Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Announcing timelines for sunsetting label management in the Azure portal and AIP client (classic)
Published Mar 12 2020 09:33 PM 77K Views
Microsoft

At Microsoft, our goal is to provide a built-in, intelligent, unified and extensible solution to protect sensitive data across your digital estate – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Information Protection (MIP), we are building a unified set of capabilities for classification, labeling and protection not only in Office apps, but also in other popular productivity services where information resides (e.g., SharePoint Online, Exchange Online, Power BI).

Over the past year, we consistently delivered built-in capabilities in MIP. You can now use built-in labels to protect documents and emails in the latest Office apps (Word, PowerPoint, Excel, Outlook) on all platforms including the web, iOS, Android, Mac, and Windows. Built-in labeling experiences with MIP provide a variety of benefits over a client plug-in including:

  • Greater protection coverage: Available for Office apps on Windows, web, Mac, Android and iOS 
  • Lower maintenance costs: No need to deploy/update additional software
  • Better performance: Office apps launch faster as there is no need to load add-ins

A single portal – the Microsoft 365 compliance center – unifies labeling and protection policy management across Azure Information Protection (AIP), Office 365 and Windows.

In this blog, we will cover (1) The new unified labeling client (2) Timelines to sunset label management in the Azure portal and AIP client (classic) and (3) A step-by-step guide to help you transition to MIP.

 

New features in the unified labeling client (now available)

Since the release of the unified labeling client version in October 2019, we have seen strong customer adoption. Customer feedback also indicated strong interest in features such as on-premises scanner, dynamic and per app content marking, etc. The new unified labeling client version now addresses these requests to further enable you to transition to the unified labeling platform.

New features in the unified labeling client include support for dynamic content marking and pre-app content marking, support for customizable policy tips for automatic and recommended labels, support for offline labeling, and improvement for migration from third-party solutions to sensitivity labeling. More detailed information on these new features can be found in the client release version history.

In addition, this unified labeling client includes the unified labeling scanner for on-premises data discovery that provides more accurate and flexible data classification by extending support to custom information types, complex conditions, and dictionaries. Scanner deployments can now easily scale out by creating scanner pools. For more information about these features, read this blog. Refer to this webinar to learn more about moving to unified labeling.

 

Timelines to sunset label management in the Azure portal and AIP client (classic)

With label management in the Microsoft 365 compliance center now at parity with the AIP portal experience, we are announcing that we will sunset label management in the Azure portal as of March 31, 2021. This extended timeframe will give customers currently using the Azure portal more than twelve months to transition to MIP’s unified labeling platform where the existing AIP value will continue to be fully supported. We are also announcing that the AIP client (classic) will be sunsetting on March 31, 2021. Again, this extended timeframe allows customers currently using the classic client more than a year to transition to either built-in labeling on Office ProPlus or the new unified labeling client.

 

Step by step guide to transition to MIP

If you are an existing AIP customer, we recommend the following steps to transition to MIP:

  1. Activate unified labeling from the Azure portal and migrate labels to the Microsoft 365 compliance center to apply policies uniformly across on-premises, Microsoft 365 cloud services and more. This transition has no impact on existing AIP clients, and administrators can perform this step right away. The process takes only a few minutes, depending on the number of labels and complexity
  2. Copy your policies to the Microsoft 365 compliance center or create new policies there
  3. Publish your labels with label policies from the Microsoft 365 compliance center
  4. Download the latest unified labeling client for Windows if you are not yet fully on Office 365 ProPlus
  5. Train end users to apply labels and protection in Office applications across web, Mac, iOS, Android and Windows. Read this article to know which labeling capabilities are available across platforms

Learn more about transitioning from Azure Information Protection to the unified labeling platform in this blog post, and get detailed instructions on how to migrate here.

Once you transition from the Azure portal to the Microsoft 365 compliance center, we recommend that you take advantage of the built-in labeling in the latest Office apps in web, Mac, iOS and Android. On the Windows platform, we suggest you use our built-in labeling capabilities in Office ProPlus apps as well. However, if you are not on Office 365 ProPlus fully yet, or need certain advanced capabilities listed here, we recommend using the latest unified labeling client for Windows.

 

Extended support for the AIP classic client

Some customers may need features (e.g. ability for admins to track and revoke protected documents, logging events to Windows event log on set/remove label, holding your own key for content decryption) that are not yet in the latest release of the unified client. Users of the classic client who feel blocked from transitioning to the unified labeling platform can ask for extended support for the classic client. To be eligible, customers must have actively used one or more blocking feature in the past 90 days and must have completed migration of labels from the Azure portal to the Microsoft 365 compliance center. File for extended support before September 30, 2020 to be eligible for extension consideration. 

 

Important notice for GCC customers

We expect unified labeling will be available to Office 365 U.S. Government Community (GCC) services in the second half of 2020. Meanwhile GCC customers who own licenses for AIP will receive continued support for the classic client for 12 months after the general availability of unified labeling for GCC cloud. Extended support requests for GCC customers are not required.

We are excited about our own journey with Microsoft Information Protection and look forward to continuing to deliver this industry-leading solution to our customers.

25 Comments
Brass Contributor

Thank you for providing some urgency for migration to MIP. We have been testing it and there's still some gaps that Microsoft should address,

- Including the DNF in the Outlook ribbon as part of the AIP UL client

- Support for custom permission labels in the mobile apps and web clients

- Support for track and revoke functionality

Microsoft

Thanks Nitin for raising these questions.

See below answer for point by point:

  • Currently there is no plan to bring DNF button to the UL client because we align the end user experience on the UL client with what is available on all platforms.
  • We discourage usage of customer permissions, you should use User defined permissions instead. There is no plan to bring this to UL client. If you must set custom permission without a label that allows it, you can use Office legacy UI to set restricted permissions on the file.
  • Track and revoke functionality for documents protected using UL client or built in labeling is currently in design and we plan to open it to public preview later this year.
Copper Contributor

Coincidentally, these three were exactly the ones a customer yesterday asked for. Especially the DNF button is highly adopted and used by the endusers.

Copper Contributor

Hi

 

Will this affect previuos created AIP labels? I use one important RMS template in one off our transportrule to give members in shared mailbox right to read encrypted mail to shared mailbox. Will the RMS template stop working?

 

Please mail me the answer on this adress bjorn.carlsson@intraservice.goteborg.se

 

/Björn Carlson

Microsoft

There is no impact on existing labels in the documents or on RMS templates. If you activate unified labeling in Azure portal you make all workloads that use labels (SPO, Power BI etc.) ware of your AIP labels and GUIDs are preserved. 

Copper Contributor

I want to change default label settings in Mac Outlook.
But, I know the Mac doesn't support it yet.
I am currently using custom configurations from classic (feature name: OutlookDefaultLabel)
Does this feature have a roadmap?

Microsoft

This feature is supported in AIP client only. Built-in labeling currently does not support different settings per app including different default for outlook. You are not the first one that asked for this and this is on our backlog, but there is no any committed roadmap that  can share.

Copper Contributor

When will SharePoint graduate from IRM to RMS to AIP to MIP? Seems like it's been forgotten with all this user-experience work being done, but SharePoint IRM produces PDFs that can't be used hardly anywhere. 

Microsoft

@John Pell  - SPO integration with MIP is in public preview: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-fil.... It allows SPO to start reasoning over labeled and encrypted files, support co-auth in Web Apps (rich clients are on their way yo support co-auth for encrypted files).
Auto labeling for SPO data was just opened in public preview. Read more at https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/announcing-public-preview-of-...

PDF protection format is know gap and it's on our backlog. No dates can shared around this right now.

 

Brass Contributor

@Denis Mizetski Thanks for the detailed replies. On your reply "....you should use User defined permissions instead" - we have setup a label with user defined permissions. It works well via the desktop clients (W/E/P) but if I try Mobile app or web, it's either not visible at all or tells me "You can only apply this sensitivity label with Office 365 desktop apps...". Any plans for that to change and be available?

Microsoft

User defined permissions or as they are named in M365S&C Let users assign permissions are supported in built-in labeling in Office on Windows and Mac. Brining this to more platforms is on the backlog, but I do not have timelines that I can share. 

Copper Contributor
Copper Contributor

@Denis Mizetski 

 

Hi can you please confirm or correct my understanding of Sharepoint IRM / AIP and protected PDF files.

When Sharepoint IRM capability is use a .ppdf document is created with the .pdf extension

When Azure AIP unified labelling is used a .pdf (IRM v2) ISO compliant PDF file is created

 

What happens when i use labelling from Azure AIP to classify and protect a document in Sharepoint? (with no IRM enabled on the document library)

 

Do i get the older .ppdf file format.. or the IRM v2 (ISO ) compliant PDF file? 

If i upload the file to the Sharepoint document library how long until the file is protected ? (ie if someone tries to download it straight away is it possible they will be able to do that before the classification is applied? 

Microsoft

No, when SPO applies encryption on PDF it applies different protection format. It;s not ppdf. 

You cannot use AIP to apply lebel a file in SPO, but you can label it before and then upload. There is a preview that enables SPO reason over Office files, but not pdf files. Pdf files protected using AIP will be "bricked" and will not be "indexable" in SPO.

Copper Contributor

@Denis Mizetski  

I have to share protected pdf files with an external party.. i was going to host the file on Sharepoint (it does not need to be indexable or editable etc) .. i want to use the new ISO format so they can open it in Adobe PDF viewer (with the ISO Protected PDF plugin).  

 

Whats the best way to encrypt it? Obviously i could run the AIP client on the file.. but id rather do that "as a service" or automatically..is there any way to AIP protect a file .. without installing AIP onto a server (a lot of hassle and not scalable)? 

 

I thought i would be able to label the file.. then put it onto a file store or Office location then have the AIP scanner label encrypt it automatically.. is there really no way to do this? 

Microsoft

I assume the this is SPO and not on-premises SP. Then you cannot use scanner or PowerShell. You will need to wait until PDFv2 is brought to SPO and until then use client. 

Copper Contributor

How about own key for content decryption? This is very important feature for us. Miss of this feature blocks our AIP integration. We are afraid about our information if something happens with Microsoft and we can not decrypt them.

Copper Contributor

Can we get some clear direction.... does this change the commitment for Microsoft to support traditional protection for PDF files with the older PPDF format..or decrypt them? 

Microsoft

Xeonkeeper - for you point this is valid point, but not related to deprecation of the classic client, so I recommend you to work with your CxE on cloud exist strategy.

GlennDPC - UL client supports consumption of both PPDFs and encrypted PDFs. Saying that there is no plan tp allow UL client to create new PPDF files. Out guidance is to use new encrypted PDF format that is also recognizable by Adobe and Edge Chromium

Copper Contributor

@Denis Mizetski  You say that its "recognizble" by Edge Chromium, how to i open the new PDF format in Edge Chromium? I can open it in Adobe PDF with the plugin ...  but when i try open the file in Edge Chromium i get told to download pdf reader that supports the new protection standard. 

Microsoft

As listed at https://docs.microsoft.com/en-us/azure/information-protection/rms-client/protected-pdf-readers#using... Edge supports protected PDFs. You should verify you signed in to Edge with the right credentials. If this is the case and you use latest Edge browser and still experience an issue I would recommend to work with support to troubleshoot.

Copper Contributor

Hello,

What happens with the Screen captures? Because with AIP I can't take the screen capture but with the migrated labels I can.

Regards.

Microsoft

Neocless - can you please clarify where you can take the screens shots with UL client while it is blocked in the classic client?

Copper Contributor

@Denis Mizetski  - Office applications.

Brass Contributor

Hi,
Will screenshot prevention be supported on MacOS soon? We just learned that Mac users can screenshot AIP protected emails and documents even with View-only permissions.

Version history
Last update:
‎May 11 2021 02:03 PM
Updated by: