Unified labeling is here and it is the next step in the Microsoft Information Protection story. Each new Microsoft product and service that utilizes classification and protection capabilities (and 3rd party ones using MIP SDK capabilities) will require unified labeling. Because of this, now is the time to execute a migration to this service as there is zero risk when done properly following our recommended steps.
The primary migration plan is to migrate labels from the Azure Information Protection blade in the Azure portal to the Office 365 Security & Compliance Center, re-create your label policies and conditions, and deploy the latest unified labeling client as a new installation or as an in-place upgrade to the Azure Information Protection client (classic). If you want to understand why this is necessary and why the migration plan is not as complicated as it initially sounds, please continue to review the information contained in this blog.
Note: Unified labeling support is only available for commercial cloud tenants.
Unified labeling Migration
Back in 2016, when the Azure Information Protection client was initially released, it was the first Microsoft product that introduced labeling capabilities, which were applied on top of the already available Azure Rights Management service. The Azure Information Protection blade in the Azure portal replaced the old Azure Rights Management interface, which was available only in the Azure classic portal. At that point, Azure Information Protection was the only product in the Microsoft portfolio that supported labeling of sensitive content.
Based on customer feedback and the evolution of Office 365, a strategic decision was made to integrate Azure Information Protection labeling capabilities into Office 365 services. Because the Office 365 suite of products was managed from the Office management portals and the plan included a big initiative to integrate Azure Information Protection labeling capabilities into Office 365 and many other Microsoft and 3rd party products, a unified approach was agreed upon, which initiated these changes:
These changes led to the creation of a new label management tab, in addition to a new client that is based on the Microsoft Information Protection SDK, unlocking the availability of sensitivity labels across the complete Microsoft 365 platform.
At the time of writing this blog (August 2019), there are 2 main label management portals which are supported by different products:
As you can see, moving forward, every app and service in Microsoft that implements labeling capabilities will be using unified labeling exclusively. In addition, the Azure Information Protection client (classic) and portals are still here but not for long (a separate announcement will be published with specific plans).
Lastly, unified labeling supports advanced capabilities that aren’t available when Azure Information Protection labels are in use and are now available as part of the native integration with the Microsoft 365 platform. Some of these capabilities are:
There is no risk for end users and the production environment in migrating to unified labeling today. The migration process copies labels, but not their policies, from the Azure Information Protection backend to the Security and Compliance backend. So as long as you haven't published a unified labeling policy or deployed an application that supports unified labeling, nothing happens for end users!
So, what now? It’s time to migrate to unified labeling!
Are you a new customer who is just starting your Information Protection journey? Start with unified labeling and create your policies and labels in the Office 365 Security & Compliance Center (or the Microsoft 365 Compliance / Microsoft 365 Security portals in case you are a Microsoft 365 customer). New tenants are already enabled with unified labeling, so no action is required from your side. If no labels are already created and you wish to leverage Azure Information Protection default labels, go to the Azure Information Protection blade in the Azure portal and generate the default labels (Fig. 1). In addition, verify that your tenant is already migrated to unified labeling. If it is not, go to the unified labeling blade and activate the migration (Fig. 2).
Are you an existing Azure Information Protection customer who wishes to migrate to unified labeling? Here are the suggested steps you should perform to plan and execute the migration:
Phase 1 – Planning
Unified labels support most functionalities that are available in Azure Information Protection labels. Some functionalities are not available and some are configured differently when managed from the Security & Compliance Center. Please review the following:
If one of the documented differences impacts your end users’ behavior, please reflect this accordingly in your end user communication before deploying the latest client and publishing the unified labeling policy.
As of today (August 2019), the Azure Information Protection scanner supports only labels from the Azure Information Protection blade, but this is not a blocker as the Azure Information Protection label metadata is identical to that of unified labels.
The same applies to Azure Information Protection analytics (Preview), which is available with its full feature set in the Azure Information Protection blade but does cover analytics from the unified labeling client as well.
Phase 2 – Service migration
After you have reviewed the 1st phase, it’s time to migrate your labels to the Security & Compliance Center. It is important to mention that “Migrate” doesn’t mean you need to move away from managing labels and policies in the Azure Information Protection blade and the Azure Information Protection client (classic). This migration can happen in the background and works side by side with no additional configuration.
What happens when you migrate your labels to unified labels?
Before you activate the migration, the Azure Information Protection backend and the unified labeling backend are 2 separate services which work independently (Fig. 3). Once you activate the unified labeling migration, the labels are copied from the Azure Information Protection backend to the unified labeling backend and both services use the same backend to store labels (Fig. 4). This means that every change you make to any label in either portal is also made in the other portal.
After you activate the unified labeling migration, your labels are expected to be visible in both the Azure Information Protection blade and unified labeling page in the Security & Compliance Center (Fig 5).
Moving forward you can manage your labels in one place. After the migration, when you edit a migrated label in the Azure Information Protection blade, the same change is automatically reflected in the admin centers. However, when you edit a migrated label in the Security & Compliance Center, you must return to the Azure Information Protection blade, go to the Azure Information Protection - Unified labeling blade, and select Publish. This additional action is needed for the Azure Information Protection clients (classic) to pick up the label changes. Once you are fully migrated to the unified labeling client, you no longer need to do this step, so migrating quickly helps to reduce this administrative overhead.
As you may notice, label configuration in the Security & Compliance Center doesn’t include some of the advanced settings that could be configured using Azure Information Protection labels. These configurations are now applied to the label after its initial creation / migration using the Security and Compliance PowerShell module. Here are a few examples of these configurations:
A full list of all the advanced label settings is published here with instructions on how to apply them. Please note that these advanced label settings are supported only by the Azure Information Protection unified labeling client on Windows and not by the Office 365 built-in integration with unified labeling.
What doesn’t migrate and needs to be created separately?
Why? As mentioned earlier in this blog, policies and conditions are more flexible and have additional advanced settings. Thus, they cannot be directly translated across the services.
You should create your label policies manually in the Security & Compliance Center, so they reflect your current settings as they are configured in the Azure portal. To do so, go to the Label Policies console and create a new policy by clicking the “Publish labels” button (Fig 6). Follow the configuration steps to verify these are configured properly.
As an Azure Information Protection admin, you probably noticed that some policy configurations are not available when you configure your policy in the Security & Compliance Center. These configurations should be applied to the policy you created in the Security & Compliance Center after its initial creation, using the Security & Compliance PowerShell module. Here are a few examples of such configurations:
The full list of all the advanced policy settings is published here with instructions for how to apply them. Please note that these advanced settings (both for policies and labels) are supported only by the Azure Information Protection unified labeling client and not by the Office 365 built-in integration with unified labeling.
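The pattern for applying, verifying and removing an advanced setting on a label and on a policy, as an added example that is not part of the original blog. It assumes an already connected Security & Compliance PowerShell session; the label name `Public` and policy name `Global` are placeholders, and the setting names `color` and `EnableCustomPermissions` are taken from Microsoft's advanced-settings documentation for the unified labeling client, not from this page.

```powershell
# Added example: placeholder names, run inside a connected
# Security & Compliance PowerShell session.
$labelName  = "Public"   # placeholder label name
$policyName = "Global"   # placeholder label policy name

# Label-level advanced setting: the color shown for the label.
Set-Label -Identity $labelName -AdvancedSettings @{ color = "#40e0d0" }

# Policy-level advanced setting: turn off the custom permissions option
# for the users this policy is scoped to.
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{ EnableCustomPermissions = "False" }

# Read the settings back to confirm what the unified labeling client will receive.
(Get-Label -Identity $labelName).Settings
(Get-LabelPolicy -Identity $policyName).Settings

# To remove an advanced setting again, set the same key to an empty string:
# Set-LabelPolicy -Identity $policyName -AdvancedSettings @{ EnableCustomPermissions = "" }
```

Because these settings are honored only by the Azure Information Protection unified labeling client, reading them back confirms the service-side value but says nothing about how the Office built-in labeling will behave.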
Important Note: If you use Microsoft Cloud App Security and Azure Information Protection labels (or intend to do so in the future), verify you have published at least 1 policy with a minimal set of labels, even if this is scoped to a single user. This is required for Microsoft Cloud App Security to identify all labels in the Security & Compliance Center and show them in the Microsoft Cloud App Security portal.
Label conditions should be created manually under each unified label as they are far more flexible than their Azure portal counterparts. By the way, if you already have custom sensitive information types that were built to use with Office 365 DLP or Microsoft Cloud App Security, you can apply them as-is to a unified label with simple configuration. Read our official documentation on how to create automated and recommended rules for unified labeling.
Label translations can be configured, once labels are migrated, with the Security & Compliance PowerShell module, using the Set-Label cmdlet with the -LocaleSettings parameter. Please note that translations are supported only for labels and only with the Azure Information Protection unified labeling client.
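A worked example of the -LocaleSettings call described above, added here and not taken from the original blog. It assumes an already connected Security & Compliance PowerShell session; the label name `Public`, the locales and the translated strings are placeholder values, and `New-LocaleSetting` is a hypothetical helper defined in the block.

```powershell
# Added example: placeholder label name and translations.
$label     = "Public"
$languages = @("fr-fr", "it-it", "de-de")
$names     = @("Publique", "Pubblico", "Oeffentlich")
$tooltips  = @("Texte français", "Testo italiano", "Deutscher Text")

# Hypothetical helper: builds the JSON string that -LocaleSettings expects
# for one property (DisplayName or Tooltip) across several locales.
function New-LocaleSetting {
    param(
        [Parameter(Mandatory)] [string]   $LocaleKey,
        [Parameter(Mandatory)] [string[]] $Locales,
        [Parameter(Mandatory)] [string[]] $Values
    )
    if ($Locales.Count -ne $Values.Count) {
        throw "Each locale needs exactly one translated value for $LocaleKey."
    }
    $settings = for ($i = 0; $i -lt $Locales.Count; $i++) {
        @{ key = $Locales[$i]; Value = $Values[$i] }
    }
    [PSCustomObject]@{ LocaleKey = $LocaleKey; Settings = @($settings) } |
        ConvertTo-Json -Depth 3 -Compress
}

$displayNameJson = New-LocaleSetting -LocaleKey 'DisplayName' -Locales $languages -Values $names
$tooltipJson     = New-LocaleSetting -LocaleKey 'Tooltip'     -Locales $languages -Values $tooltips

# Apply both translation sets to the migrated label in one call.
Set-Label -Identity $label -LocaleSettings $displayNameJson, $tooltipJson

# Read the translations back to confirm they were stored on the label.
(Get-Label -Identity $label).LocaleSettings
```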
Phase 3 – Client deployment
The last part is to verify that end users will be able to get the unified labeling policy and labels. For this they need a supported client that knows how to connect to the Security & Compliance backend and pull the unified labeling policy.
For Windows Office 365 and perpetual versions of Office clients (2010, 2013, 2016, 2019), install the Azure Information Protection unified labeling client, which can be downloaded from http://aka.ms/aipclient (verify you download the AzInfoProtection_ul.exe file). If you currently have the Azure Information Protection client (classic) deployed, installing the unified labeling client will perform an in-place upgrade. In the future, unified labeling will be built in to Office 365 for Windows. Once this is released, a separate announcement and documentation will be published to plan the move from add-in based labeling to built-in Office capabilities. Please note that for end users this transition will be seamless, so there is no need to delay deployment of the unified labeling client.
For MacOS, iOS, Android (and additional applications that are mentioned as “Coming Soon” earlier in this blog), no action is needed beyond publishing the unified labeling policy. These clients natively support unified labeling and will enable the Sensitivity button automatically when a policy is published. Click here to read how to apply a sensitivity label in each platform that supports built-in labeling.
See the following screenshots (Fig. 7) that describe the experience across multiple platforms. You can also see this in the latest official documentation.
If you published your labels and the clients that have built-in support do not show the “Sensitivity” button, review the troubleshooting guide that covers this topic.
The main difference for end users who use the classic client for Azure Information Protection today and move to the unified labeling client is the new “Sensitivity” button that replaces the “Protect” button (Fig. 8). The functionality and experience to apply labels remains the same, with the vertical bar across all platforms and with the horizontal bar which is exclusive to the Azure Information Protection unified labeling client in Windows.
That’s it! Once you have performed the steps mentioned above, you have completed your migration to unified labeling and are now ready for the future and the exciting updates that will be available soon across the Microsoft 365 platform!
You can manage labels in one place, which is the unified labeling console in the Office 365 Security & Compliance Center. The only reason you may still need to use the Azure portal for Azure Information Protection is to manage the Azure Information Protection scanner and to monitor label activities using Azure Information Protection analytics.
If you have questions or want to follow up on the latest updates from Microsoft Information Protection, please review these resources: