How to migrate Azure Information Protection labels to unified sensitivity labels

Applies to: Azure Information Protection, Office 365

Instructions for: Azure Information Protection client for Windows

Migrate Azure Information Protection labels to the unified labeling platform so that they can be used as sensitivity labels by clients and services that support unified labeling.

Note

If your Azure Information Protection subscription is fairly new, you might not need to migrate labels because your tenant is already on the unified labeling platform. For more information, see How can I determine if my tenant is on the unified labeling platform?

After you migrate your labels, you won't see any difference with the Azure Information Protection client (classic) because this client continues to download the labels with the Azure Information Protection policy from the Azure portal. However, you can now use the labels with the Azure Information Protection unified labeling client and other clients and services that use sensitivity labels.

Before you read the instructions to migrate your labels, you might find the following frequently asked questions useful:

Administrative roles that support the unified labeling platform

If you use admin roles for delegated administration in your organization, you might need to make some changes for the unified labeling platform:

The Azure AD roles of Azure Information Protection administrator (formerly Information Protection administrator) and Global reader are not supported by the unified labeling platform. If either of these administrative roles is used in your organization to manage Azure Information Protection, add the users who have this role to the Azure AD roles of Compliance administrator, Compliance data administrator, or Security administrator. If you need help with this step, see Give users access to the Office 365 Security & Compliance Center. You can also assign these roles in the Azure AD portal, the Microsoft 365 security center, and the Microsoft 365 compliance center.

As an alternative to using roles, in the admin centers you can create a new role group for these users and add either Sensitivity Label Administrator or Organization Configuration roles to this group.

If you do not give these users access to the admin centers by using one of these configurations, they won't be able to configure Azure Information Protection in the Azure portal after your labels are migrated.

Global administrators for your tenant can continue to manage labels and policies in both the Azure portal and the admin centers after your labels are migrated.

Before you begin

Label migration has many benefits but is irreversible, so make sure that you are aware of the following changes and considerations:

  • Make sure that you have clients that support unified labels and, if necessary, be prepared for administration in both the Azure portal (for clients that don't support unified labels) and the admin centers (for clients that do support unified labels).

  • Policies, including policy settings and who has access to them (scoped policies), and all advanced client settings are not migrated. Your options to configure these settings after your label migration include the following:

  • Not all settings from a migrated label are supported by the admin centers. Use the table in the Label settings that are not supported in the admin centers section to help you identify these settings and the recommended course of action.

  • Protection templates:

    • Templates that use a cloud-based key and that are part of a label configuration are also migrated with the label. Other protection templates are not migrated.

    • If you have labels that are configured for a predefined template, edit these labels and select the Set permissions option to configure the same protection settings that you had in your template. Labels with predefined templates will not block label migration but this label configuration is not supported in the admin centers.

      Tip: To help you reconfigure these labels, you might find it useful to have two browser windows: One window in which you select the Edit Template button for the label to view the protection settings, and the other window to configure the same settings when you select Set permissions.

    • After a label with cloud-based protection settings has been migrated, the resulting scope of the protection template is the scope that is defined in the Azure portal (or by using the AIPService PowerShell module) and the scope that is defined in the admin centers.

  • For each label, the Azure portal displays only the label display name, which you can edit. Users see this label name in their apps. The admin centers show both this display name for a label, and the label name. The label name is the initial name that you specify when the label is first created and this property is used by the back-end service for identification purposes. When you migrate your labels, the display name remains the same and the label name is renamed to the label ID from the Azure portal.

  • Any localized strings for the labels are not migrated. Define new localized strings for the migrated labels by using Office 365 Security & Compliance PowerShell and the LocaleSettings parameter for Set-Label.

  • After the migration, when you edit a migrated label in the Azure portal, the same change is automatically reflected in the admin centers. However, when you edit a migrated label in one of the admin centers, you must return to the Azure portal, Azure Information Protection - Unified labeling pane, and select Publish. This additional action is needed for the Azure Information Protection clients (classic) to pick up the label changes.
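The localized-strings step from the list above, as an added example that is not part of the original page. It assumes an active Office 365 Security & Compliance PowerShell session; the label ID is a placeholder, the translations are constructed sample values, and ConvertTo-LocaleSetting is a hypothetical helper.

```powershell
# Added example. Run inside a Security & Compliance PowerShell session.
# The page states that a migrated label's name becomes its label ID from the
# Azure portal, so that ID is used as the identity here (placeholder value).
$labelId = '00000000-0000-0000-0000-000000000000'

# Constructed sample translations: locale -> string.
$displayNames = [ordered]@{
    'fr-fr' = 'Confidentiel'
    'de-de' = 'Vertraulich'
}
$tooltips = [ordered]@{
    'fr-fr' = 'Donnees reservees a un usage interne.'
    'de-de' = 'Daten nur fuer den internen Gebrauch.'
}

# Hypothetical helper: builds one JSON document per locale key, in the
# {"LocaleKey": ..., "Settings": [{"Key": ..., "Value": ...}]} shape that
# the LocaleSettings parameter accepts.
function ConvertTo-LocaleSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DisplayName', 'Tooltip')]
        [string]$LocaleKey,

        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Strings
    )
    $settings = foreach ($locale in $Strings.Keys) {
        @{ Key = $locale; Value = $Strings[$locale] }
    }
    [PSCustomObject]@{
        LocaleKey = $LocaleKey
        Settings  = @($settings)
    } | ConvertTo-Json -Depth 3 -Compress
}

$localeSettings = @(
    ConvertTo-LocaleSetting -LocaleKey 'DisplayName' -Strings $displayNames
    ConvertTo-LocaleSetting -LocaleKey 'Tooltip'     -Strings $tooltips
)

# Apply both sets of localized strings to the migrated label.
Set-Label -Identity $labelId -LocaleSettings $localeSettings

# Review the label afterwards to confirm the strings were stored.
Get-Label -Identity $labelId | Format-List
```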

Label settings that are not supported in the admin centers

Use the following table to identify which configuration settings of a migrated label are not supported by the Office 365 Security & Compliance Center, the Microsoft 365 security center, or the Microsoft compliance center. If you have labels with these settings, when the migration is complete, use the administration guidance in the final column before you publish your labels in one of the referenced admin centers.

If you are not sure how your labels are configured, view their settings in the Azure portal. If you need help with this step, see Configuring the Azure Information Protection policy.

Azure Information Protection clients (classic) can use all label settings listed without any problems because they continue to download the labels from the Azure portal.

Label configuration: Status of enabled or disabled. This status is not synchronized to the admin centers.
Supported by unified labeling clients: Not applicable
Guidance for the admin centers: The equivalent is whether the label is published or not.

Label configuration: Label color that you select from list or specify by using RGB code
Supported by unified labeling clients: Yes
Guidance for the admin centers: No configuration option for label colors. Instead, you can configure label colors in the Azure portal or use PowerShell.

Label configuration: Cloud-based protection or HYOK-based protection using a predefined template
Supported by unified labeling clients: No
Guidance for the admin centers: No configuration option for predefined templates. We do not recommend you publish a label with this configuration.

Label configuration: Cloud-based protection using user-defined permissions for Word, Excel, and PowerPoint
Supported by unified labeling clients: Yes
Guidance for the admin centers: The admin centers now have a configuration option for user-defined permissions. If you publish a label with this configuration, check the results of applying the label from the following table.

Label configuration: HYOK-based protection using user-defined permissions for Outlook (Do Not Forward)
Supported by unified labeling clients: No
Guidance for the admin centers: No configuration option for HYOK. We do not recommend you publish a label with this configuration. If you do, the results of applying the label are listed in the following table.

Label configuration: Remove protection
Supported by unified labeling clients: No
Guidance for the admin centers: No configuration option to remove protection. We do not recommend you publish a label with this configuration. If you do publish a label with this configuration, when it is applied, protection is always removed, whether the protection was previously applied by a label or independently from a label.

Label configuration: Any authenticated user protection setting
Supported by unified labeling clients: Yes
Guidance for the admin centers: No configuration option to select this protection setting. Publish a label with this configuration when this setting has been migrated or you configure it in the Azure portal.

Label configuration: Custom font and custom font color by RGB code for visual markings (header, footer, watermark)
Supported by unified labeling clients: Yes
Guidance for the admin centers: Configuration for visual markings is limited to a list of colors and font sizes. You can publish this label without changes although you cannot see the configured values in the admin centers. To change these options, you can use the Azure portal. However, for easier administration, consider changing the color to one of the listed options in the admin centers.

Label configuration: Variables in visual markings (header, footer)
Supported by unified labeling clients: No
Guidance for the admin centers: If you publish this label without changes, variables display as text on clients rather than display the dynamic values. Before you publish the label, edit the strings to remove the variables.

Label configuration: Visual markings per app
Supported by unified labeling clients: No
Guidance for the admin centers: If you publish this label without changes, the app variables display as text on clients in all apps rather than display your text strings on chosen apps. Publish this label only if it is suitable for all apps, and edit the strings to remove the app variables.

Label configuration: Conditions and associated settings. Includes automatic and recommended labeling, and their tooltips.
Supported by unified labeling clients: Not applicable
Guidance for the admin centers: Reconfigure your conditions by using auto labeling as a separate configuration from label settings.
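
A pre-publish check for the two visual-marking entries above (variables, and visual markings per app), as an added example that is not part of the original page. The label objects are constructed sample data with hypothetical property names, and the `${...}` token syntax, including `${If.App...}` and `${If.End}` for per-app markings, is assumed from the classic client's visual-marking configuration rather than shown on this page.

```powershell
# Added example. The labels below are constructed sample data; the property
# names (Name, Header, Footer) are hypothetical and not a real export format.
# Single quotes keep PowerShell from expanding the ${...} tokens.
$labels = @(
    [PSCustomObject]@{ Name = 'General';      Header = 'Classified as ${Item.Label}';       Footer = '' }
    [PSCustomObject]@{ Name = 'Confidential'; Header = '${If.App.WP}Internal use${If.End}'; Footer = 'Confidential' }
    [PSCustomObject]@{ Name = 'Public';       Header = 'Public';                            Footer = '' }
)

function Find-MarkingVariable {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Label
    )
    process {
        foreach ($field in 'Header', 'Footer') {
            $text = [string]$Label.$field
            # Any ${...} token would be shown to users as literal text by
            # clients that download the label from the admin centers.
            foreach ($match in [regex]::Matches($text, '\$\{([^}]+)\}')) {
                $token = $match.Groups[1].Value
                $kind  = if ($token -like 'If.*') { 'Per-app marking' } else { 'Variable' }
                [PSCustomObject]@{
                    Label = $Label.Name
                    Field = $field
                    Kind  = $kind
                    Token = $match.Value
                }
            }
        }
    }
}

$findings = @($labels | Find-MarkingVariable)
$findings | Format-Table -AutoSize

# Labels whose marking strings need editing before they are published.
$findings.Label | Select-Object -Unique
```

With the sample data, General is flagged for one variable and Confidential for a per-app block; Public passes.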

Comparing the behavior of protection settings for a label

Use the following table to identify how the same protection setting for a label behaves differently, depending on whether it's used by the Azure Information Protection client (classic), the Azure Information Protection unified labeling client, or by Office apps that have labeling built in (also known as "native Office labeling"). The differences in label behavior might change your decision whether to publish the labels, especially when you have a mix of clients in your organization.

If you are not sure how your protection settings are configured, view their settings in the Protection pane, in the Azure portal. If you need help with this step, see To configure a label for protection settings.

Protection settings that behave the same way are not listed in the table, with the following exceptions:

  • When you use Office apps with built-in labeling, labels are not visible in File Explorer unless you also install the Azure Information Protection unified labeling client.
  • When you use Office apps with built-in labeling, if protection was previously applied independently from a label, that protection is preserved [1].

Protection setting for a label: Azure (cloud key) with user-defined permissions for Word, Excel, PowerPoint, and File Explorer

Azure Information Protection client (classic): Visible in Word, Excel, PowerPoint, and File Explorer

When the label is applied:

- Users are prompted for custom permissions that are then applied as protection using a cloud-based key

Azure Information Protection unified labeling client: Visible in Word, Excel, PowerPoint, and File Explorer

When the label is applied:

- Users are prompted for custom permissions that are then applied as protection using a cloud-based key

Office apps with built-in labeling: Visible in Word, Excel, PowerPoint, and Outlook

When the label is applied:

- Users are not prompted for custom permissions and no protection is applied

- If protection was previously applied independently from a label, that protection is preserved [1]

Protection setting for a label: HYOK (AD RMS) with a template

Azure Information Protection client (classic): Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

When this label is applied:

- HYOK protection is applied to documents and emails

Azure Information Protection unified labeling client: Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

When this label is applied:

- No protection is applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved

Office apps with built-in labeling: Visible in Word, Excel, PowerPoint, and Outlook

When this label is applied:

- No protection is applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved [1]

Protection setting for a label: HYOK (AD RMS) with user-defined permissions for Word, Excel, PowerPoint, and File Explorer

Azure Information Protection client (classic): Visible in Word, Excel, PowerPoint, and File Explorer

When this label is applied:

- HYOK protection is applied to documents and emails

Azure Information Protection unified labeling client: Visible in Word, Excel, and PowerPoint

When this label is applied:

- Protection is not applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved

Office apps with built-in labeling: Visible in Word, Excel, and PowerPoint

When this label is applied:

- Protection is not applied and protection is removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved

Protection setting for a label: HYOK (AD RMS) with user-defined permissions for Outlook

Azure Information Protection client (classic): Visible in Outlook

When this label is applied:

- Do Not Forward using HYOK protection is applied to emails

Azure Information Protection unified labeling client: Visible in Outlook

When this label is applied:

- Protection is not applied and removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved

Office apps with built-in labeling: Visible in Outlook

When this label is applied:

- Protection is not applied and removed [2] if it was previously applied by a label

- If protection was previously applied independently from a label, that protection is preserved [1]

Footnote 1

In Outlook, protection is preserved with one exception: When an email has been protected with the Encrypt-Only option, that protection is removed.

Footnote 2

Protection is removed if the user has a usage right or role that supports this action:

If the user doesn't have one of these usage rights or roles, the label is not applied and the original protection is preserved.

To migrate Azure Information Protection labels

Use the following instructions to migrate your tenant and Azure Information Protection labels to use the unified labeling store.

You must be a Compliance administrator, Compliance data administrator, Security administrator, or Global administrator to migrate your labels.

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

  2. From the Manage menu option, select Unified labeling.

  3. On the Azure Information Protection - Unified labeling pane, select Activate and follow the online instructions.

    If the option to activate is not available, check the Unified labeling status: If you see Activated, your tenant is already using the unified labeling store and there is no need to migrate your labels.

The labels that migrated successfully can now be used by clients and services that support unified labeling. However, you must first publish these labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

Important

If you edit the labels outside the Azure portal, for Azure Information Protection clients (classic), return to this Azure Information Protection - Unified labeling pane, and select Publish.

Copy policies

Note

This option is gradually rolling out to tenants. It is also in preview and subject to change.

After you have migrated your labels, you can select an option to copy policies. If you select this option, a one-time copy of your policies with their policy settings and any advanced client settings is sent to the admin center where you manage your labels: Office 365 Security & Compliance Center, Microsoft 365 security center, Microsoft 365 compliance center.

Before you select the Copy policies (preview) option on the Azure Information Protection - Unified labeling pane, be aware of the following:

  • You cannot selectively choose policies and settings to copy. All policies (the Global policy and any scoped policies) are copied, and all settings that are supported as label policy settings are copied. If you already have a label policy with the same name, it will be overwritten with the policy settings in the Azure portal.

  • Some advanced client settings are not copied because for the Azure Information Protection unified labeling client, these are supported as label advanced settings rather than policy settings. You can configure these label advanced settings with Office 365 Security & Compliance Center PowerShell. The advanced client settings that are not copied:

  • Unlike label migration where subsequent changes to labels are synchronized, the copy policies action doesn't synchronize any subsequent changes to your policies or policy settings. You can repeat the copy policy action after making changes in the Azure portal, and any existing policies and their settings will be overwritten again. Or, use the Set-LabelPolicy or Set-Label cmdlets with the AdvancedSettings parameter from Office 365 Security & Compliance Center PowerShell.

  • The Copy policies (Preview) option is not available until unified labeling is activated for your tenant.

For more information about configuring the policy settings, advanced client settings, and label settings for the Azure Information Protection unified labeling client, see Custom configurations for the Azure Information Protection unified labeling client from the admin guide.

Clients and services that support unified labeling

To confirm whether the clients and services you use support unified labeling, refer to their documentation to check whether they can use sensitivity labels that are published from one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

Clients that currently support unified labeling include:
Services that currently support unified labeling include:

Next steps

For additional guidance and tips from our Customer Experience team, see the following blog post: Understanding Unified Labeling Migration.

For more information about your migrated labels that can now be configured and published in one of the admin centers, see Overview of sensitivity labels.

If you haven't already done so, install the Azure Information Protection unified labeling client. For release information, an admin guide, and user guide, see Azure Information Protection unified labeling client for Windows.