Azure Information Protection client and portal confusion

As many of you know, there are now two places to create labels (Azure Portal and Office 365 Security portal), and we also have two different AIP clients. One client for each portal, really: one of them is the good old AIP client that we know from earlier, and the other is the AIP client with Unified Labeling.

Update: The Unified Labeling client is now GA which should be considered when reading this post. (04.19)

Also, as many of you know, only the regular AIP client is in general availability, while the Unified labeling client is currently in public preview. 

The clients can be found here: 
Azure Information Protection Client  
Azure Information Protection unified labeling client (PREVIEW)

If you are a little confused by this, you are not alone. Many of the customers I talk to are uncertain about what to do with the Unified Labeling plan for AIP. I will use this blog post to try to explain my thoughts about this.

If you want more information about migrating to Unified labels, know that there are limitations. See my previous blog post about this: Unified labeling and migration

First of all: Unified labels? AIP labels? Sensitivity labels? What are the differences?

Since you are here, I suspect you already know, but I will try to give a short explanation for those of you who are new to this. AIP labels and Sensitivity labels are ways to classify and protect your data, either automatically or manually. By classify and protect I mean that we create labels that we can apply to our content and those labels can contain protection settings (who can read?, what can they do to the content? etc.), and it can contain ways to apply content markings (watermark or header/footer etc.). My other blog posts go more into details about this. 

Unified labels are something that became necessary as Microsoft gave us the opportunity to create and configure labels in the Office 365 portal as well as the Azure portal. That led to situations where we could have configured labels in two places, and they did not “know about each other”, and this could create some confusion. Unifying the labels basically means that these labels are now “aware” of each other and the settings we configure in one portal are “synchronized” to the other. This makes it possible for us to publish the settings we created in one of the portals to users of the other. Which labels we receive depends on the client we use. To use labels from the AIP portal (in Azure), we use the classic AIP client (AzInfoProtection.exe), and to use labels from the Office 365 portal we use the UL (Unified labeling) client (AzInfoProtection_UL.exe).

So why not just start working in the Office 365 portal, you ask? Do you really need to activate unified labels? Well, no. You don’t have to. But it is still recommended. One of the reasons is that the AIP scanner currently only works with the classic AIP client, so if you want to use rules created in the Office 365 portal, you need to have unification activated so that the scanner can reach the policies.

This, and more, will be available for the new client in the time to come, and the sensitivity labels will be integrated into more and more services as time passes. You will be able to use the sensitivity labels on your libraries in SharePoint Online, for instance, and you can find them when you are creating DLP rules in Office 365 (you can do that with AIP labels as well, with a little work). You may have noticed the retention labels and seen how they can be applied to different stuff in SharePoint Online and Office 365. Now, we also have Sensitivity labels.

Sensitivity and Retention labels in Office 365 Security portal

Should you use the Azure portal, or Office 365 Security portal? 

If you are just now starting your AIP setup, and you will be using labels in your Office apps and SharePoint, for instance, I would suggest starting with sensitivity labels in the Office 365 portal. But what if you have already started? There really is no easy answer to that. It all depends on a few things, and Microsoft has a great guide for this here: Choose which Azure Information Protection client to use. But many people still find it difficult to find answers to a few things:
  • Why should I activate/migrate my labels to Unified labels?
  • Why should I not activate/migrate my labels to Unified labels?
  • Where should I create my labels?
  • What client should I use?

Why should I activate/migrate my labels to Unified labels?

Not sure that you should, really. The activation, or migration if you will, is still in preview, and so is the unified labeling client. But if you are keen to find out how Unified labels work, and how the client differs from the AIP client, you can migrate. The same goes if you have a demo/lab setup where you want to play around with the settings. Also, it depends on your current environment. If you have Mac clients, or want to use labeling on Android or iOS, that could be another reason to activate Unified labels.

Why should I not activate/migrate my labels to Unified labels?

  • Well, again, even though Unified labels are GA, the migration process and the Unified labeling client are not. They are still in preview.
  • You have a lot of custom permissions in your AIP labels.
  • You have a lot of scoped policies. (You can fix this after you have migrated, but scoping will disappear when you migrate.)  
  • You love the track and revocation feature. This is currently missing from the UL client.

What if I have done a lot of work with AIP already?

This is the more difficult scenario. Licenses are in place. The users may have been trained to use the AIP client, and they are familiar with the client as it is today. Why would you want to activate/migrate the labels to unified? In that scenario, unless you have Mac clients/Android/iOS users that want to start using labels, I would continue to use the AIP portal until something pops up that gives them advantages with Unified labels. But you should also know that when you one day decide to migrate to Unified labels, you may lose a few things from your configuration.

And you could also migrate and still use the AIP client/Azure Portal. The AIP Client will collect its settings from the Azure Portal and you can basically go on with it as you have done before. The labels will be synced to the Office portal, and you can choose to publish them there if you like.
And again, as we have mentioned above, the migration itself is still in preview, so unless you want to do work in the Office portal, maybe you just want to wait and see. 


What if I have invested in licenses like EM+S E5 or AIP P2 mainly to use AIP?

Kind of the same as above. You can wait and see. Unified labeling is not for every scenario at the moment. What I mean by that is that although you can use the Unified labeling client, and see your sensitivity labels all across Office, there are still advantages with the AIP client and the Azure portal. Again, Microsoft has great documentation of this here: Considerations for unified labels

Where should I create my labels?

There really isn’t one single answer for this, but I will try to give a few tips for when to use what. Let’s look at a couple of scenarios:

I have not activated/migrated my labels to Unified labels.

If you have not migrated your labels yet, Microsoft recommends that you do not start creating your labels in the Office 365 Security portal.

I have activated/migrated my labels to Unified labels.

If you have migrated your labels to Unified labels and can see them in the Office 365 Security portal, we have (at least) two scenarios:

a. If you want to use the Unified labeling client even though it is still in preview:
   You can create labels in the Office 365 Security portal, and since you have a client that supports unified labels you should see them as soon as you have published the settings. (You may have to restart Office to make them appear.)

b. If you want to wait with the unified labeling client, and prefer to use the AIP client that is GA:
   If you have migrated, but still want to use the AIP client that is not in preview, you can still create stuff in the Office 365 Security portal, and then the settings will be synchronized to the Azure Portal. You will have to publish the label, which you do from the AIP Unified labeling blade.
Publish your Unified label in the Azure Portal

This also works the other way around (although the same limitations as with the migration itself apply).

Now, what if you are using both the unified labeling client and the classic client? You can then choose which portal you want to work in, but remember what we talked about above in b. The unified labels need to be published in the Azure portal.

So, what client should I use?

As you can see, many of the questions asked above will help answer this question. First of all: the unified labeling client is in public preview, so strictly speaking we should use the regular AIP client for our production environments. That is the only client that is GA at the moment. But if you are the kind of person who feels adventurous, you may still want to use one of the preview clients. I can tell you from experience that in most cases you will be fine, but know that they are not always bug-free.
If you have invested in AIP licenses, and you want to continue to work in the Azure portal, keep using the AIP client. Know also that Microsoft are working on native support for sensitivity labels in their Office apps. This means we will no longer need to install the Unified labeling client.


Still confused? 

I hope this was a little helpful at least. Hopefully Microsoft will come with more information as they continue to evolve and improve AIP. No matter what you choose, I still recommend getting started with AIP as soon as possible, if you have not started already. There are many benefits with securing your information, and you can save yourself and your users from putting the company’s info in danger.

