Classification and labeling solutions are important tools for organizations to get control over their data, understand where their data resides, the sensitivity of documents and apply actions based on the information’s sensitivity, such as applying encryption.
Some of organizations have already implemented classification and labeling solutions in the past for their unstructured documents (like Secure Islands IQP for example) and are now looking to migrate from another labeling solution to Azure Information Protection to enjoy the benefit of having a labeling solution that is highly integrated with their Office 365 environment and integrates with a growing ecosystem of 3rd-party solutions, such as Adobe Acrobat reader, among many others.
For such organizations it’s important to have the ability to leverage the existing labeled documents and have these labels automatically converted to the labeling used in Azure Information Protection.
Usually the document label is stored as metadata in the form of a Custom Property within the document itself.
The Azure Information Protection client can be configured to pick-up the Custom Property, and Azure Information Protection admins can create a mapping between the old labels and the new Azure Information Protection labels.
There are a few things you should be aware of when implementing this:
When setting up the below configuration, the new Azure Information Protection label is applied by the Azure Information Protection client as follows:
Mapping old labels to Azure Information Protection labels in documents
To be able to setup a mapping between the old labels and the new Azure Information Protection labels, the admin should follow these steps:
Identify the Custom Properties added by the old labeling solution
Define the logical mapping between the old labels by the Custom Property and the new Azure Information Protection labels by the Azure Information Protection label ID.
Repeat this for each label in the target and source tenant you wish to create a mapping for.
Old label Custom Property Name |
Old label Custom Property Value (Old label name) |
Azure Information Protection equivalent label name |
Azure Information Protection equivalent label ID |
Classification |
Public |
Public |
11ba5c36-b7cf-1234-bbc2-bd5b3a9f9511 |
Classification |
Internal |
General |
22ba5c36-b7cf-1234-bbc2-bd5b3a9f9522 |
Classification |
Confidential |
Confidential |
33ba5c36-b7cf-1234-bbc2-bd5b3a9f9533 |
Classification |
Secret |
Highly Confidential |
44ba5c36-b7cf-1234-bbc2-bd5b3a9f9544 |
Configure the Azure Information Protection Advanced Settings to identify the old labels and apply the new Azure Information Protection labels.
This configuration requires you to specify an advanced client setting named LabelbyCustomProperty for each Azure Information Protection label that you want to map to the old label. Then for each entry, set the value by using the following syntax:
[Azure Information Protection label ID],[migration rule name],[Old custom property name],[Specific label name OR Regex value matching the old custom property values (label names)]
In our example we will create 4 new Advanced Setting entries – one for each of the labels.
Specify your choice of a migration rule name. Use a descriptive name that helps you to identify how one or more labels from your previous labeling solution should be mapped to an Azure Information Protection label. The name displays in the scanner reports and in Event Viewer.
To configure the Azure Information Protection Advanced setting:
Advanced Setting Name |
Value |
LabelbyCustomProperty |
11ba5c36-b7cf-1234-bbc2-bd5b3a9f9511,"Old Public label mapping",Classification,Public |
LabelbyCustomProperty |
22ba5c36-b7cf-1234-bbc2-bd5b3a9f9522,"Old Internal label mapping",Classification,Internal |
LabelbyCustomProperty |
33ba5c36-b7cf-1234-bbc2-bd5b3a9f9533,"Old Confidential label mapping",Classification,Confidential |
LabelbyCustomProperty |
44ba5c36-b7cf-1234-bbc2-bd5b3a9f9544,"Old Secret label mapping",Classification,Secret |
Advanced label mapping settings
In the above example we have presented the most common migration scenario we see configured (1-to-1 mapping between the old label taxonomy and the new Azure Information Protection label).
Although this is relevant for most organizations, sometimes there are cases in which an organization has more than 1 label from the old taxonomy that they would like to associate with a specific Azure Information Protection label.
Usually this situation is one of two scenarios:
For such cases, the Azure Information Protection Advanced Settings supports a Regex value that can be configured to map all labels that start with “Confidential” to a specific Azure Information Protection label by using the “.*” wildcard at the end.
[Azure Information Protection label ID],[migration rule name],[Old custom property name],[Specific label name OR Regex value matching the old custom property values (label names)]
Advanced Setting Name |
Value |
LabelbyCustomProperty |
11ba5c36-b7cf-1234-bbc2-bd5b3a9f9511,"Old Confidential label mapping",Classification,Confidential.* |
In our example we will associate such labels with the “Secret” label. For such a scenario, you should add another Advanced Setting entry to map each of these labels to the “Secret” label.
Advanced Setting Name |
Value |
LabelbyCustomProperty |
11ba5c36-b7cf-1234-bbc2-bd5b3a9f9511,"Old PCI label mapping",Classification,PCI |
LabelbyCustomProperty |
11ba5c36-b7cf-1234-bbc2-bd5b3a9f9511,"Old PII label mapping",Classification,PII |
LabelbyCustomProperty |
11ba5c36-b7cf-1234-bbc2-bd5b3a9f9511,"Old ProjectX label mapping",Classification,ProjectX |
Conclusion
Azure Information Protection enables you to easily migrate from a previous labeling\tagging solution to Azure Information protection by following the instructions above.
We recommend getting started with testing first the migration process with Azure Information Protection labels without protection action associate to it on a small set of users by using the scoped policies. After testing the migration process on small set of documents and users and found it working as you expect you can associate a protection action if needed.
Thanks,
The Information Protection Customer Experience Engineering Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.