Azure Information Protection and Unified labeling

If you are working with Microsoft Information Protection (MIP) chances are you have heard the term Unified labeling. If you have been working with AIP, you have probably heard or seen references to activating unified labeling. 

Maybe you have even seen the option to activate Unified labeling or gone as far as to activate Unified labeling.
Click to enlarge picture

It may be clear to many of you, but just to explain: What we are talking about here is not a label type that is called unified label. We are talking about Office 365 sensitivity labels and more specifically activating the connection between Azure Information Protection labels and Office 365 sensitivity labels.
(Figure by P. E. Winther)

As of now Azure Information Protection labels and Office 365 sensitivity labels are fully compatible with each other but moving forward it seems clear that Microsoft will move their label configuration to the Office 365 portal and stop using the Azure portal for this. The feature list is getting more and more complete in the Office portal, but it is not yet quite there.

Sensitivity labels

So, what are these sensitivity labels and what are we gaining here? There seems to be a lot of information on how to get started, and how to configure rules etc. but not a lot of info on what it actually is and where it can be used. Microsoft have told us that sensitivity labels can be used across Office 365 services and SharePoint, but that seems vague. First of all, we will get this out of the way:
Office 365 sensitivity labels work in pretty much the same way as you are used to if you have been using Azure Information Protection labels. We can protect content, set watermarks and also have labels that just works as a “tag” for our data without adding any form of protection. What I was looking for was information about where these labels would appear and I thought I had found it when I saw this Where sensitivity labels can appear:

but that just tells us what subscription we need and how it appears in different Office clients. What I wanted to know was stuff like: Can I use it in SharePoint for instance? Will it replace IRM? Even though I, like many of you am a fairly decent Googler, I was unable to find this easily explained anywhere.

Sensitivity labels in SharePoint

First, just let me tell you that I am not a SharePoint consultant. I do not plan, configure or even use SharePoint much, but it is a question I get from my customers, so I kind of need to know a little about it. Previously (and until now) we have used IRM to set Rights Management protection on content in SharePoint, but with the new sensitivity labels I was hoping to be allowed to use them in SharePoint instead of IRM. Like how we use retention labels in SharePoint Online (Secure SharePoint Online sites and files) For those of you who followed Microsoft's MIP presentations on Ignite last year, this was something that was presented as "on it's way". I decided to check how this looks today (april 2019).

When we publish retention labels, we have this view:  

Allowing us to publish our (retention) labels to SharePoint sites. But when we want to publish sensitivity labels, we see this:

I was hoping we would have the same opportunities as with retention labels, but at least not yet.

After I had activated unified labeling and published my sensitivity labels for the first time, I tried to look for them by going to Library settings in SharePoint:

There, where we set retention labels to our lists and/or libraries, seemed like a logical place to add our sensitivity labels (to me at least): Apply label to items in this list or library:

 As mentioned over, this is where we apply retention labels to our content, and looking at the explanation here there has been no change:

So, it seems like we are still using this method: Protect SharePoint Online files with Azure Information Protection or the good old IRM setting. 

So, what do we actually gain by moving over to sensitivity labels?

I have asked this question before in other blog posts, and the answer hasn't changed: Right now? Not much. A different place to create our labels, some differences in how we create them and how we work with them, but if you are expecting a lot of new functionality, you might be disappointed. The best news as I see it is the possibility to use labels in the Android and iOS client. We even lack the ability to track and revoke our content (which is possible with classic AIP), so if that is a big feature for you, you will have to wait. But I still advice people who are starting out with information protection to do their configuration in the Office 365 portal and create sensitivity labels instead of the Azure portal. Not because it is a lot better in any way, but because Microsoft are moving the configuration to the Office portal and it will save you from having to do any extra work the day you move over.


Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label