How to migrate Azure Information Protection labels to unified sensitivity labels

Applies to: Azure Information Protection, Office 365

Relevant for Azure Information Protection clients for Windows

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. While the classic client continues to work as configured, no further support is provided, and maintenance versions will no longer be released for the classic client.

We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent deprecation blog.

Migrate Azure Information Protection labels to the unified labeling platform so that you can use them as sensitivity labels by clients and services that support unified labeling.

Note

If your Azure Information Protection subscription is fairly new, you might not need to migrate labels because your tenant is already on the unified labeling platform. For more information, see How can I determine if my tenant is on the unified labeling platform?

After you migrate your labels, you won't see any difference with the Azure Information Protection classic client, because this client continues to download the labels with the Azure Information Protection policy from the Azure portal. However, you can now use the labels with the Azure Information Protection unified labeling client and other clients and services that use sensitivity labels.

Before you read the instructions to migrate your labels, you might find the following frequently asked questions useful:

Administrative roles that support the unified labeling platform

If you use admin roles for delegated administration in your organization, you might need to do some changes for the unified labeling platform:

The Azure AD role of Azure Information Protection administrator (formerly Information Protection administrator) is not supported by the unified labeling platform. If this administrative role is used in your organization to manage Azure Information Protection, add the users who have this role to the Azure AD roles of Compliance administrator, Compliance data administrator, or Security administrator. If you need help with this step, see Give users access to the Microsoft 365 Security & Compliance Center. You can also assign these roles in the Azure AD portal and the Microsoft 365 compliance center.

Alternatively to using roles, in the Microsoft 365 compliance center, you can create a new role group for these users and add either Sensitivity Label Administrator or Organization Configuration roles to this group.

If you do not give these users access to the Microsoft 365 compliance center by using one of these configurations, they won't be able to configure Azure Information Protection in the Azure portal after your labels are migrated.

Global administrators for your tenant can continue to manage labels and policies in both the Azure portal and the Microsoft 365 compliance center after your labels are migrated.

Before you begin

Label migration has many benefits, but is irreversible. Before you migrate, make sure that you are aware of the following changes and considerations:

Client support for unified labeling

Make sure that you have clients that support unified labels and if necessary, be prepared for administration in both the Azure portal (for clients that don't support unified labels) and the Microsoft 365 compliance center (for client that do support unified labels).

Policy configuration

Policies, including policy settings and who has access to them (scoped policies), and all advanced client settings are not migrated. Your options to configure these settings after your label migration include the following:

Important

Not all settings from a migrated label are supported by the Microsoft 365 compliance center. Use the table in the Label settings that are not supported in the Microsoft 365 compliance center section to help you identify these settings and the recommended course of action.

Protection templates

  • Templates that use a cloud-based key and that are part of a label configuration are also migrated with the label. Other protection templates are not migrated.

  • If you have labels that are configured for a predefined template, edit these labels and select the Set permissions option to configure the same protection settings that you had in your template. Labels with predefined templates will not block label migration but this label configuration is not supported in the Microsoft 365 compliance center.

    Tip

    To help you reconfigure these labels, you might find it useful to have two browser windows: One window in which you select the Edit Template button for the label to view the protection settings, and the other window to configure the same settings when you select Set permissions.

  • After a label with cloud-based protection settings has been migrated, the resulting scope of the protection template is the scoped that is defined in the Azure portal (or by using the AIPService PowerShell module) and the scope that is defined in theMicrosoft 365 compliance center.

Display names

For each label, the Azure portal displays only the label display name, which you can edit. Users see this label name in their apps.

The Microsoft 365 compliance center shows both this display name for a label, and the label name. The label name is the initial name that you specify when the label is first created and this property is used by the back-end service for identification purposes. When you migrate your labels, the display name remains the same and the label name is renamed to the label ID from the Azure portal.

Conflicting display names

Before migrating, ensure that you would not have conflicting display names after migration is complete. Display names in the same place in the labeling hierarchy must be unique.

For example, consider the following list of labels:

  • Public
  • General
  • Confidential
    • Confidential\HR
    • Confidential\Finance
  • Secret
    • Secret\HR
    • Secret\Finance

In this list, Public, General, Confidential, and Secret are all parent labels, and cannot have duplicate names. Additionally, Confidential\HR and Confidential\Finance are at the same place in the hierarchy, and also cannot have duplicate names.

However, sub-labels across different parents, such as Confidential\HR and Secret\HR are not at the same place in the hierarchy, and therefore can have the same individual names.

Localized strings in labels

Any localized strings for the labels are not migrated. Define new localized strings for the migrated labels by using Office 365 Security & Compliance PowerShell and the LocaleSettings parameter for Set-Label.

Editing migrated labels in the Microsoft 365 compliance center

After the migration, when you edit a migrated label in the Azure portal, the same change is automatically reflected in the Microsoft 365 compliance center.

However, when you edit a migrated label in the Microsoft 365 compliance center, you must return to the Azure portal, Azure Information Protection - Unified labeling pane, and select Publish.

This additional action is needed for the Azure Information Protection clients (classic) to pick up the label changes.

Label settings that are not supported in the Microsoft 365 compliance center

Use the following table to identify which configuration settings of a migrated label are not supported by the Microsoft 365 compliance center. If you have labels with these settings, when the migration is complete, use the administration guidance in the final column before you publish your labels in the Microsoft 365 compliance center.

If you are not sure how your labels are configured, view their settings in the Azure portal. If you need help with this step, see Configuring the Azure Information Protection policy.

Azure Information Protection clients (classic) can use all label settings listed without any problems because they continue to download the labels from the Azure portal.

Label configuration Supported by unified labeling clients Guidance for the Microsoft 365 compliance center
Status of enabled or disabled

This status is not synchronized to the Microsoft 365 compliance center
Not applicable The equivalent is whether the label is published or not.
Label color that you select from list or specify by using RGB code Yes No configuration option for label colors. Instead, you can configure label colors in the Azure portal or use PowerShell.
Cloud-based protection or HYOK-based protection using a predefined template No No configuration option for predefined templates. We do not recommend you publish a label with this configuration.
Cloud-based protection using user-defined permissions for Word, Excel, and PowerPoint Yes The Microsoft 365 compliance center supports a configuration option for user-defined permissions.

If you publish a label with this configuration, check the results of applying the label from the following table.
HYOK-based protection using user-defined permissions for Outlook (Do Not Forward) No No configuration option for HYOK. We do not recommend you publish a label with this configuration. If you do, the results of applying the label are listed in the following table.
Custom font name, size, and custom font color by RGB code for visual markings (header, footer, watermark) Yes Configuration for visual markings is limited to a list of colors and font sizes. You can publish this label without changes although you cannot see the configured values in the Microsoft 365 compliance center.

To change these options, use the New-Label Office 365 Security & Compliance Center cmdlet. For easier administration, consider changing the color to one of the listed options in the Microsoft 365 compliance center.

Note: The Microsoft 365 compliance center supports a predefined list of font definitions. Custom fonts and colors are supported only via the New-Label cmdlet.

If you are working with the classic client, make these changes to your label in the Azure portal.
Variables in visual markings (header, footer) Yes This label configuration is supported by the AIP clients and Office built-in labeling for select apps.

If you are working with built-in labeling using an app that does not support this configuration and publish this label without changes, variables display as text on clients, instead of displaying the dynamic value.

For more information, see the Microsoft 365 documentation.
Visual markings per app Yes This label configuration is supported only by the AIP clients, and not by Office built-in labeling.

If you are working with built-in labeling, and publish this label without changes, the visual marking configuration displays as variable text instead of the visual markings you've configured to display in each app.
"Just for me" protection Yes The Microsoft 365 compliance center do not let you save encryption settings that you apply now, without specifying any users. In the Azure portal, this configuration results in a label that applies "Just for me" protection.

As an alternative, create a label that applies encryption and specify a user with any permissions, and then edit the associated protection template by using PowerShell. First, use the New-AipServiceRightsDefinition cmdlet (see Example 3), and then Set-AipServiceTemplateProperty with the RightsDefinitions parameter.
Conditions and associated settings

Includes automatic and recommended labeling, and their tooltips
Not applicable Reconfigure your conditions by using auto labeling as a separate configuration from label settings.

Comparing the behavior of protection settings for a label

Use the following table to identify how the same protection setting for a label behaves differently, depending on whether it's used by the Azure Information Protection classic client, the Azure Information Protection unified labeling client, or by Office apps that have labeling built in (also known as "native Office labeling"). The differences in label behavior might change your decision whether to publish the labels, especially when you have a mix of clients in your organization.

If you are not sure how your protection settings are configured, view their settings in the Protection pane, in the Azure portal. If you need help with this step, see To configure a label for protection settings.

Protection settings that behave the same way are not listed in the table, with the following exceptions:

  • When you use Office apps with built-in labeling, labels are not visible in File Explorer unless you also install the Azure Information Protection unified labeling client.
  • When you use Office apps with built-in labeling, if protection was previously applied independently from a label, that protection is preserved [1].
Protection setting for a label Azure Information Protection classic client Azure Information Protection unified labeling client Office apps with built-in labeling
HYOK (AD RMS) with a template: Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

When this label is applied:

- HYOK protection is applied to documents and emails
Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

When this label is applied:

- No protection is applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved
Visible in Word, Excel, PowerPoint, and Outlook

When this label is applied:

- No protection is applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved [1]
HYOK (AD RMS) with user-defined permissions for Word, Excel, PowerPoint, and File Explorer: Visible in Word, Excel, PowerPoint, and File Explorer

When this label is applied:

- HYOK protection is applied to documents and emails
Visible in Word, Excel, and PowerPoint

When this label is applied:

- Protection is not applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved
Visible in Word, Excel, and PowerPoint

When this label is applied:

- Protection is not applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved
HYOK (AD RMS) with user-defined permissions for Outlook: Visible in Outlook

When this label is applied:

- Do Not Forward using HYOK protection is applied to emails
Visible in Outlook

When this label is applied:

- Protection is not applied and removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved
Visible in Outlook

When this label is applied:

- Protection is not applied and removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved [1]
Footnote 1

In Outlook, protection is preserved with one exception: When an email has been protected with the encrypt-only option (Encrypt), that protection is removed.

Footnote 2

Protection is removed if the user has a usage right or role that supports this action:

If the user doesn't have one of these usage rights or roles, the label is not applied and the original protection is preserved.

To migrate Azure Information Protection labels

Use the following instructions to migrate your tenant and Azure Information Protection labels to use the unified labeling store.

You must be a Compliance administrator, Compliance data administrator, Security administrator, or Global administrator to migrate your labels.

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

  2. From the Manage menu option, select Unified labeling.

  3. On the Azure Information Protection - Unified labeling pane, select Activate and follow the online instructions.

    If the option to activate is not available, check the Unified labeling status: If you see Activated, your tenant is already using the unified labeling store and there is no need to migrate your labels.

For the labels that successfully migrated, they can now be used by clients and services that support unified labeling. However, you must first publish these labels in the Microsoft 365 compliance center.

Important

If you edit the labels outside the Azure portal, for Azure Information Protection clients (classic), return to this Azure Information Protection - Unified labeling pane, and select Publish.

Copy policies

After you have migrated your labels, you can select an option to copy policies. If you select this option, a one-time copy of your policies with their policy settings and any advanced client settings is sent to the Microsoft 365 compliance center.

Successfully copied policies with their settings and labels are then automatically published to the users and groups that were assigned to the policies in the Azure portal. Note that for the Global policy, this means all users. If you're not ready for the migrated labels in the copied policies to be published, after the policies are copied, you can remove the labels from the label policies in your admin labeling center.

Before you select the Copy policies (preview) option on the Azure Information Protection - Unified labeling pane, be aware of the following:

  • The Copy policies (Preview) option is not available until unified labeling is activated for your tenant.

  • You cannot selectively choose policies and settings to copy. All policies (the Global policy and any scoped policies) are automatically selected to be copied, and all settings that are supported as label policy settings are copied. If you already have a label policy with the same name, it will be overwritten with the policy settings in the Azure portal.

  • Some advanced client settings are not copied because for the Azure Information Protection unified labeling client, these are supported as label advanced settings rather than policy settings. You can configure these label advanced settings with Microsoft 365 Security & Compliance Center PowerShell. The advanced client settings that are not copied:

  • Unlike label migration where subsequent changes to labels are synchronized, the Copy policies action doesn't synchronize any subsequent changes to your policies or policy settings. You can repeat the copy policy action after making changes in the Azure portal, and any existing policies and their settings will be overwritten again. Or, use the Set-LabelPolicy or Set-Label cmdlets with the AdvancedSettings parameter from Office 365 Security & Compliance Center PowerShell.

  • The Copy policies action verifies the following for each policy before it is copied:

    • Users and groups assigned to the policy are currently in Azure AD. If one or more account is missing, the policy is not copied. Group membership is not checked.

    • The Global policy contains at least one label. Because the admin labeling centers don't support label policies without labels, a Global policy without labels is not copied.

  • If you copy policies and then delete them from your admin labeling center, wait at least two hours before you use the Copy policies action again to ensure sufficient time for the deletion to replicate.

  • Policies copied from Azure Information Protection will not have the same name, they will instead be named with a prefix of AIP_. Policy names cannot be subsequently changed.

For more information about configuring the policy settings, advanced client settings, and label settings for the Azure Information Protection unified labeling client, see Custom configurations for the Azure Information Protection unified labeling client from the admin guide.

Note

Azure Information Protection support for copying policies is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Clients and services that support unified labeling

To confirm whether the clients and services you use support unified labeling, refer to their documentation to check whether they can use sensitivity labels that are published from the Microsoft 365 compliance center.

Clients that currently support unified labeling include:
Services that currently support unified labeling include:

Next steps

Guidance and tips from our Customer Experience team:

About sensitivity labels:

Deploy the AIP unified labeling client:

If you haven't already done so, install the Azure Information Protection unified labeling client.

For more information, see: