Things you may want to consider as you “migrate” your AIP labels to sensitivity labels.

I have done a few posts on Unified labeling, and after reading this amazing blog post from Microsoft, I was left with a feeling that there was nothing more to say about Unified labeling. This post covered so much. Still, there are a couple of things you might want to consider before migrating your labels to sensitivity labels.

Explanation of the current Microsoft Information Protection landscape.

I do understand that people not used to working with information protection will be confused. Not that it used to be so straight forward either, but since we are at this stage we have not landed 100% in the new labeling solution, so we might have one leg in each camp so to speak.

We now have two different places to configure our labels:
  • The Azure Information Protection portal in Azure.
  • The Office 365 Portal (Security & Compliance) (or The Microsoft 365 Security Center and the Microsoft 365 Compliance Center).  
 We now have two different clients that we can install and use:
  •  The Azure Information Protection Client
  • The Azure Information Protection Unified Labeling Client

The clients can be downloaded here: Azure Information Protection clients and you would download the AzInfoProtection_UL.exe for Unified labeling or the AzInfoProtection.exe if you want the classic client.

I have tried to give you a visual representation of how the clients get their config in the drawing under.

The different services using Azure Information Protection service.
Of course, this drawing is not the correct view of the service and portals. It is just a way to show that both AIP and Office 365 sensitivity labels are using the AIP service to add protection to content. It also shows that since Unified Labeling has been enabled, the things you do in either portal will be visible and available for publishing in the other. The client you have installed will decide where the configuration is collected from. Office 365 Message Encryption, however, does not need a separate client, but can be found integrated into for instance the Outlook App if you have the needed license. (E3 and above). (New Email → Options → Encrypt)

So, what do we need to know?

First of all: There is a lot of work going on by Microsoft when it comes to Information Protection. They are getting new features into the Office 365 portal and when they reach feature parity the AIP portal will be removed. (Know that feature parity does not mean that they will get exactly the same features in the new portal.)

The Unified labeling client is no longer in preview, the configuration of labels in The Office 365 portal is smooth and flexible, and a lot of the features that were available in the Azure Information Protection part of the Azure portal can now be configured in the Office 365 portal.

So, the question is: Are there any reasons not to migrate? And the answer is no. There are no reasons not to migrate. Why, you ask? No matter what kind of scenario I have in my AIP setup? Well, the answer is simple: You can migrate your labels and still continue working in the AIP portal. The work you do will be visible in the Office 365 portal, and you can create label policies in the new portal and publish the labels you create in the AIP portal. Also, you can use a mix of the classic client and the unified labeling client if you like, although it means you will work in two portals. The classic client gets the config from the Azure portal, while the UL client gets config from the Office 365 portal.
And here we are near the purpose of this blog.

Why would you still want to do work in the AIP portal?

Isn’t the Office 365 portal with sensitivity labels the place to work now? The more modern and flexible solution? Yes, in many ways it is. But as of august 2019 there are still a few things that is missing and some of these are not planned to be in the UL client. The list from the aforementioned blog post:

Features not planned to be in the Azure Information Protection unified labeling client

Although the Azure Information Protection unified labeling client is still under development, the following features and behavior differences from the classic client are not currently planned to be available in future releases for the unified labeling client:

•    Support Office apps for disconnected computers with manual policy file management
•    Custom permissions as a separate option that users can select in Office apps: Word, Excel, and PowerPoint
•    Track and revoke from Office apps and File Explorer
•    Information Protection bar title and tooltip
•    Protection-only mode (no labels) using templates
•    Protect PDF document as .ppdf format
•    Display the Do Not Forward button in Outlook
•    Demo policy
•    Justification for removing protection
•    Confirmation prompt Do you want to delete this label? for users when you don't use the policy setting for justification
•    Label an Office document by using an existing custom property (SyncPropertyName and SyncPropertyState advanced client settings)
•    Separate PowerShell cmdlets to connect to a Rights Management service

So, what is important here? That depends on your current setup. The things I have heard the most from my customers are the missing track and revoke from Office apps and File Explorer. Also, even though this is a feature that is planned for the Office 365 portal soon:  Azure Information Protection Scanner.

Track and revoke

This has been a selling feature for me. When I have talked about AIP, I have always used the track and revoke feature to show how we can gain insight into how our shared files are being accessed, from where they are being accessed, and by whom. Also, it has been a great way to see if someone is trying to access our content without permission. The option to revoke access, either instantly or after a defined amount of time has also been pretty cool.

And yes, it is true: You cannot use the track and revoke feature with the Unified labeling client. This feature is only available in the AIP client, and if this feature is important to you, know that it is not planned for the Unified client as of now.

What does this mean? Will I be unable to track the usage of my shared documents? At this moment yes. Microsoft has told us they are working on a new track and revoke portal, but there is no ETA at the moment.

The AIP Scanner

The AIP scanner is not yet available, but it is planned, and Microsoft says it is coming soon. No date is set, so if you are using the AIP scanner today, you still need the AIP portal. (Edit: It is now in public preview as of 09.19. Read more here: Unified labeling AIP scanner preview brings scaling out and more! )


This is mentioned in the list above, but justification is listed as a feature in the Unified Labeling client Version 2.0.778.0. I need to test this.



Of course, there could be other things that is important to you, but that could be different from company to company. Just be aware that Microsoft are working on adding the missing features to the UL client/Sensitivity labels. They may not be exactly as they have been before, but we expect feature parity before they remove the AIP option from the Azure portal.

In the meantime, you can activate Unified labeling, and publish some policies to see how it works. You can install the Unified Labeling client on one or more computers and still keep using classic on others so as to not disrupt any of the users while you test.


Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label