Tutorial: Migrating from the Azure Information Protection (AIP) classic client to unified labeling solution

Applies to: Azure Information Protection

Relevant for: Azure Information Protection classic client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. While the classic client continues to work as configured, no further support is provided, and maintenance versions will no longer be released for the classic client.

We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent update on the deprecation.

This tutorial describes how to migrate your organization's Azure Information Protection deployment from the classic client, and label/label policy management in the Azure portal, to the unified labeling solution and Microsoft 365 sensitivity labels.

Time required: The time required to complete a migration depends on how complex your policies are and the AIP features you use. You can continue to work with the classic client while you migrate in the background.

This tutorial provides a high-level description of each step, and then references to the relevant section elsewhere in Microsoft documentation for more details.

In this tutorial, you'll:

  • Learn about planning your migration
  • Migrate your labels to the unified labeling platform
  • Learn how to configure advanced settings in the Microsoft 365 compliance center
  • Copy your policies to the unified labeling platform
  • Deploy the unified labeling client

Why migrate to the unified labeling solution?

In addition to the planned classic client deprecation, migrating to the unified labeling solution enables you to effectively protect sensitive data across your digital estate. Once you've migrated, use Microsoft Information Protection (MIP) in Microsoft 365 cloud services, on-premises, in third-party SaaS applications, and more.

MIP supports built-in labeling services for many basic information protection features, enabling you to reserve client usage only for extra features not supported by built-in labeling.

  • Lower your maintenance costs, by deploying and maintaining less additional software
  • Increase Office performance, without the need for additional add-ins
  • Streamline your labeling and protection policy management across AIP, Office 365, and Windows, using the Microsoft 365 compliance center.

For more information, see the Understanding unified labeling migration blog.

Planning your migration

While most functionality available for the AIP classic client is also available for the unified labeling client, some features are not yet fully available, and some are configured differently for unified labeling.

Review the following articles to understand how the Information Protection features you use may differ when using the unified labeling client:

Tip

If there are documented differences between the clients that impact your end users' behavior, we recommend communicating these changes effectively to your users before deploying the unified labeling client and publishing your new policy.

Once you've planned your migration and understood the changes that will occur, continue with Migrating labels to the unified labeling platform.

Migrating labels to the unified labeling platform

Once you've planned you migration and considered how you will manage the differences in the clients, you're ready to activate unified labeling and migrate your labels.

While you migrate, you can continue to use the AIP classic client and the policies in the Azure Information Protection area in the Azure portal. The two clients can work side by side without any additional configuration.

  1. Sign in to the Azure portal as an administrator with one of the following roles:

    • Compliance administrator
    • Compliance data administrator
    • Security administrator
    • Global administrator
  2. On the Azure Information Protection area, under Manage on the left, select Unified labeling.

    At the top of the page, select Activate to activate unified labeling.

    Your labels are copied from Azure Information Protection to the unified labeling platform, and are now stored in both systems.

    Open the Microsoft 365 compliance center to compare the labels displayed there and in the Azure Information Protection area. The two lists should be identical. For example, when comparing to the Microsoft 365 Security & Compliance Center:

    Compare migrated labels between the Azure portal and the Security & Compliance Center

    Note

    If needed, continue using the labels in both systems until you finish migrating. For more information, see Synchronizing labeling edits.

Continue with Copy policies to the unified labeling platform.

Synchronizing labeling edits

Once you've migrated your labels to the Microsoft 365 compliance center, any edits you continue to make to the migrated labels in the Azure portal are automatically synchronized to the same label in the Microsoft 365 compliance center.

However, edits made to migrated labels in Microsoft 365 compliance center are not synchronized back to the Azure portal. If you make edits in the Microsoft 365 compliance center and need them updated in the Azure portal, return to the portal to publish the update.

To publish an updated label in the Azure portal:

  1. On the Azure Information Protection area, under Manage on the left, select Unified labeling.

  2. Select Publish.

Note

This step is only required if you've made edits to your migrated labels in the unified labeling platform, and need those edits synchronized back with the Azure portal.

Migrating labels via PowerShell

You can also use PowerShell to migrate your existing labels, such as for a GCC High environment.

Use the New-Label cmdlet to migrate your existing sensitivity labels.

For example, if your sensitivity label has encryption, you might use the New-Label cmdlet as follows:

New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId 'a32027d7-ea77-4ba8-b2a9-7101a4e44d89' -EncryptionAipTemplateScopes "['allcompany@labelaction.onmicrosoft.com','admin@labelaction.onmicrosoft.com']"

For more information about working in GCC, GCC-High, and DoD environments, see the Azure Information Protection Premium Government Service Description.

Copy policies to the unified labeling platform

Copy any policies you have stored in the Azure portal that you want to have available as they are in the unified labeling platform.

This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Note

Copying policies has certain limitations. You can also start from scratch and create your policies manually in the Microsoft 365 compliance center. For more information, see the Microsoft 365 documentation.

To copy your policies:

  1. Consider the following items and confirm that you want to copy your policies at this time:

    Consideration Description
    Copying policies copies all your policies Copying policies does not support copying specific policies only - it's all of your policies, or none of them now.
    Copying automatically publishes your policies Copying your policies to the unified labeling client automatically publishes them to all unified labeling-supported clients.

    Important: Do not copy your policies if you don't want to publish them.
    Copying overwrites existing policies of the same name If you have a policy with the same name already existing in the Microsoft 365 compliance center, copying your policies will overwrite any settings defined in that policy.

    All policies copied from the Azure portal are named with the following syntax: AIP_<policy name>.
    Some client settings are not copied Some client settings are not copied to the unified labeling platform, and must be configured manually after migrating.

    For more information, see Configuring advanced labeling settings
  2. Sign in to the Azure portal as an administrator with one of the following roles:

    • Compliance administrator
    • Compliance data administrator
    • Security administrator
    • Global administrator
  3. On the Azure Information Protection area, under Manage on the left, select Unified labeling.

  4. Select Copy policies (preview). All of the policies you have stored in the Azure portal are copied to the Microsoft 365 compliance center.

    If there are any policies already in the Microsoft 365 compliance center with the same name, the policies are overwritten with the settings from the Azure portal.

    Important

    If you currently use Microsoft Cloud App Security and Azure Information Protection labels, verify that you have published at least one policy with a minimal set of labels to the Microsoft 365 compliance center, even if the policy is scoped to a single user.

    This policy is required for Microsoft Cloud App Security to identify all the labels in the Microsoft 365 compliance center, and show them in the Microsoft Cloud App Security portal.

Now that you've migrated both your labels and policies, continue with Configuring advanced labeling settings to cover any advanced configurations that were not migrated.

Configuring advanced labeling settings

As explained during the planning phase, some advanced labeling settings are not migrated automatically, and must be reconfigured for the unified labeling platform.

For more information, see:

Configure advanced labeling settings in PowerShell

  1. Connect to the Office 365 Security & Compliance Center PowerShell module. For more information, see Security & Compliance Center PowerShell documentation.

  2. To define an advanced label setting, use the Set-Label cmdlet, specifying the AdvancedSettings parameter, the label you want to apply the setting to, as well as key/value pairs to define your setting.

    Use the following syntax:

    Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{<Key>="<value1>,<value2>"}
    

    Where:

    • <LabelGUIDorName> identifies your label, using the label name or GUID
    • <Key> is the key, or name of the advanced setting you want to device
    • <Value> is the setting value you want to define. Surround your value in quotes, and separate multiple values by commas. White spaces are not supported.
  3. Get started by configuring the following advanced settings:

    For more information about advanced configurations available, see Admin Guide: Custom configurations for the Azure Information Protection unified labeling client.

Note

To leverage the settings you've defined for the unified labeling platform, end-users must have the unified labeling client installed on their machines.

These advanced settings are not available for users who have only built-in labeling provided by Office 365.

Define label conditions in the Microsoft 365 compliance center

Unified labeling conditions provide more flexibility and better accuracy than their counterparts that had been created in the Azure portal.

To leverage unified labeling condition features, create your labeling conditions manually in the Microsoft 365 compliance center.

For more information, see What sensitivity labels can do in the Microsoft 365 documentation.

Tip

If you have any custom sensitive information types created for use with Office 365 DLP or Microsoft Cloud App Security, apply them as-is to unified labeling. For more information, see the Microsoft 365 documentation.

Deploy a unified labeling client

Deploy a client that supports unified labeling across your users' machines to ensure that they will be able to use your unified labeling policies and labels.

Users must have a supported client that can connect to the Microsoft 365 compliance center and pull the unified labeling policy.

For more information, see:

Non-Windows platforms

For users on non-Windows platforms, unified labeling capabilities are integrated directly in the Office clients, and can use any labels you've published immediately.

Office clients with integrated unified labeling capabilities include:

  • Office clients for macOS
  • Office for the web (preview)
  • The Outlook Web App
  • Outlook for mobile

For more information about unified labeling in these platforms, see the Apply sensitivity labels to your files and email in Office on the Microsoft Support site.

Windows platforms

For Windows machines with Microsoft 365 Apps for Enterprise, use the built-in labeling support provided in Office versions 1910 and higher, or install the Azure Information Protection unified labeling client to extend AIP functionality to the File Explorer or PowerShell.

For more information, see:

The Azure Information Protection unified labeling client can be downloaded from the Microsoft Download Center.

Make sure that you use the AzInfoProtection_UL file to deploy the client. If you currently have the classic client installed on the machine, installing the unified labeling client performs an in-place upgrade.

Note

Consider the AIP functionality currently required by your organization when determining when to use built-in labeling and when to use the unified labeling client.

What changes for classic client end users?

The main, most visible difference for end users who have been using the Azure Information Protection classic client is that the Protect button in Office apps is replaced by the Sensitivity button.

Once you leverage the additional capabilities supported by sensitivity labels and unified labeling, end users will also see those changes in their Office apps.

For example:

  • Windows AIP classic client

    Protection button in the classic client

  • Windows AIP unified labeling client

    Sample button for the unified labeling client in Microsoft Office

Tip

If you have published your labels and the clients that have built-in support do not show the Sensitivity button, review the relevant troubleshooting guide as needed.

Next steps

Once you've migrated your labels, policies, and deployed clients as needed, continue by managing labels and labeling policies only in the Microsoft 365 compliance center.

With the unified labeling platform, you'll only need to return to the Azure Information Protection area in the Azure portal to:

We recommend that end-users leverage built-in labeling capabilities in the latest Office apps for web, Mac, iOS, and Android, as well as Microsoft 365 Apps for Enterprise.

To use additional AIP features not yet supported by built-in labeling, we recommend using the latest unified labeling client for Windows.