Unified Labeling, and migration of labels to the Office 365 Security and Compliance center.

After Ignite, there has been some interest around changing the way we work with labels and protection. Many of us may want to to do our work in Office 365 Security & Compliance Center, which may seem to be where Microsoft is putting in their effort.



Note: Some of the content below is outdated. The Unified labeling client is GA (04.19), and other changes has been made. If you want to know more about unified labeling I suggest some of my newer blog posts.  

There has been a few questions about Unified labeling, and one I have received quite a few times is: Do we have to wait to get our labels and protection unified or can we do some sort of migration? The answer is: You can do a migration, sort of, and I will write a quick guide about how in a short while. Just be aware that there are some limitations and I will try to tell you a little about those in this blog post. 

There are also a lot of questions on licensing, and to be fair, at the moment it is kind of difficult to wrap our heads around. The latest info I have received says:

As we start using Office 365 SCC to work on our unified labels, we can label and protect content in Office 365 services, like SharePoint Online, OneDrive for Business and Exchange Online with Office 365 E3/E5 licenses. Seem confusing? When do we need the AIP/EMS licenses? Can we label stuff in SharePoint with just Office 365 licenses? Good question. It seems like it. BUT, it is also said that all MS clients that can apply labels and are in GA requires AIP P1\P2 licenses. Confused? You are not alone. For now let's just say that you can continue as before with the AIP P1/P2 and EMS E3/E5 licenses, but according to Microsoft we can expect some clarification on this point in the nearest month.

So what do we need to think about, and which limitations do we have, as we migrate our work to the Office 365 Security and Compliance portal?


First of all: Make sure you have the proper administrator roles. You may be using the Global admin account, and in that case, you’ll be fine, but know that you cannot use the Azure AD roles of Security Administrator and Information Protection Administrator. Instead you will need Compliance Administrator or Organization management role groups. 

There are also some other considerations:

  • Not all clients support Unified labels. If you are using anything other than the supported clients (The Azure Information protection UL client (Public preview), Apps from the Office Insiders program and clients from software vendor and developers that use the MIP SDK) be prepared to work both in the Azure portal and the Office 365 SCC portal.
  • Your policies, including policy settings and who has access to them (scoped policies) and all advanced client settings are NOT migrated and will have to be configured in SCC after the migration.

-         Other things that are supported in the Azure portal, but not in the SCC portal is: 

  • If you have disabled policies in the Azure Portal, that status will not be synchronized to the Office 365 SCC.
  • Label colors are not supported in the Office 365 SCC.
  • Protection using User-Defined permissions
  • Custom font and custom color by RGB code for your visual markings (Not a deal breaker for most of us I think.) 
So, if you, after reading this, still want to migrate your settings from the Azure Portal to the Office 365 Security & Compliance center, you may want to read my next blog post that will show a step-by-step migrationof labels and more. Should be published soon. Just working on some minor tweaks.

Comments

Popular posts from this blog

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label