SOLVED

AIP phased deployment

%3CLINGO-SUB%20id%3D%22lingo-sub-890573%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20phased%20deployment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-890573%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F158376%22%20target%3D%22_blank%22%3E%40janet%20sleiman%3C%2FA%3E%20%3A%20You%20are%20correct%3A%20The%20onboarding%20controls%20are%20there%20for%20just%20such%20a%20case.%20Making%20sure%20you%20are%20onboarding%20only%20the%20specified%20users.%20And%20I%20understand%20why%20you%20ask%2C%20since%20the%20article%20isn't%20really%20clear%20on%20this%20(just%20says%20that%20other%20users%20won't%20be%20able%20to%20%3CEM%3Eprotect%3C%2FEM%3E).%20I%20haven't%20tried%20this%20for%20a%20while%20but%20last%20time%20I%20did%20this%20the%20users%20who%20were%20not%20in%20the%20onboarding%20policy%20would%20still%20see%20the%20protection%20templates%2C%20but%20would%20not%20be%20able%20to%20apply.%20If%20they%20selected%20a%20template%2C%20they%20would%20see%20the%20following%20message%3A%20%3CSTRONG%3EAzure%20Information%20Protection%20cannot%20apply%20this%20label.%20If%20this%20problem%20persists%2C%20contact%20your%20administrator.%20%3C%2FSTRONG%3EAnd%20it%20didn't%20matter%20if%20it%20was%20a%20scoped%20policy%20or%20not.%20The%20labels%20however%20should%20be%20hidden.%20And%20if%20you%20want%20to%20be%20sure%2C%20you%20could%20publish%20only%20to%20the%20pilot%20group.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-890321%22%20slang%3D%22en-US%22%3EAIP%20phased%20deployment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-890321%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20working%20on%20deploying%20AIP%20for%20a%20pilot%20group.%20I%20followed%20this%20article%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Factivate-service%23configuring-onboarding-controls-for-a-phased-deployment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Factivate-service%23configuring-onboarding-controls-for-a-phased-deployment%3C%2FA%3E%3C%2FP%3E%3CP%3Eand%20used%20a%20security%20group%20that%20contains%20all%20my%20pilot%20users.%20Now%2C%20I'm%20at%20the%20point%20where%20I'm%20ready%20to%20publish%20my%20labels%2C%20if%20I%20publish%20to%20ALL%20users%20in%20tenant%2C%20will%20only%20the%20users%20in%20my%20security%20group%20see%20the%20labels%3F%20is%20that%20how%20this%20works%3F%20or%20should%20I%20only%20publish%20labels%20to%20the%20security%20group%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-890321%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%20%26amp%3B%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Contributor

I'm working on deploying AIP for a pilot group. I followed this article

https://docs.microsoft.com/en-us/azure/information-protection/activate-service#configuring-onboardin...

and used a security group that contains all my pilot users. Now, I'm at the point where I'm ready to publish my labels, if I publish to ALL users in tenant, will only the users in my security group see the labels? is that how this works? or should I only publish labels to the security group?

 

 

 

1 Reply
best response confirmed by JSlei (Contributor)
Solution

Hi@JSlei : You are correct: The onboarding controls are there for just such a case. Making sure you are onboarding only the specified users. And I understand why you ask, since the article isn't really clear on this (just says that other users won't be able to protect). I haven't tried this for a while but last time I did this the users who were not in the onboarding policy would still see the protection templates, but would not be able to apply. If they selected a template, they would see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator. And it didn't matter if it was a scoped policy or not. The labels however should be hidden. And if you want to be sure, you could publish only to the pilot group.