Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Use of AIP scanner on-premises with classic labels now with future path to UL possible?

Brass Contributor

following on from @Chuck99 post - AIP scanner still only works with classic labels and not UL. The article
https://techcommunity.microsoft.com/t5/Azure-Information-Protection/AIP-Scanner-for-Unified-Labels-p...
states that this isn't a blocker 'As of today (August 2019), the Azure Information Protection scanner supports only labels from Azure Information Protection blade but this is not a blocker as the Azure Information Protection label metadata is identical to unified labels.'

Can anyone advise, does this mean we can scan on-prem sources using current AIP scanner which doesn't support UL? Presumably once its integrated, we can then migrate AIP labels to UL and carry on seamlessly or are there some pitfalls or alternative approach to consider? Is there any update on when we can expect scanner to support UL?

9 Replies

@Chris Johnston  Activating/migrating Unified labels does not prevent you from using configuration in the classic portal. It makes the two configurations "aware" of eachother and the work you do in one of them will be visible in the other, also making it possible for you to publish the label configuration in the other portal if that makes any sense? If you for instance need to use the AIP scanner, or you need features that is only possible in the classic portal (for instance track and revoke), you can still migrate to unified labels. The client used (classic client vs UL client) will decide where you get your configuration from. The classic client will retrieve data from the classic portal and the UL client from the Office 365 portal.

@Pål Winther Thanks for the info - so would the label applied to an on-prem doc using AIP scanner essentially be agnostic of whether UL or AIP was in use on the tenant? 

The issue is that we would ideally want to be using UL for the tenant but we would have a constraint of having to use classic labelling for on-prem whilst AIP scanner only supports classic. Presumably we'd have to keep AIP in classic running on tenant and then cut-over to UL once AIP scanner supports UL?  I guess what I'm after here is the sequencing and any issues (presumably having a UL label same as AIP would be one which is why I'm thinking it would be classic AIP on tenant with a future cut-over to UL rather than trying to use UL and classic in parallel)  

That is correct@Chris Johnston. Unified labeling vs classic labeling is all about the method used to label the content and not the label it self. They are both using the same base protection (RMS), and that is how a document protected by the classic client can be read when you have migrated to unified labeling. You can also use the unified labeling client to protect content and this can be read by people who only use the classic client (if that makes sense?). The protection is all about identities and the RMS service, and not about which client you use. Did I understand you correctly? :)

Thanks @Pål Winther its' getting much clearer :)

My remaining confusion is around how to configure the labelling in the tenant, Azure Portal for classic AIP vs unified labelling in security & compliance. Assuming AIP scanner can only consume classic, I will need Azure configured labels in the tenant whilst I am using the current AIP scanner which does not support UL. Will I be able to have identical UL labels configured for labelling the online content at the same time? (I suspect not) What happens once scanner then supports UL - do I migrate the classic labels in the tenant to UL? Essentially I'm after reassurance that we can start on a path now using AIP scanner for on-prem that will be compatible with current and future state of labelling config on the tenant (where ideally we'd want to use UL right now).

best response confirmed by Chris Johnston (Brass Contributor)
Solution

@Chris JohnstonI am glad I can help. At the moment you activate the unified labeling the configuration you do in either portal will be available in the other. This means you do not have to recreate the settings from UL to classic or from classic to UL, (but from classic to UL you do need to publish them in a policy for users to see the labels, and for the UL labels to be seen by the classic portal you publish them from the unified labeling blade.).

Example:

1. You create a sensitivity label in the Office 365 portal. Almost immediately you will see the same label in your AIP portal. For the clients to pick up the changes you use the Publish option from the Unified labeling blade in the AIP portal.

 

2. You create a label in your Azure portal. Almost immediately you will see the label in your Office 365 portal.

 

This means you can do the work in the Office portal and still use the classic client to reach the same settings from the classic portal. The configuration is syncronized. That does not however mean that all settings are synchronized, but that is because at the moment there isn't what we call feature parity between the two, but this a matter of time. But, to answer your question: You can (depending on what configuration you have) use the exact same settings for a label that exists in both portals.

 

It can seem quite complex, and I am sorry if I am unable to make it clearer.

@Pål Winther thanks for taking the time to explain labelling in depth, its much appreciated and gives me the steer that we are ok to proceed along the lines we were thinking. I think the next step is for us to set up a PoC to run through the config and steps. 

It is my pleasure@Chris Johnston. That sounds like a good place to start. Best of luck. :)

Just a little update @Chris Johnston The Unified labeling scanner is now in public preview!

great news - thanks for letting me know
1 best response

Accepted Solutions
best response confirmed by Chris Johnston (Brass Contributor)
Solution

@Chris JohnstonI am glad I can help. At the moment you activate the unified labeling the configuration you do in either portal will be available in the other. This means you do not have to recreate the settings from UL to classic or from classic to UL, (but from classic to UL you do need to publish them in a policy for users to see the labels, and for the UL labels to be seen by the classic portal you publish them from the unified labeling blade.).

Example:

1. You create a sensitivity label in the Office 365 portal. Almost immediately you will see the same label in your AIP portal. For the clients to pick up the changes you use the Publish option from the Unified labeling blade in the AIP portal.

 

2. You create a label in your Azure portal. Almost immediately you will see the label in your Office 365 portal.

 

This means you can do the work in the Office portal and still use the classic client to reach the same settings from the classic portal. The configuration is syncronized. That does not however mean that all settings are synchronized, but that is because at the moment there isn't what we call feature parity between the two, but this a matter of time. But, to answer your question: You can (depending on what configuration you have) use the exact same settings for a label that exists in both portals.

 

It can seem quite complex, and I am sorry if I am unable to make it clearer.

View solution in original post