Migrate labels from the Azure Portal to Office 365 Security & Compliance Center

For those of us who has done a lot of AIP work in the Azure Portal, or just want to move labels from the Azure portal to Unified labels in the Security & Compliance Center, this might help to do the actual migration.

First of all: Know that this should not be considered 100% production ready, there are some limitations to this (See previous blogpost here), and there are some requirements as well. Most notably you need to be using the correct clients. As of now you will have to use the Azure Information Protection unified labeling client for Windows which at the moment is in preview and can be found here: Azure Information Protection Unified Label client (Preview)

You can also use apps from the Office insiders’ program which is available for Office 365 subscribers. If this makes you think that this may not be quite mature yet, you could be right.
So, onto the migration. It is not what we would characterize as technically demanding, but I want to show you how the process works, and what the result will look like.
I start by logging into my tenant. This is a demo tenant that I have created from https://demos.microsoft.com and it has not been changed in any way, so it looks like this:

Labels in the Azure Portal

If I move over to the Security & Compliance portal, and look at Classifications and then Labels, it looks like this: 
The labels option under Classifications in SCC

Completely empty in other words. However, that is not what we are looking for now. We want to see that we have the “Sensitivity” tab in our portal, and as you can see: 

The Sensitivity tab

We do. This means that our tenant is ready for editing and publishing sensitivity labels. 

This link is supposed to open the Migration activation blade, but in my case I just saw this for a while:


I let this be and checked back after a little while. Now I see this: 
More waiting?

Seems familiar? I check the SCC portal, and see the same empty nothing. I give up trying to do this with a non-Microsoft browser, and try with Edge. This brings up the migration activation blade right away.

Activation blade

I am asked to confirm the activation, and as you can see: You cannot deactivate unified labeling after this is done:


And the activation starts.
Activation in Progress

As we can see, this can take a few minutes. In my case, with my default labels it went pretty fast. I am presented with a list of what is done:

The labels to migrate

A couple of warnings tell me that there are duplicate labels with different GUIDs detected. I go back to the SCC portal, and select refresh under the Sensitivity tab:

And what do you know? A list of labels has appeared.

Labels now visible in the SCC portal

I select the Publish labels button, and the “New sensitivity label policy” wizard appears.
Here we just select Next

Here we need to choose labels to publish. The amount of labels at the moment is 0.

0 labels are shown

So we choose to Add and our labels appear
The labels to migrate

Then select the labels you want to migrate and choose "Done" on the bottom of the page. You now have a last opportunity to Edit if you do not want all labels to be migrated. If not, select Next.  As you can see in the picture under, when the labels are published they will be available to specified users Office apps as well as SharePoint and Teams sites, and Office 365 Groups. Pretty cool huh?

Edit or just select Next

In the next step, we can select who the labels should be available for. Default is All, and here we will keep the default. 
Who should see the migrated labels?

The next one is interesting for several reasons. Here we have a couple of well-known options from the Azure Portal. We can choose to have a default label, mandatory label or require users to justify actions on their end. It is a great feature, but what licensing does this require? From what Microsoft have said it is not 100% decided yet, but we should expect it to be fairly consistent with the current model in that when labeling content in Office 365, you need Office 365 E3 for manual labeling and Office 365 E5 for automated labeling. And for other locations, Azure Information Protection P1 for manual labeling and Azure Information Protection P2 for automated labeling.
To use default labels or not. That is the question.

You will need to give the policy a name.

Our unified policy

When we have made all our choices we will see a summary of our selections and we can edit things like name and description.
Now our new unified policy is ready to use.

Our migrated policy
So, basically that is it. Now we have "migrated" our labels to the SCC portal. There will be some interesting changes in the coming months as all this move from previews and insider versions to GA versions of the software. One very interesting feature is the full labeling functionality built into Office without the need for a separate client. I will cover this more as we get closer to release.


Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label