Walkthrough for AIP labelByCustomProperties Advanced Feature

Published 05-24-2021 12:00 PM 881 Views
Microsoft

In the Information Protection world there are several technologies customers could choose to deploy. Ultimately, decisions will also be made to migrate away from them to other vendor products. When this happens, customers generally want to maintain a mapping from the older labels to newer labels, ensuring that they can easily apply new labels without the need for additional manual work.

 

This document will walk through how to leverage the labelByCustomProperties advanced feature for the cmdlet Set-Label included in the Security and Compliance PowerShell. This will enable us to create a mapping from one label to another, and is useful for use cases of moving from another labeling technology to Sensitivity labels, Secure Islands to Sensitivity labels, Sensitivity labels in Commercial tenants to Sensitivity labels in GCCH tenant, and much more.

 

Please keep in mind that the mapping is limited to labeling only, meaning that protection capabilities cannot be maintained during this mapping. There is also a potential for performance issues regarding its use with labeled emails.

 

  1. Connect to the Security and Compliance Center (SCC) PowerShell. This enables you to leverage many of the advanced settings for sensitivity labeling. Ensure that the Module ExchangeOnlineManagement is installed. You can either use Windows PowerShell in admin mode and run the following command:

 

 

 

 

Install-Module -Name ExchangeOnlineManagement

 

 

 

 

 

Or https://www.powershellgallery.com/packages/ExchangeOnlineManagement/2.0.5 to manually download the module and then use it. After doing this, go ahead and import the module using the following command:

 

 

 

 

Import-Module ExchangeOnlineManagement

 

 

 

 

 

2. Connect to the PowerShell for your organization. You can specifically use this for organizations in Commercial M365 and M365 GCC:

 

 

 

 

Connect-IPPSSession -UserPrincipalName navin@contoso.com

 

 

 

 

 

Make sure to change the UPN that is tailored for your use case. For other endpoints such as GCCH organizations and more see here

 

3. Now you will be able to use the advanced settings by leveraging the SCC PowerShell. We will start by demonstrating one mapping of an AIP label in tenant A to an AIP label in tenant B. The example is demonstrated below:

 

 

Set-Label -Identity YOURTENANTBLABELNAME -AdvancedSettings @{labelByCustomProperties="description of rule,MSIP_Label_fc45349f-e0b8-4318-8dac-6a12a9c611fd_Enabled,true"}  

 

 

The advanced setting key is defined as labelByCustomProperties and the value is entered using the following format:

 

“Description of rule, Label Property, metadata”

 

To unpack the example some more, we start by using Set-Label as the command to set up the mapping of one label to another. To create more mappings, you create more instances of this Set-Label command.

 

For the -Identity parameter, you want to input what the resulting label name should be. I.e. if you were taking a document in Tenant A with “x” label and wanted it to display “y” label in Tenant B, you would want to input “y” for the -Identity parameter.

 

The -AdvancedSettings parameter has the key and value described earlier but let’s break down the value format further. For “Description of rule” you can input any string that would help you describe the mapping. For “Label Property” this would be the custom metadata property specific to our use case. In the example above we have an MSIP_Label that is indicative of the label from Tenant A which is “x”. Finally, we have the “metadata” and here we used “true” in the example to denote the scenario when this label metadata is present in Tenant B.

 

Thus, this label essentially allows us to go from one label in a tenant to another label in another tenant. There are other potential permutations of this, but we hope you understand how you can use this for your own use cases moving forward.

1 Comment
Senior Member

Any guidance for migrating sensitivity labels with protection to another O365 tenant?

%3CLINGO-SUB%20id%3D%22lingo-sub-2376527%22%20slang%3D%22en-US%22%3EWalkthrough%20for%20AIP%20labelByCustomProperties%20Advanced%20Feature%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2376527%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20the%20Information%20Protection%20world%20there%20are%20several%20technologies%20customers%20could%20choose%20to%20deploy.%20Ultimately%2C%20decisions%20will%20also%20be%20made%20to%20migrate%20away%20from%20them%20to%20other%20vendor%20products.%20When%20this%20happens%2C%20customers%20generally%20want%20to%20maintain%20a%20mapping%20from%20the%20older%20labels%20to%20newer%20labels%2C%20ensuring%20that%20they%20can%20easily%20apply%20new%20labels%20without%20the%20need%20for%20additional%20manual%20work.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20document%20will%20walk%20through%20how%20to%20leverage%20the%20labelByCustomProperties%20advanced%20feature%20for%20the%20cmdlet%20Set-Label%20included%20in%20the%20Security%20and%20Compliance%20PowerShell.%20This%20will%20enable%20us%20to%20create%20a%20mapping%20from%20one%20label%20to%20another%2C%20and%20is%20useful%20for%20use%20cases%20of%20moving%20from%20another%20labeling%20technology%20to%20Sensitivity%20labels%2C%20Secure%20Islands%20to%20Sensitivity%20labels%2C%20Sensitivity%20labels%20in%20Commercial%20tenants%20to%20Sensitivity%20labels%20in%20GCCH%20tenant%2C%20and%20much%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20keep%20in%20mind%20that%20the%20mapping%20is%20limited%20to%20labeling%20only%2C%20meaning%20that%20protection%20capabilities%20cannot%20be%20maintained%20during%20this%20mapping.%20There%20is%20also%20a%20potential%20for%20performance%20issues%20regarding%20its%20use%20with%20labeled%20emails.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EConnect%20to%20the%20Security%20and%20Compliance%20Center%20(SCC)%20PowerShell.%20This%20enables%20you%20to%20leverage%20many%20of%20the%20advanced%20settings%20for%20sensitivity%20labeling.%20Ensure%20that%20the%20Module%20ExchangeOnlineManagement%20is%20installed.%20You%20can%20either%20use%20Windows%20PowerShell%20in%20admin%20mode%20and%20run%20the%20following%20command%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EInstall-Module%20-Name%20ExchangeOnlineManagement%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3EOr%20%3CA%20href%3D%22https%3A%2F%2Fwww.powershellgallery.com%2Fpackages%2FExchangeOnlineManagement%2F2.0.5%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.powershellgallery.com%2Fpackages%2FExchangeOnlineManagement%2F2.0.5%3C%2FA%3E%20to%20manually%20download%20the%20module%20and%20then%20use%20it.%20After%20doing%20this%2C%20go%20ahead%20and%20import%20the%20module%20using%20the%20following%20command%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EImport-Module%20ExchangeOnlineManagement%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E2.%20Connect%20to%20the%20PowerShell%20for%20your%20organization.%20You%20can%20specifically%20use%20this%20for%20organizations%20in%20Commercial%20M365%20and%20M365%20GCC%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EConnect-IPPSSession%20-UserPrincipalName%20navin%40contoso.com%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3EMake%20sure%20to%20change%20the%20UPN%20that%20is%20tailored%20for%20your%20use%20case.%20For%20other%20endpoints%20such%20as%20GCCH%20organizations%20and%20more%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fexchange%2Fconnect-to-scc-powershell%3Fview%3Dexchange-ps%23connect-to-security--compliance-powershell-using-mfa-and-modern-authentication%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E3.%20Now%20you%20will%20be%20able%20to%20use%20the%20advanced%20settings%20by%20leveraging%20the%20SCC%20PowerShell.%20We%20will%20start%20by%20demonstrating%20one%20mapping%20of%20an%20AIP%20label%20in%20tenant%20A%20to%20an%20AIP%20label%20in%20tenant%20B.%20The%20example%20is%20demonstrated%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3ESet-Label%20-Identity%20YOURTENANTBLABELNAME%20-AdvancedSettings%20%40%7BlabelByCustomProperties%3D%22description%20of%20rule%2CMSIP_Label_fc45349f-e0b8-4318-8dac-6a12a9c611fd_Enabled%2Ctrue%22%7D%20%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20advanced%20setting%20key%20is%20defined%20as%20labelByCustomProperties%20and%20the%20value%20is%20entered%20using%20the%20following%20format%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%E2%80%9CDescription%20of%20rule%2C%20Label%20Property%2C%20metadata%E2%80%9D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20unpack%20the%20example%20some%20more%2C%20we%20start%20by%20using%20Set-Label%20as%20the%20command%20to%20set%20up%20the%20mapping%20of%20one%20label%20to%20another.%20To%20create%20more%20mappings%2C%20you%20create%20more%20instances%20of%20this%20Set-Label%20command.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20the%20-Identity%20parameter%2C%20you%20want%20to%20input%20what%20the%20resulting%20label%20name%20should%20be.%20I.e.%20if%20you%20were%20taking%20a%20document%20in%20Tenant%20A%20with%20%E2%80%9Cx%E2%80%9D%20label%20and%20wanted%20it%20to%20display%20%E2%80%9Cy%E2%80%9D%20label%20in%20Tenant%20B%2C%20you%20would%20want%20to%20input%20%E2%80%9Cy%E2%80%9D%20for%20the%20-Identity%20parameter.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20-AdvancedSettings%20parameter%20has%20the%20key%20and%20value%20described%20earlier%20but%20let%E2%80%99s%20break%20down%20the%20value%20format%20further.%20For%20%E2%80%9CDescription%20of%20rule%E2%80%9D%20you%20can%20input%20any%20string%20that%20would%20help%20you%20describe%20the%20mapping.%20For%20%E2%80%9CLabel%20Property%E2%80%9D%20this%20would%20be%20the%20custom%20metadata%20property%20specific%20to%20our%20use%20case.%20In%20the%20example%20above%20we%20have%20an%20MSIP_Label%20that%20is%20indicative%20of%20the%20label%20from%20Tenant%20A%20which%20is%20%E2%80%9Cx%E2%80%9D.%20Finally%2C%20we%20have%20the%20%E2%80%9Cmetadata%E2%80%9D%20and%20here%20we%20used%20%E2%80%9Ctrue%E2%80%9D%20in%20the%20example%20to%20denote%20the%20scenario%20when%20this%20label%20metadata%20is%20present%20in%20Tenant%20B.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThus%2C%20this%20label%20essentially%20allows%20us%20to%20go%20from%20one%20label%20in%20a%20tenant%20to%20another%20label%20in%20another%20tenant.%20There%20are%20other%20potential%20permutations%20of%20this%2C%20but%20we%20hope%20you%20understand%20how%20you%20can%20use%20this%20for%20your%20own%20use%20cases%20moving%20forward.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2376527%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20the%20Information%20Protection%20world%20there%20are%20several%20technologies%20customers%20could%20choose%20to%20deploy.%20Ultimately%2C%20decisions%20will%20also%20be%20made%20to%20migrate%20away%20from%20them%20to%20other%20vendor%20products.%20When%20this%20happens%2C%20customers%20generally%20want%20to%20maintain%20a%20mapping%20from%20the%20older%20labels%20to%20newer%20labels%2C%20ensuring%20that%20they%20can%20easily%20apply%20new%20labels%20without%20the%20need%20for%20additional%20manual%20work.%20We%20will%20walk%20through%20how%20to%20do%20this%20with%20AIP%20advanced%20settings.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2376527%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECloud%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EInformation%20Protection%20and%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20365%20Compliance%20Center%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%20Developers%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2382358%22%20slang%3D%22en-US%22%3ERe%3A%20Walkthrough%20for%20AIP%20labelByCustomProperties%20Advanced%20Feature%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2382358%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20guidance%20for%20migrating%20sensitivity%20labels%20with%20protection%20to%20another%20O365%20tenant%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎May 24 2021 09:02 AM
Updated by: