
Blog | 7-minute Read

How and why to move to Azure Information Protection (AIP) unified labeling

David Guest

Solution Architect & Technology Evangelist

Published: 06 July 2020

Streamlined document classification and label management – here’s how AIP is evolving to better control and protect your files.

Azure Information Protection is changing.

When AIP was first released in June 2016, it was based on the technology acquired when the purchase of Secure Islands took place in 2015. This was then integrated with Azure and RMS and deployed as part of the EMS suite.

Since then, there have been many changes within AIP, with a bigger change on the way when the classic AIP client and portal will be deactivated in March 2021.

This change is due to the introduction of new unified labeling (UL) capabilities.

This blog will cover these changes and look to the future of AIP with unified labeling and what needs to happen for a smooth migration from the older version to the unified future.


What does Azure Information Protection (AIP) do?

As a reminder, Azure Information Protection allows for the classification and labeling of unstructured documents.

Think of it as the digital equivalent of applying a stamp to a physical file to inform the user of the sensitivity of the contents.

In Word, for example, the AIP toolbar appears at the top of the document.

Once a classification and sensitivity label has been assigned it will appear in the ‘Properties’ section of the file.

Because the sensitivity is held as part of the document (whether that’s Word, PowerPoint, Excel or email message), it can be used as part of a set of security controls.

So, if a user tries to send a sensitive email outside of the organisation, it can be blocked – or an advisory message can be sent to the user or admin.

When a classified document is saved to a SharePoint location, the system can tell if it has been misfiled and report appropriately.

By adding the correct label, we can gain more control over what happens to it. If we add encryption to protect the file, then we are sealing it against inadvertent opening.

If we think about what we want to control based on what classification the file has, things become easier.

Using AIP to label the file allows the other Microsoft tools to work together to help with data protection compliance – whether that be GDPR or some other regulation.

Tools like Data Loss Prevention (DLP) or Cloud App Security, operating in conjunction with the Security and Compliance tools, go a long way to ensuring that sensitive data is kept as secure as possible.

What’s changed in AIP?

In the past four years, many elements of AIP have changed.

Once upon a time, AIP could only be applied through apps running on Windows. Now, sensitivity labels can be applied to documents using Office on Windows, Mac, Android, iOS and iPadOS.

AIP functionality is also now available within the browser-based versions too.

When the AIP client was first introduced, a new icon was added to the Office ribbon. This was identified as “Protect” and showed a blue padlock.

The labeling functionality is now built into the Office applications as standard and does not require any additional software to be installed.

The new icon is a stamp and is identified as “Sensitivity”. This better reflects the function as not all documents that are labelled require protection.

The latest versions of Office for Windows include this sensitivity functionality, and it will appear as soon as any labels have been defined, though this does require the user to have the Click-To-Run installation dated 1909 or later.

The labeling bar that appears above the document is still there and allows a user to choose the relevant sensitivity of a document.

Labels can be assigned automatically to a document based on specific content being found.

A recommended label can even be suggested to the user, again based on the content of the document.

Managing AIP labels

So far so good: the functionality matches up well. In fact, it is now easier to get users to start labelling documents, as there is no requirement to install any additional software.

The main change lies with how the labels themselves are managed. With the older AIP, administration was handled by the AIP blade within the Azure portal.

This had separate blades for labels and for the policies that published the labels to specific sets of users.

These functions have now been moved to the Security and Compliance portal.

Under the ‘Classification’ heading there is a section for ‘Sensitivity labels’ and this is used to configure the label and the publication policy.

The labels are very similar and are configured individually. Sub-labels are created by clicking on the ellipsis to the right of the top-level label.

Once the labels have been configured, they must be published to the relevant users. This is done using the ‘Label policies’ tab on the same page. This is where the first big difference comes in.

How to move to unified labeling in AIP

With the older AIP publication, a label could only be associated with one policy.

This meant that the publication of multiple labels to multiple sets of users could become complicated.

With unified labeling (UL) a single label can be associated with multiple policies.

This means that the publication policy for each user set includes all of the relevant labels required, rather than having to be constructed by adding labels to global and scoped policies.
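The post describes the label and policy steps in the Security and Compliance portal. The same configuration can be scripted with the Security and Compliance PowerShell cmdlets (Connect-IPPSSession, New-Label, New-LabelPolicy, Get-Label and Get-LabelPolicy from the ExchangeOnlineManagement module). The script below is an added example, not code from the post or from Microsoft: it creates a top-level label with one sub-label and then publishes the top-level label through two different policies, which is exactly the one-label-to-many-policies association that unified labeling allows and classic AIP did not. The label names, the admin UPN and the Finance mailbox address are placeholders.

```powershell
# Added example (not from the post). Requires the ExchangeOnlineManagement module:
#   Install-Module ExchangeOnlineManagement
# Connect to Security & Compliance PowerShell (placeholder UPN).
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# 1. Top-level label. Name, DisplayName and Tooltip are all required.
New-Label -Name 'Confidential' `
          -DisplayName 'Confidential' `
          -Tooltip 'Business data that could cause harm if shared outside the organisation'

# 2. Sub-label, nested under the top-level label via -ParentId
#    (the portal equivalent is the ellipsis to the right of the top-level label).
New-Label -Name 'Confidential-Internal' `
          -DisplayName 'Internal Only' `
          -Tooltip 'Confidential data that must stay inside the organisation' `
          -ParentId 'Confidential'

# 3. Publish. Under unified labeling the same label may appear in more than one
#    policy, so a broad policy and a narrower one can both carry 'Confidential'
#    without building it from separate global and scoped policies.
New-LabelPolicy -Name 'All staff labels' `
                -Labels 'Confidential', 'Confidential-Internal' `
                -ExchangeLocation All

New-LabelPolicy -Name 'Finance labels' `
                -Labels 'Confidential' `
                -ExchangeLocation 'finance@contoso.example'   # placeholder mailbox

# 4. Verify the label hierarchy and which policies publish which labels.
Get-Label | Format-Table Name, DisplayName, ParentId, Priority
Get-LabelPolicy | Select-Object Name, Labels
```

Run this against a test tenant first: label and policy creation is tenant-wide, and a published label shows up for the scoped users within a short time, so the verification step at the end is worth reading before moving on to the production tenant.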

The migration from AIP to UL is handled in the Azure portal from within the AIP blade.

In the AIP blade, once the labels have been copied to UL by clicking on the ‘Activate’ option, that option is shown greyed out.

The option to copy the current publication policies has now been added as a preview function.

But if you have a complex label structure within your previous AIP configuration, it may be simpler to re-create the required policies within the new label policies.

The new unified labels work well and many of the old AIP functions are fully supported by the new system.

What’s not currently supported in unified labeling?

There is some functionality not currently supported in UL. If these are particularly important to an organisation, then the move to UL may have to be postponed.

The functions that are missing are:

Hold Your Own Key

Hold Your Own Key (HYOK) is a feature that enables an organisation to protect data in a way where they hold the encryption key.

HYOK has the organisation operating its own AD, its own RMS server, and its own HSMs for key retention. With this in place, the only keys that can be used to decrypt each document are owned and managed by the organisation.

This functionality is not widely used so should not cause too much concern with the migration.

Track and Revoke

Track and Revoke is a function that uses the document protection functions to allow a user to track who has accessed a protected file. If necessary, a user can also revoke access to these documents if people should no longer be able to read them.

This is all accomplished from the document tracking site which can be accessed from Windows computers, Mac computers, and even from tablets and phones. Before it can be tracked and access revoked the functionality must be enabled within the document.

The Track and Revoke functionality is not currently available within the UL implementation but is expected to be released shortly.

Windows event log support

The classic AIP client logs user activity to the local Windows event log, specifically under Applications and Services Logs > Azure Information Protection. This functionality is removed with the newer UL client.
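Because this local log disappears with the UL client, it is worth checking, before migration, whether any host actually depends on it (for example a SIEM agent collecting it) and keeping an export of what is there. The script below is an added example, not from the post: it looks for the log, summarises the last 30 days of events by event ID, and writes a CSV copy. The log channel name is assumed from the path the post gives; verify it with Get-WinEvent -ListLog * on a machine running the classic client.

```powershell
# Added example (not from the post). Run on a workstation with the classic AIP client.
function Get-ClassicAipEventSummary {
    param(
        # Assumed channel name, taken from the path given in the post.
        [string]$LogName = 'Azure Information Protection',
        [int]$Days = 30,
        [string]$ExportPath = "$env:TEMP\classic-aip-events.csv"
    )

    # Does the log exist at all on this host?
    $log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Log '$LogName' not found: nothing to carry over on this host."
        return $null
    }

    # Pull the recent records; an empty log returns nothing rather than an error.
    $since  = (Get-Date).AddDays(-$Days)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                             -ErrorAction SilentlyContinue)

    # Keep a copy before the classic client is retired.
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Export-Csv -Path $ExportPath -NoTypeInformation

    # Summary by event ID tells you which activities the log was recording.
    $summary = $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count

    [pscustomobject]@{
        LogName     = $LogName
        RecordCount = $log.RecordCount
        LastDays    = $Days
        EventsFound = $events.Count
        ExportPath  = $ExportPath
        ByEventId   = $summary
    }
}

$result = Get-ClassicAipEventSummary
$result | Format-List
$result.ByEventId | Format-Table
```

If the summary shows the log being populated on a host, record which downstream collector reads it so that the gap can be covered after the UL client is deployed.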

Conclusion

The AIP classic client and portal will be turned off at the end of March 2021.

Before then the newer unified labeling should have been configured, tested and be ready to roll out to the user population.

If you are not going to be ready to do this, then contact Microsoft and register for extended support so that you can continue to operate correctly.

Key takeaways

  • Classic AIP comes to an end in March 2021.

  • You should begin testing and configuring unified labeling.

  • Unified labeling in AIP will make classifying and controlling documents much easier.

  • Check what’s not currently supported in case it’s functionality you need support to carry over.


Author

David Guest

Solution Architect & Technology Evangelist

David is responsible for developing identity, Microsoft 365 security, and other cloud service solutions – and keeping our clients abreast of the latest technology trends.
