Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Announcing the availability of unified labeling management in the Security & Compliance Center
Published Sep 26 2018 08:00 AM 56.2K Views
Microsoft

Companies across all different industries and regulatory environments have a need to manage the lifecycle of their data – keeping sensitive data secure and ensuring that their data and records are governed in accordance with compliance requirements – all the while ensuring end-user productivity isn’t hindered. More than ever, users share and move their data across devices, apps, and services. This has made protecting important data even more challenging.

 

In our Information Protection blog we announced a new unified labeling experience in the Security & Compliance Center. With unified labels, you have a single place to manage sensitivity labels that help classify and protect your sensitive data, as well as manage retention labels that help govern the lifecycle of your data (e.g. data retention and expiration). With this update also comes interoperability between Azure Information Protection labels and labels in Office 365. This means, for example, if you have content labeled by Azure Information Protection, you won’t need to reclassify or relabel your content. With unified labels, you can assign multiple labels to a single file, helping ensure your sensitive information is protected while it’s also controlled according to your governance needs.

 

MIPlabelSCC.png

The new unified label management experience in the Security & Compliance Center

 

Getting started with sensitivity labels

Getting started with sensitivity labels is an easy two-step process. First, you want to establish your taxonomy for defining different levels of sensitive content. You should use common names or terms that make sense to your end-users. For example, many customers start with labels such as Personal, Public, General, Confidential, and Highly Confidential. Then, configure the protection settings you want associated with each label. For example, lower sensitivity content (e.g. a “General” label) might have content watermarking or header/footers applied, while higher sensitivity content (e.g. a “Confidential” label) may have access controls and encryption applied to ensure only privileged users can access it. After you define your organization’s labels, you “publish” a label policy that controls which labels users can assign to their content – and this also makes labels available in Office apps and other services. More detailed instructions are available directly in the product help at https://aka.ms/manageMIP.

 

Guidance for customers using Azure Information Protection labels

The new unified labelling is designed to interoperate with Azure Information Protection labels. If you have content that’s already been labeled by Azure Information Protection, you won’t need to re-classify or re-label it. We have made it easy to merge and re-use your existing Azure Information Protection labels with the new unified labelling in the Security & Compliance Center.

 

Azure Information Protection users are currently able to classify and label content on Windows using the Azure Information Protection add-in for Office. Customers have long requested the need for classification and labelling on other platform, and today we’re announcing a public preview for existing Azure Information Protection customers – the ability to migrate Azure Information Protection labels to the unified labeling in the Security & Compliance Center. Get started today with the preview versions of the Office apps that support native labeling (as described in our Information Protection blog). To prevent confusion, we recommend you avoid creating labels in the Security & Compliance Center. Our documentation has important information and some specific caveats – you can find out more on the Azure Information Protection portal. If you are not yet ready to migrate your production tenants to unified labels then there is no cause for concern; for the moment, your users can continue using the Azure Information Protection client and admins can use the Azure portal for management. The new reporting and analytics capabilities in Azure Information Protection are also available in public preview in the Azure portal.

 

Together, these updates for Azure Information Protection represent another step towards a complete data protection strategy. Get started today!

 

The Microsoft Information Protection team

34 Comments

Ahem, we've been waiting for this for an year now, we can wait few more days/weeks, but maybe you should be a bit more specific as to when it's expected to be rolled out. As it is NOT currently available in any of the dozen or so tenants I work with.

Microsoft
Hi Vasil, thanks for your interest in our new unified labeling capabilities! 
 
All North America customers should now have access to the feature from the Office 365 Security and Compliance Center. Is your tenant in North America? 
If not, it may take (at most) a few weeks before the rollout completes saturation for all regions. We're anxious to see this released, and will plan to post an update to this blog as soon as the WW roll out completes.
 
Thanks,
/Mas

Again with that NA stuff... annoying :) Guess I'll wait, and thanks for clarifying.

When will it become available in Japanese version?

I can find them on Home tabs, but cannot click them now.

 

Microsoft

Hi Akio - we'll post an update as soon as its available, I assure you! Just a few more days ....

Thanks.

Looking forward to announcing from you.

Brass Contributor

@Mas Libman so once i see the Sensitivity tab in my EU tenants i should be able to go in to https://portal.azure.com/?ActivateMigration=true#blade/Microsoft_Azure_InformationProtection/DataCla... and activate unified labeling?

 

 

Brass Contributor

Is this available in the GCC or GCC High? 

Microsoft

Hey everyone - circling back real quick to confirm that all regions are now enabled for Sensitivity labels!! Just open the Security and Compliance Center, click Classification --> Labels, and look for the "Sensitivity tab".

 

@Eric Schrader We're working on GCC/etc rollout as quickly as we can, but don't have an ETA yet when it will be ready.

@Tommy Clarke - Yes, that's the expected process.

 

 

 

 

Copper Contributor

@Mas Libman Hi Mas, a couple of questions if that's OK?

 

Will published labels appear in OWA? under the Encrypt button?

Will published labels appear in Outlook under the Encrypt / Permissions button?

Will the watermark option for content apply to emails as well? or just documents?

 

Thanks

 

Ben.

Microsoft

Hi @Ben Harris I suggest taking a look at our product documentation that should answer most of your questions: http://aka.ms/managemip as well as further details on Office client behavior here: https://support.office.com/en-us/article/apply-sensitivity-labels-to-your-documents-and-email-within...

Iron Contributor

Hello @Mas Libman - Are there any plans to apply unified labels to Office 365 Groups? I recently migrated my AIP labels to Office 365 Security and Compliance Center and now they are in-sync (in preview feature). However, I still see that my Office 365 Group classification labels are standalone settings and disconnected from the unified labeling. And I do not see anything on the road map, is this something in the works still? 

 

Providing a sample screenshot to be clear of which classification I am talking about. O365 Group Data Classification.jpg

 

 

Ali. 

Iron Contributor

 

@Ali Salih I also have the same question given the above settings are only for "Unified  Groups".  Surely we want to do something similar for our newly provisioned Hub and Communication sites? Why can't all this be in done in a Site Design on PnP Provisioning template? 

Iron Contributor

@Daniel Westerdale- I checked with couple folks and re-watched BRK2137 - Embrace Office 365 Groups: What's new and how to get started, and the Unified Labeling is definitely in the works for Office 365 Groups classification. You can see it in action towards the end of the video as well. However, no ETA yet. 

Iron Contributor

Good call @Ali Salih I have now watched BRK2137  a couple of times and getting used to Christophe's speed talking!  Interesting about the use of labels in groups which seems to do that they described ealier custom jobs as in if Category =  Highly confidential then 

 

 

Set-SPOSite -Identity $siteUrl -SharingCapability Disabled

I think we will want this even for internal team members as we would rather they were participating in the team site from within - another reason not to mirror departments but to represent cross-team business functions..

 

 

Just got the sequel lined up to watch:  https://myignite.techcommunity.microsoft.com/sessions/66487

Iron Contributor

Hey @Mas Libman - Would you be so kind and provide an update for us about how Unified Labeling vs. Data Classification is being positioned?

 

Is it safe to assume that data classification property is less significant to use now, since it was just a "string" field, while with MIP labels -which I am guessing that will replace Data Classification labels- will be actionable labels. I don't want to assume. Please let us know! 

Microsoft

Hi Ali,

 

For the scenario where the customer wants to assign a classification that persists with their data, I would advocate using our Unified Labeling solution instead of Exchange Data Classifiers. Unified labels provide a more holistic approach thats support a broader set of content types (docs, emails, data) and we will continue to invest in the apps and services that can interop with our Unified Labeling solution. Of course, customers can continue to use Data Classifiers - e.g. if they have a technical need that is not yet supported with unified labels. (And if there are gaps preventing them from moving to Unified Labels - please do share the feedback with us!)

 

thanks

 

/Mas

Brass Contributor

Are there any plans to implement the advanced features of AIP to Unified Labelling?

We have enabled Unified Labelling for our tenant and migrated our AIP labels to SCC but some features such as the Automatic/recommended classification of files based on PPI in document aren’t working?

I am currently using the Azure Information Protection unified labelling client for Windows on client devices.

I know that Unified Labelling cannot be disabled currently but we were very impressed by the automatic features of AIP labels and disappointed that the functionality is missing.

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels#consid...

Thanks,
Mark.

Brass Contributor

Any idea on when the client will move from Preview to production? ETA would be great! :)

Copper Contributor

It is a shame that DLP policy cannot use the Sensitivity labels in the same way retention labels can, are there any plans for this?

Microsoft

Hi Andrea - thanks for the feedback. Yes, we have DLP support for Sensitivity labels on our roadmap! Can you expand a bit on your top-scenarios for Sensitivity label support in DLP? What kind of content, and where is it stored/shared?

Copper Contributor

Thanks Mas that is good news! We have migrated our AIP labels to O365 Security & Compliance and have been testing with the Unified Client.  I was thinking that I could then create a DLP policy using them.  For example on a 'Secret' sensitivity label it would be great to have a Mail/Policy tip warning that a document (word, excel, pdf) is being emailed/shared externally or internally and either being able to prevent it being sent or have the option to override.  Therefore also having a log of who shared what and when.  I notice I could create a retention label with no retention to achieve this for OneDrive and SharePoint but then I would have duplicate labels that have to be applied in OneDrive and SharePoint online and not through Word or Excel and it does not support emails.

Copper Contributor

As i can see, currently unified labels do support auto classification for retention labels.

Is there any update on when the "Auto Classification feature" will be available for sensitivity labels? 

 

For a client we consider to make use of the unified labels, but only when auto classification on sensitivity labels is general available....

Microsoft

Thanks Andrea - our goal is to allow you to use labels in DLP consistently/uniformly across Office 365, and our upcoming investments will address your asks around visibility - who\when is labeled content shared - as well as the ability to trigger tips in Outlook. Are you using Retention labels to show Policy tips in SPO currently?

Microsoft

Hi Shane - Office on Mac, iOS and Android is with native labeling capabilities are currently available in "Prod"! here's a link to the blog announcement: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/New-labeling-capabilities-in-... 

Brass Contributor

Thanks @Mas Libman. I've been advised that there will be another preview of the unified labelling client (Windows) in Fed-March with GA around April.

 

Still awaiting the rest of the features that are yet to come to make it a uniform experience.

 

Also noticed that content that has been labelled isn't being picked up in the Data Governance dashboard - How labels were applied.

Copper Contributor

Thanks @Mas Libman that is good news, no we are not yet using retention labels and therefore not using tips in SharePoint, they are however very useful and we have plans to use them in the near future although I think our users would prefer to set retention within the document like sensitivity.  We do use DLP rules which are great with mail tips (bit slow to appear sometimes!).  We currently do not allow sharing externally with SharePoint so tips in SharePoint have been less important again we may look to change this in the future.

Iron Contributor

In the case of tenants who are  currently using  AIP classic labelling and want to move to the new AIP unified labelling: Is it mandatory to Activate  the Unified labelling status? 

 

Activate Unfied labelling.PNG

 

 

Microsoft

Hi @Daniel Westerdale - yes, you must activate unified labeling before you can use the new unified labeling plugin with your existing/classic AIP labels.

Iron Contributor

Understood, @Mas Libman. Finally, can I also simply add new sensitivity labels in Office 365 to work with the new UL client as an early pre test prior to activation. 

Microsoft

@Daniel Westerdale Yes, you could postpone activation and create "test" labels in SCC, however I suggest activating first, and then create test labels. This assures you don't create inadvertent conflicts, and you can test the labels across all supported clients. https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels

Iron Contributor

 

@Mas Libman  Thanks for your reply which is timely, as I have just been given the go ahead to Activate in our test Azure environment . Once I have migrated the labels and policies, I will be repeating the usability testing on behalf or our users. Thanks again for your responses

Brass Contributor
@Mas Libman - Thank you for keeping this thread alive. One of my customers is having a problem. They are GCC (not High) and we are helping this test things in a small tenant where all users have G5 and EMS G5 licensed. UL Sensitivity Labels are available in S&C, and have been configured. They work correctly on Windows machines with the UL client loaded, but they do not work correctly on Mac machines. Below is are some (I hope) relevant bits of information that lead me to ask: Are UL labels supposed to be working in GCC? - The Unified Labeling activation (for label sync between classic and UL) is not present in the Azure portal. We've been told that the sync is not available for GCC, yet, but that UL sensitivity labels should work fine. - Every UL label that is not set for user permissions shows up in the Protection Templates in Azure (not in the labels, of course, as there is no sync running). I hope what I'm trying to say makes sense. For example, we have a head label called "Sensitive Information". A sub-label under that called "Sensitive Information - Company Users" that applies encryption allowing anyone in our company access to the file. We have another sub-label called "Sensitive Information - Custom" that lets the user choose the permissions when they apply the label. All of this is configured in UL. The "Sensitive Information - Company" label shows up as a Protection Template in Azure (the name shows up as a combination of the head label and the sub-label. "Sensitive Information - Sensitive Information - Company Users" in this example). The "Custom" label in UL does NOT show up in the Azure AIP Protection Template section. - There are no labels configured in Azure (there *were* labels, but we deleted them before configuring the UL labels) - In Mac Office apps, there is no Sensitivity button on display at all. We have even signed out of Office and signed back in (multiple Macs are experiencing this, all have Office 2019 pointed to the tenant). - In Mac Office apps, the "Protection" button will show what's contained in the Azure AIP Protection Template section (which lists the non-custom labels we defined in UL). We have a premier ticket open, but the going has been slow. I thought I would post here and just ask the general question around whether or not UL was supposed to be working in GCC. Thanks in advance.
Copper Contributor

 

@Mas Libman, you mentioned in feb 2019 that sensitivity labels is on the roadmap, however looking for it, it is not there.
As we migrated recently to Unified Labels, to be able to use them across the 
platform, it is a big pity that DLP still cannot handle it.
 
 
 Any ETA known?
 
Version history
Last update:
‎Oct 12 2018 01:35 PM
Updated by: