one by one, too:

  1. Custom permissions – it looks there will be an equivalent of current feature. However could you please confirm that “user defined permission” will allow to put just domain name like @mydomain and not only a specific e-mail address? This would make a huge difference.
  2. Track and revoke – good to know that some similar experience is under development; the current one is a big selling point for AIP/MIP – so be careful by removing it or by replacing it with some less convenient experience.
  3. Information Protection title and tool tip – first check the screencast (link), we need to make sure we refer to the same functionality. If yes, then there is a bunch of arguments to rethink the strategy:
    1. Title provides a simple advice for end-user WHEN to apply the specific label/protection
    2. Sublabel tip provides more detailed RESULT of applying the label/protection that are difficult to remember! There are more than few – actually 13 – different permissions to be set – PRINT/EXTRACT/DOCEDIT… Then an additional parameter for “lifecycle” of the labeled doc – like removing access after 100 days from applying the label or additionally X days after last check on RMS.

So, it helps to apply strict and specific labels for GDPR (edit or view only), internal docs or external time limited docs (like tender offers).

  1. DNF – if InfoSec is a real priority then the DNF deserves a “one click” button – that makes the protection just an “one click away” operation. Another selling point for M365 and against competitive solutions.

These are my views on InfoSec. I’m not convinced, we can really influence the direction MSFT is going. Just take it as a market insight and please cross check it with your telemetry data. But pls consider the adoption curve before you disable our key and unique selling points for info sec @MSFT.

Hi @Pradeep_Padal , I belive you are reffering to opening not just labeled documents in office online apps (which can be achieved today) but rather labeled and protected documents , Am I correct ?


Established Member

Hi @Maayan Naaman Rand  : Yes, Your correct. I am referring to Labeled and protected documents.  Below is the error message when we try to open from SPO and ODFB.



Hi Pradeep_Padal

The office online team are working for a unified solution but there is no committed ETA . I will be happy to connect you personally with the relevant conect in this team 

Hi @Red Flag  , 

custom permission - you can specify and domain not just an email .

Title and tool tip - you indeed referred to a different feature which we definitely continue to support .

DNF - will be 2 clicks away instead of one click , or you can also choose "encrypt" option in one click , under "option" office ribbon 

Senior Member

Hi @Maayan Naaman Rand re tooltip - I stil believe we talk the same functionality, at least the setup on Unified Labeling calls is "tooltip", which is the hoover option on AIP bar.


 Hi @Red Flag  , do you refer to this option ? to set label name and tooltip s? this ones are displayed for each label once hoovering on the label 

toolt tip.PNG