Unified labeling is here and it is the next step in the Microsoft Information Protection story. Each new Microsoft product and service that utilizes classification and protection capabilities (and 3rd party ones using MIP SDK capabilities) will require unified labeling. Because of this, now is the time to execute a migration to this service as there is zero risk when done properly following our recommended steps.
The primary migration plan is to migrate labels and policies from the Azure Information Protection blade in the Azure portal to the Office 365 Security & Compliance Center, re-create your label conditions and deploy a Unified Labeling supported client, via an add-in or built-in Office 365 apps. Both can be deployed as a new installation or in-place upgrade to the Azure Information Protection client (classic). If you want to understand why this is necessary and why the migration plan is not as complicated as it initially sound, please continue to review the information contained in this blog.
Note: Unified labeling support is only available for commercial cloud tenants.
Unified labeling Migration
Back in 2016 when the Azure Information Protection client was initially released, it was the first Microsoft product that introduced labeling capabilities which was applied on top of the already available Azure Rights Management service. The Azure Information Protection blade in the Azure portal replaced the old Azure Rights Management interface which was available only in the Azure classic portal. At that point, Azure Information Protection was the only product that supported labeling of sensitive content as part of Microsoft portfolio.
Based on customer feedback and the evolution of Office 365, a strategic decision was made to integrate Azure Information Protection labeling capabilities into Office 365 services. Because the Office 365 suite of products were managed from the Office management portals and the plan included a big initiative to integrate Azure Information Protection labeling capabilities into Office 365 and many other Microsoft and 3rd party products, a unified approach has been agreed upon and initiated these changes:
Performing these changes caused the creation of a new label management tab, in addition to a new client support (via add-in and built-in Office 365 apps) that is based on the Microsoft Information Protection SDK. Unlocking the availability of Sensitivity labels across the complete Microsoft 365 platform.
At the time of writing this blog (Updated on November 2019), there are 2 main label management portals which are supported by different products:
As you can see and understand, moving forward, every app and service that implement labeling capabilities in Microsoft will be using unified labeling exclusively. In addition to that, the Azure Information Protection client (classic) and portals are still here but not for long (a separate announcement will be published in the future and will details the specific plans).
Lastly, unified labels support advanced capabilities that aren’t available when Azure Information Protection labels are in use and are now available as part of the native integration with the Microsoft 365 platform. Some of these capabilities are:
There is no risk for end users and production environment in migrating to unified labeling today, the migration process from Azure Information Protection backend to Security and Compliance backend is separated for labels and policies. So as long you didn’t publish a unified labeling policy or didn’t deployed an application that support unified labeling, nothing happens for end users and they still don't have the ability to apply sensitivity labels.
Note that while enabling the migration doesn't change the label production capabilities till you publish a label policy. In case you have mails that are already labeled and sent internally, these labels will be visible in OWA.
So, what now? It’s time to migrate to unified labeling!
Are you a new customer who is just starting your Information Protection journey? Start with unified labeling and create your policies and labels in the Office 365 Security & Compliance Center (Or Microsoft 365 Compliance / Microsoft 365 Security portals in case you are a Microsoft 365 customer). New tenants are already enabled with unified labeling, so no action is required from your side. If no labels are already created and you wish to leverage Azure Information Protection default labels, go to the Azure Information Protection blade in the Azure portal and generate the default labels (Fig. 1). In addition, verify that your tenant is already migrated to unified labeling, if not, go to the unified labeling blade and activate the migration (Fig. 2). Once the service side configuration has be completed, continue to “Phase 3 – Client deployment” part of this blog to understand which client you should deploy so your users can leverage labeling capabilities in their environment.
Are you an existing Azure Information Protection customer who wish to migrate to unified labeling? Here are the suggested steps you should perform to plan and execute the migration:
Phase 1 – Planning
Unified labels support most functionalities that are available in Azure Information Protection labels, some functionalists are not available, and some are configured differently when managed from the Security & Compliance Center. There are also difference between which capabilities are available in each platform. Please review the following:
If one of the documented differences impact your end users’ behavior, please reflect this accordingly in your end user communication before deploying the latest client and publishing the unified labeling policy.
As of today (Updated on November 2019), the Azure Information Protection scanner and Analytics supports Unified Labels, are in preview and managed from the Azure Information Protection blade in the Azure Portal. Please note that Azure Information Protection Analytics - audit activities that are generated only form the Azure Information Protection client (Classic and Unified Labeling).
Phase 2 – Service migration
After you have reviewed the 1st phase, it’s time to migrate your labels and policies to the Security & Compliance Center. It is important to mention that “Migrate” doesn’t mean you need to move away from managing labels and policies in the Azure Information Protection blade and the Azure Information Protection client (classic). This migration can happen in the background and works side by side with no additional configuration.
Migration is a 2-step action:
Step 1: Label migration
We will start with describing what happens when you migrate your Azure Information Protection labels to unified labels. This happens once you click the “Activate” (Fig 3) button under “Unified Labeling” blade.
Before you activate the migration, both Azure Information Protection backend and unified labeling backend are 2 separate services which work independently (Fig. 4). Once you activate the unified labeling migration, the labels are copied from the Azure Information Protection backend to the unified labeling backend and both services are using the same backend to store labels (Fig. 5). This means that every change you perform to any label at any portal will be changed also in the other portal.
After you activate the unified labeling migration, your labels are expected to be visible in both the Azure Information Protection blade and unified labeling page in the Security & Compliance Center (Fig 6).
Moving forward you can manage your labels at one place. After the migration, when you edit a migrated label in the Azure Information Protection blade, the same change is automatically reflected in the admin centers. However, when you edit a migrated label in the Security & Compliance Center, you must return to the Azure Information Protection blade, go to Azure Information Protection - Unified labeling blade, and select Publish. This additional action is needed for the Azure Information Protection clients (classic) to pick up the label changes. Once you are fully migrated to the unified labeling client, you no longer need to do this step, so migrating quickly helps to reduce this administrative overhead.
As you may notice, label configuration in the Security & Compliance Center doesn’t include some of the advanced settings that were able to be configured using Azure Information Protection labels. These configurations are now applied to the label after its initial creation / migration using the Security and Compliance PowerShell module. Here are few examples of these configurations:
A full list of all the advanced label settings is published here with instructions how to apply them. Please note that these label advanced settings are supported only by the Azure Information Protection unified labeling client on Windows and not by the Office 365 apps built-in integration with unified labeling.
Step 2: Copy policies
Once your labels have been migrated to Security & Compliance center we can discuss and check the possibility to migrate your policies as well with a one-time copy action (Fig 7.) Policies can be migrated or otherwise, you can create them manually and start this part from scratch.
Selecting “Copy policies (preview)” will perform a one-time copy of your policies with their settings and any advanced client settings to the Security & Compliance center (Fig 8). Before doing that, there are few considerations that you should be aware of:
As an Azure Information Protection admin, you probably noticed that some policy configurations are not available when you configure your policy in the Security & Compliance Center. In case you copied your policies using the “Copy Policies” feature then these configurations are copied as well. For future policy configuration you will decide to use, or if you created your label policy manually, these configurations should be applied to the policy you created in the Security & Compliance Center after its initial creation and using the Security & Compliance PowerShell module. Here are few examples for such configurations:
The full list of all the advanced policy settings is published here with instructions for how to apply them. Please note that these advanced settings (both for policies and labels) are supported only by the Azure Information Protection unified labeling client and not by the Office 365 built-in integration with unified labeling.
Important Note: If you use Microsoft Cloud App Security and Azure Information Protection labels (or intend to do so in the future), verify you have published at least 1 policy with minimal set of labels even if this is scoped to a single user. This is required for Microsoft Cloud App Security to identify all labels in the Security & Compliance Center and show them in the Microsoft Cloud App Security portal.
What doesn’t migrate and need to be created separately?
Why? As mentioned earlier in this blog, conditions are more flexible and have additional advanced settings that allows better accuracy and less false positive matches. Therefore, they cannot be directly translated across the services.
Label conditions should be created manually under each unified label as they are far more flexible than their Azure portal counterparts. By the way – If you already have custom sensitive information types that were built to use with Office 365 DLP or Microsoft Cloud App Security you can apply them as-is to a unified label with simple configuration. Read our official documentation on how to create automated and recommend rules for unified labeling.
Label translations can be configured, once labels are migrated, using Security & Compliance PowerShell module using the set-label cmdlet with the -LocaleSettings parameter. Please note that translations are supported only for labels and with the Azure Information Protection Unified Labeling client.
Phase 3 – Client deployment
The last part is to verify the end users will be able to get the unified labeling policies and labels. For this they need a supported client that knows to connect to the Security & Compliance backend and pull the unified labeling policy. For all non-windows platforms, there is no Azure Information Protection client as labeling capabilities are already integrated, out of the box in Office clients for MacOS, Office for the web (preview), Outlook Web App and Mobile devices. Once labels are published, these platforms will be able to leverage them. Click here to read how to apply sensitivity label in each platform that supports built-in labeling. For Windows platform there are 2 options you can use if you are using Office 365 ProPlus:
More details on the functionality differences are detailed in the official client comparison. What should lead you in the decision are the required functionality in the current point and time for your organization. As we move forward, more functionalities will be added to the built-in capability that doesn’t require an add-in to be deployed. Here is a short table that describe the major differences between these options:
You can read more on the capabilities that are currently supported with Office 365 apps built-in labeling in this official documentation.
For Windows Office perpetual clients (2010, 2013, 2016, 2019), install the Azure Information Protection unified labeling client (Option 2) which can be downloaded from http://aka.ms/aipclient (verify you download the AzInfoProtection_ul.exe file. If you currently have Azure Information Protection client (classic) deployed, installing the unified labeling client will perform an in-place upgrade.
See the following screenshots (Fig. 9) that describe the experience across multiple platforms. You can also see this in the latest official documentation.
If you published your labels and the clients that have built-in support do not show the “Sensitivity” button, review the troubleshooting guide that covers this topic.
The main differences for end users who use the classic client for Azure Information Protection today and move to use the unified labeling client is the new “Sensitivity” button that replaces the “Protect” button (Fig. 10). The functionality and experience to apply labels remains the same with the vertical bar across all platforms and with the horizontal bar which is exclusive to the Azure Information Protection unified labeling client in Windows.
That’s it! Once you have performed the steps mentioned above, you have completed your migration to unified labeling and are now ready for the future and the exciting updates that will be available soon across the Microsoft 365 platform!
You can manage labels in one place which is the unified labeling console in Office 365 Security & Compliance Center. The only reason you may still need to use the Azure Portal for Azure Information Protection, is to manage the Azure Information Protection scanner and to monitor label activities using Azure Information Protection analytics.
If you have questions or want to follow up on the latest updates from Microsoft Information Protection, please review these resources:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.