GCC-H AIP Manual Migration

Azure Information Protection (AIP) unified labeling in Microsoft 365 provides organizations an integrated and consistent approach to creating, configuring, and applying labels and policies to protect information worker data across all locations. Workloads that can leverage unified labeling such as AIP unified labeling client and scanner, Office 365 apps, Office for web, SharePoint, OneDrive, MCAS and many more can apply these policies in a consistent manner. The AIP classic client and label management in the AIP Portal will be deprecated for sovereign clouds on September 30, 2021, therefore it is highly encouraged that administrators move their environment to unified labeling.

 

AIP unified labeling is generally available to Government Community Cloud High (GCC-H) environments and this release brings data discovery, classification, and protection capabilities to government Microsoft 365 instances.  

 

Activating unified labeling for GCC-H is quite different from commercial and regular GCC environments. Commercial and regular GCC environments require administrators to navigate to the AIP blade in the Azure Portal to activate unified labeling. “Activating unified labeling” is not relevant to GCC-H tenants. All GCC-H tenants are already enabled for unified labeling; therefore, this step is not required.

 

Once unified labeling is enabled, commercial and GCC clouds can migrate their AIP classic client labels directly to the Security and Compliance Center, whereas this is not applicable to GCC-H tenants. GCC-H tenants require a manual migration of their AIP labels and protection templates to the Security and Compliance Center.  

 

The benefits of migrating your labels from one portal to the next provides continuity and consistency of labels from your AIP classic environment to your Microsoft Information Protection ecosystem. Ideally, your end users will be using the same label name, label template and (optionally) protection template.

 

This blog gives an end-to-end use case example on how a GCC-H admin can migrate their parent label and sublabel with its corresponding protection template from the AIP Portal to the Security and Compliance Center. Additional information about label migration can be found in our official documentation.

 

Note: For new GCC-H tenants, label migration is not applicable. Please create new labels directly in the Security and Compliance Center.

 

Label Migration at a High Level

 

At a high level, below are the following steps to migrate AIP labels from the AIP Portal to the Security and Compliance Center:

 

1. Retrieve label(s) properties from the AIP Portal
2. Migrate label(s) from the AIP Classic Portal to the Security Compliance Center
3. Verify labels has been migrated to the Security and Compliance Center

Retrieve Label Properties from the AIP Portal

 

In this exercise, we will be migrating the parent label “Highly Confidential” with its corresponding sub label “All Employees”. First, we will retrieve the label properties and settings from the AIP Portal.

 

Note: When doing this exercise, administrators can retrieve all labels policies at one time.

 

Instructions:

1. Navigate to the AIP Management Page within the Azure Portal
2. Under Classifications, select “Labels”
3. Select the parent label that you want to migrate. In this example we are migrating the label “Highly Confidential”

 

Figure 1: Selecting parent label to migrate

 

4. Document parent label properties and settings using a spreadsheet, notepad, etc. This information will be used later in PowerShell

Figure 2: Parent label properties and settings

 

Parent Label Property	Value
Name (internal name; must be unique)	Highly Confidential
Tooltip	Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.
Display Name (displayed to end users)	Highly Confidential
Identity	06960349-c5b2-465e-8d31-1652e5969da4
Parent ID
EncryptionEnabled
EncryptionProtectionType
EncryptionTemplateId
EncryptionAipTemplateScopes

Table 1: Parent label settings and properties

 

5. Under Classifications, select “Labels” again
6. Select the sub label that you want to migrate. In this example we are migrating sub label “All Employees”

 

Figure 3: Selecting sub label to migrate

 

7. Document sub label properties and settings using a spreadsheet, notepad, etc. This information will be used later for PowerShell

 

 

Figure 4: Sub label properties and settings

 

8. (Optional) If your sub label has encryption, you will need to get the protection ID. Select Protection in your sub label properties.  

 

Figure 5: Sub label protection selection

 

 

9. (Optional) Document sub label protection template ID using a spreadsheet, notepad, etc. This information will be used later for PowerShell.

 

Figure 5: Sub label protection template ID

 

Sub Label Property	Value
Name (internal name; must be unique)	All Employees
Tooltip	Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.
Display Name (displayed to end users)	All Employees
Identity	d90363e7-f9a6-43b6-b83f-ac66df2c3c01
Parent ID	06960349-c5b2-465e-8d31-1652e5969da4
EncryptionEnabled	True
EncryptionProtectionType	Template
EncryptionTemplateId	19989161-dacd-409c-ab97-48d1433e1de7
EncryptionAipTemplateScopes	allcompany@contoso.onmicrosoft.com

Table 2: Parent label settings and properties

 

Migrate AIP Labels to the Security and Compliance Center

 

In this section, we will be connecting to the Security and Compliance Center PowerShell module to migrate our AIP labels to the new management portal. 

 

1. Open PowerShell in administrative mode
2. Import Security and Compliance PowerShell Module

 

Import-Module ExchangeOnlineManagement

 

3. Connect to Security and Compliance Center for GCC-H

 

Connect-IPPSSession -UserPrincipalName -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/

 

Example:

 

Connect-IPPSSession -admin@contoso.onmicrosoft.com -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/

 

4. Migrate parent Label from Azure Portal to Security and Compliance Center using ‘New-Label’ cmdlt in PowerShell  

 

New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113'

 

Example: Migrate parent label “Highly Confidential” from Azure Portal to Compliance Center using the parent label properties.

 

Parent Label Property	Value
Name (internal name; must be unique)	Highly Confidential
Tooltip	Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.
Comment	Highly Confidential Parent Label
Display Name (displayed to end users)	Highly Confidential
Identity	06960349-c5b2-465e-8d31-1652e5969da4
Parent ID
EncryptionEnabled
EncryptionProtectionType
EncryptionTemplateId
EncryptionAipTemplateScopes

 

New-Label -Name 'Highly Confidential' -Tooltip 'Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.' -Comment 'High Confidential Parent Label' -DisplayName 'Highly Confidential' -Identity ‘06960349-c5b2-465e-8d31-1652e5969da4'

 

5. Migrate sub label from Azure Portal to Security and Compliance Center using ‘New-Label’ cmdlt in PowerShell

 

New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId 'a32027d7-ea77-4ba8-b2a9-7101a4e44d89' -EncryptionAipTemplateScopes "['allcompany@labelaction.onmicrosoft.com','admin@labelaction.onmicrosoft.com']"

 

Example: Migrate sub label “All Employees” from Azure Portal to Compliance Center using the sub label properties.

 

Property	Value
Name (internal name; must be unique)	All Employees
Tooltip	Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.
Comment	Highly Confidential All Employees sub label
Display Name (displayed to end users)	All Employees
Identity	d90363e7-f9a6-43b6-b83f-ac66df2c3c01
ParentID	06960349-c5b2-465e-8d31-1652e5969da4
EncryptionEnabled	True
EncryptionProtectionType	Template
EncryptionTemplateId	19989161-dacd-409c-ab97-48d1433e1de7
EncryptionAipTemplateScopes	contoso@contoso.onmicrosoft.com

 

New-Label -Name 'Highly Confidential All Employees' -Tooltip ' Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.' -Comment 'Highly Confidential All Employees sub label' -DisplayName 'All Employees' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113'-ParentId ‘06960349-c5b2-465e-8d31-1652e5969da4’ -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId ‘19989161-dacd-409c-ab97-48d1433e1de7' -EncryptionAipTemplateScopes "['allcompany@contoso.onmicrosoft.com']"

 

 

Verify labels has been migrated to the Security and Compliance Center

 

Finally, we will verify that our labels have been migrated from the AIP Portal by navigating to the new label management portal, the Security and Compliance Center.

 

1. Sign in to the Security and Compliance Center for GCC-H
2. Go to your Information Protection tab
3. Verify your new labels has been created

 

Figure 6: Security and Compliance Center label management

 

Note: Policies are not migrated from the AIP Portal to the Security and Compliance Center. Administrators will have to create new label policies in the Security and Compliance Center.  

 

Sunsetting Label Management in the Azure Portal and AIP client (classic)

 

We have a plan to sunset label management in Azure Portal and AIP client (classic) for Government Cloud Customers.  Meanwhile, Government Cloud Customers who own licenses for AIP will receive continued support for the classic client for 12 months after the general availability of unified labeling for Government Cloud. Government Cloud Customers who may need features that are not yet in the latest release of the unified labeling client can ask for additional extended support for the classic client here before September 30, 2021.

 

Azure Information Protection's classic client and Label Management in the Azure Portal will be deprecated on September 30, 2021 for Government Community Cloud customers. For information on admin experience post deprecation date, check out this blog.

 

Note: AIP UL scanner management will still be available on AIP portal and will not be deprecated.