Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
The Azure Information Protection unified labeling client is now generally available
Published Apr 16 2019 02:19 AM 25.4K Views

At the Microsoft Ignite conference in September 2018, we announced the unified labeling platform. Since then, we’ve released public previews of the Azure Information Protection unified labeling client. Today we’re announcing that the Azure Information Protection unified labeling client is now generally available (GA), and we encourage you to start using it in your production environment.

 

Getting started

Releasing the Azure Information Protection unified labeling client is an important step towards enhancing the integration across Microsoft Information Protection solutions. This enables admins to manage all workloads from one admin center, the Office 365 Security & Compliance Center like all other Microsoft Information Protection workloads, including configuring and managing your sensitivity labels and protection policies.

 

The new unified labeling client includes several features to help you better protect your sensitive information, such as end-user driven manual labeling, automatic labeling and recommended labeling.

 

The unified labeling client is fully aligned with the 90+ sensitive information types found in the Microsoft 365 Compliance center and also supports custom sensitive information types, keyword dictionaries and complex conditions:

 

  • Custom sensitive information types allow you to create your own information types such as employee ID numbers, add keywords and set custom confidence levels.
  • Keyword dictionaries – admins can upload their own dictionary of terms that they want to automatically detect in documents and emails.
  • Complex conditions - allows you to use grouping and logical operators (AND, OR); you choose the logical operator between the sensitive information types within a group and between the groups.

condition.png

Figure 1: Setting complex conditions for automatic labeling

 

These new capabilities help you to reduce the number of false positives, make your conditions more flexible, and make automatic labeling much more accurate.

 

Which client is right for me?

 

New customers: start with the Azure Information Protection unified labeling client.

Existing Azure Information Protection customers: review the comparisons between the Azure Information Protection client and the Azure Information Protection unified labeling client, in addition to the list of  unsupported features and choose the client that meets your business requirements.  

 

Note that going forward new features will be included in the Azure Information Protection unified labeling client whereas we’re not planning to add new features to the Azure Information Protection client.

 

Mixed environments are supported so you can run the Azure Information Protect client, Azure Information Protection scanner, and the Azure Information Protection unified labeling client side-by-side.

In addition, the Azure Information Protection unified labeling supports seamless upgrade from the Azure Information Protection client.

 

If you are an existing Azure Information Protection customer using Azure Information Protection client features that are not yet supported by the Azure Information Protection unified labeling client (for example, user-defined permissions,  HYOK, and advanced settings) we recommended that you wait for future Azure Information Protection unified labeling client releases.

 

Additional information

 

The latest client version with these new capabilities can be found here. For more detailed information, see the version release information.

 

You feedback is valuable and allows us to understand better what you need to help you in your information protection strategy. We encourage you to try the new features and share your feedback using our Yammer community.

27 Comments
Silver Contributor

Why is this being deployed into the SCC instead of the new Compliance Center? The SCC is being replaced so it does not make any sense to be adding new functionality to something that is going away.

Silver Contributor

As i've received an explanation via PM i figured i will post it here for someone who was confused as myself. Old AIP client (which integrates with Office apps) was controlled via Azure portal and wasn't compatible with unified labels available in Security & Compliance. New AIP client will work with labels in SCC (presumably this administration bit will move to new Compliance center at some point) and should cover all Information Protection products/usage cases. New one is not covering all features of old one yet, but MS plans to reach 90% parity by 2019 end. Old one won't receive new features from now on.

 

I just wonder, when and whether this client will become an integral part of Office 365 package, so you won't have to install it additionally. Compliance seems like a must have thing nowadays, so if you install Office for all employees, all should have AIP capabilities out of the box. It's not that you only install AIP client just for a few users. This won't help with information protection, so i wish it would be shipped along with Office (less deployments to manage).

@Dean Gross , Office are gradually redirecting users from SCC to M365 compliance center . M365 compliance center has already the same configuration capabilities of unified labels and protection as you have today in SCC.

@wroot Office are planning  to ship built in  labeling during H2 of 2019 in office ProPlus only  (eliminated the need to install additional add in) . 

The first office built in release will contain manual labeling only. ( no recommendation or automatic labeling) 

Silver Contributor

@Maayan Naaman Rand  thanks for the quick response. Would you please update your original post to make this more clear. The O365 Admin Center has already had the link to the SCC removed and getting to that portal is harder than it should be. People need to know that they can go to the new Compliance Center to do to this.

Brass Contributor

Are we able to choose a separate default label in Outlook compared to other office apps in the Unified Label approach yet?

 

Bit of a blocker for us as our default for docs is set to internal only, so as soon as we install the new client users have to reclassify every email in order to send.

@Andrew Matthews this first GA release of AIP unified labeling client doesn't support default label in Outlook. However the plan is that our next release will support it . Configuration will be done by PSH cmdlet.

Copper Contributor

When will the support for Office Online Apps will be included for Azure Information Protection? Release of Unified Labeling for Office 365 and Azure is great, We can now define consistent Labeling across MS cloud platforms( O365 and Azure), But without any Office Online support It is difficult to implement information protection features and encourage users to use it. We cannot open a AIP Labelled document in SharePoint online and ODFB. Microsoft rolled-out these Information protection features for cloud platforms, But have not provided minimum view/edit capabilities for Office Online apps.  How does Unified Labeling will help in Office 365, If we can't even open a labeled document from SharePoint online and ODFB? It doesn't make any sense to open each and every document of SPO and ODFB in a desktop client!! 

 

I have been waiting since more than a year now, I haven't seen any update on office Online support!! Users are happy to label a new document from their desktop using AIP banner in Office apps, But frustrated with unable to open/view the same document Online.

 

Regards,

Padal.

 

Steel Contributor

So should we stop telling everyone about the amazing Track and revoke feature since the documentation states that has been killed off in Unified Labeling and will not be planned going forward? Before I start tweeting that Microsoft has killed Track and Revoke, I guess we all deserve a better explanation why this feature got dropped. It's been a huge selling point to show customers a graphical map of the world so they can see where their documents have been opened from, and email notifications when someone opens their document. In the past, the Yammer community was told that Track and Revoke would not be in the Office Ribbon, and the work-around would be to use it in the File Explorer, but that is also not possible now, nor planned. Say it aint so!

Features not planned to be in the Azure Information Protection unified labeling client

- Track and revoke from Office apps and File Explorer

Iron Contributor

@Maayan Naaman Rand Considering the features below that will NOT be supported in any future release of Unified Labeling Client, may we know for how long the "traditional" AIP Client will be supported? Honestly, MSFT is killing a set of capabilities that are KEY for end-user experience. Maybe the will be a better equivalent, but we do not have a clue about is as for now. Not supported features:

- Custom permissions in Office apps: Word, Excel, and PowerPoint - This is a killer! How to make a document to be accessible for selected domains only? Shold we create a separate label for every partner org we work with?

- Track and revoke from Office apps and File Explorer

- Information Protection bar title and tooltip

- Display the Do Not Forward button in Outlook

Hi  @Red Flag , Thank you for the feedback .

As soon as we reach 90% of feature parity between AIP unified labeling client and AIP client we will announce end of support of traditional AIP client of one year . I still don't have any specific ETA for that but will share this information with our customers as soon as we will have final dates. 

Regarding the list of features you mention that we don't plan to support in the unified labeling client , let's go over them one by one :

1) custom protection won't be available in  office but instead we will offer  in one of our next GA releases  "user defined permission" feature  .The option lets users specify who should be granted permissions and what those permissions are. You can then refine this option and choose Outlook only (the default), or Word, Excel, PowerPoint, and File Explore

2)We are working on a new track and revoke portal but there is still no ETA.

3) Information protection title and tool tip - removed due to low usage , what is your use case here ?

4)DNF button - you have an option to set DNF under "encrypt" button in office ribbon , we aligned it to the new office native built in labeling  experience which will be released in the future.

Copper Contributor

Hi @Maayan Naaman Rand  Could you please share an ETA on when AIP support will be made available for the Office online apps ? We are unable to open AIP labelled documents uploaded in SPOnline sites and OneDrive site collections.

 

Any information that you can share will be helpful! 

 

Thanks,

Pradeep Padal.

Iron Contributor

@Maayan Naaman Rand – thank you for replying. It’s not always the case that MSFT people are open for discussing things.

Let me answer one by one, too:

  1. Custom permissions – it looks there will be an equivalent of current feature. However could you please confirm that “user defined permission” will allow to put just domain name like @mydomain and not only a specific e-mail address? This would make a huge difference.
  2. Track and revoke – good to know that some similar experience is under development; the current one is a big selling point for AIP/MIP – so be careful by removing it or by replacing it with some less convenient experience.
  3. Information Protection title and tool tip – first check the screencast (link), we need to make sure we refer to the same functionality. If yes, then there is a bunch of arguments to rethink the strategy:
    1. Title provides a simple advice for end-user WHEN to apply the specific label/protection
    2. Sublabel tip provides more detailed RESULT of applying the label/protection that are difficult to remember! There are more than few – actually 13 – different permissions to be set – PRINT/EXTRACT/DOCEDIT… Then an additional parameter for “lifecycle” of the labeled doc – like removing access after 100 days from applying the label or additionally X days after last check on RMS.

So, it helps to apply strict and specific labels for GDPR (edit or view only), internal docs or external time limited docs (like tender offers).

  1. DNF – if InfoSec is a real priority then the DNF deserves a “one click” button – that makes the protection just an “one click away” operation. Another selling point for M365 and against competitive solutions.

These are my views on InfoSec. I’m not convinced, we can really influence the direction MSFT is going. Just take it as a market insight and please cross check it with your telemetry data. But pls consider the adoption curve before you disable our key and unique selling points for info sec @MSFT.

Hi @Pradeep_Padal , I belive you are reffering to opening not just labeled documents in office online apps (which can be achieved today) but rather labeled and protected documents , Am I correct ?

 

Copper Contributor

Hi @Maayan Naaman Rand  : Yes, Your correct. I am referring to Labeled and protected documents.  Below is the error message when we try to open from SPO and ODFB.

 

Capture1.PNG

Hi Pradeep_Padal

The office online team are working for a unified solution but there is no committed ETA . I will be happy to connect you personally with the relevant conect in this team 

Hi @Red Flag  , 

custom permission - you can specify and domain not just an email .

Title and tool tip - you indeed referred to a different feature which we definitely continue to support .

DNF - will be 2 clicks away instead of one click , or you can also choose "encrypt" option in one click , under "option" office ribbon 

Iron Contributor

Hi @Maayan Naaman Rand re tooltip - I stil believe we talk the same functionality, at least the setup on Unified Labeling calls is "tooltip", which is the hoover option on AIP bar.

tooltip.PNG

 Hi @Red Flag  , do you refer to this option ? to set label name and tooltip s? this ones are displayed for each label once hoovering on the label 

toolt tip.PNG

Copper Contributor

We're using AIP Scanner to scan and label documents for on-premise servers.  It's my understanding that the labeling available here vs O365 is different - one provides classification labels, the other retention.  

 

1.  Am I correct in understanding that Unified labeling attempts to merge these two together - allowing the classification and retention label to be one label?

2.  Does this mean that retention policies applied to labels in O365 will apply to the files scanned and labeled for my on-premise servers using the AIP Scanner?

 

Any help is appreciated - trying to get this off the ground ASAP.

 
 
 
    The retention labels are not related to AIP unified labeling or to the scanner . both are using only sensitivity labels.

 

Copper Contributor

This tech community post says that :

 

  • SharePoint Online service supports Azure Information Protection encryption on document upload, understands label policies applied to the document, and applies label permissions to document open when the document is in SharePoint or OneDrive.
  • When the document is downloaded from SharePoint or OneDrive, the document is protected by the label, so the protection continues to travel with the document.
  • Users can now open, edit and co-author a protected document in Office Online if the label policy allows. 

 

https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Updates-to-SharePoint-security-admi...

 

But, I am unable to find any change while trying to view/open/edit documents in online applications. Anyone of you tried this recently ?

 

Thanks,

Pradeep

Brass Contributor

@Maayan Naaman Rand  So Retention labels will always be seperate from sensitivity/ unified labeling?
We want to actually merge thoes two, so that when a user classify an email, as "Confidential", the email will be deleted after x days, and the email wil be protected / encrypted.

 

But as i see it now, the user needs to classify the email with both Retentionlabel, to delete it after x days, and also classify it with a Sensitivity label to protect it?

 

looking very much forward for your answer :)

Hi Micki Wulffeld , 

Right now the retention labels are separated from sensitivity labels. I believe you should sync with DLP team in order to understand their future plans for sensitivity and retention label reunion, if any .

Brass Contributor

@Maayan Naaman Rand 

I also have som Sensitivity label questions :)

 

I notice that i cant apply a sensitivity lable on mails that i have in my inbox?

I have both a classify-only Sensitivity label, and some protection sebnsitivity labels, but i can only classify emails when i create a new E-mail?

 

And the Sensitivity labels are not searchable from outlook client, either?
It would be nice to at leat search emails'with specific sensitivity label name, to delete them later.

Is that the default behaviour?
I use tne newest O365 Proplus office version, on Win 10, 1909

 

 

Hi Micky , labels can only applied to sent mails , not to mails in Inbox .In addition we don't have an option to search according to a specific label 

 

Copper Contributor

Hello, We have an Microsoft SharePoint 2016 Standard On-premise deployment. Are sensitivity labels available for the on-premise version? If yes, can you direct me to an installation/configuration documentation. Thank you very much.

Version history
Last update:
‎Nov 09 2023 11:09 AM
Updated by: