How to migrate Azure Information Protection labels to Office 365 sensitivity labels

Applies to: Azure Information Protection, Office 365

Instructions for: Azure Information Protection client for Windows

Important

This feature is in preview, and migrates your tenant to a new platform. The migration cannot be reversed. The new platform supports unified labeling so that labels that you create and manage can be used by clients and services that support Microsoft Information Protection solutions.

Migrate your labels if you want to be able to use them as Office 365 sensitivity labels by clients and services that support unified labeling. You manage and publish these labels from the Office 365 Security & Compliance Center, or the Microsoft 365 security center and the Microsoft 365 compliance center. After the migration, the Azure Information Protection client continues to download the labels with their Azure Information Protection policy from the Azure portal.

Before you read detailed instructions about how to migrate your labels, you might find the following frequently asked questions useful:

Important information about administrative roles

The Azure AD role of Information Protection administrator is not supported by the unified labeling platform. If this administrative role is used in your organization, before you migrate your labels, add the users who have this role to the Azure AD roles of Security administrator or Compliance administrator. If you need help with this step, see Give users access to the Office 365 Security & Compliance Center. You can also assign these roles in the Azure AD portal, the Microsoft 365 security center, and the Microsoft 365 compliance center.

As an alternative to using roles, you can create a new role group for these users in the admin centers and add either the Sensitivity Label Administrator or Organization Configuration role to this group.

If you do not give these users access to the admin centers by using one of these configurations, they won't be able to configure Azure Information Protection in the Azure portal after your labels are migrated.

Global administrators for your tenant can continue to manage labels and policies in both the Azure portal and the admin centers after your labels are migrated.

Considerations for unified labels

Before you migrate your labels, make sure that you are aware of the following changes and considerations:

  • Not all clients currently support unified labels. Make sure that you have supported clients and be prepared for administration in both the Azure portal (for clients that don't support unified labels) and the admin centers (for clients that do support unified labels).

  • If you are in the middle of defining and configuring the labels that you want to use, we recommend that you complete this process by using the Azure portal, and then migrate the labels. This strategy avoids creating duplicate labels during the migration process that you would then need to edit in the admin centers.

  • Policies, including policy settings and who has access to them (scoped policies), and all advanced client settings are not migrated. For these changes that are not migrated, you will need to configure the relevant options in the admin centers after the labels are migrated.

    For a more consistent user experience, we recommend you publish the same labels in the same scopes in the admin centers.

  • Not all settings from a migrated label are supported by the admin centers. Use the table in the Label settings that are not supported in the admin centers section to help you identify these settings and the recommended course of action.

  • Protection templates:

    • Templates that use a cloud-based key and that are part of a label configuration are also migrated with the label. Other protection templates are not migrated.

    • If you have labels that are configured for a predefined template, edit these labels and select the Set permissions option to configure the same protection settings that you had in your template. Labels with predefined templates will not block label migration but this label configuration is not supported in the admin centers.

      Tip: To help you reconfigure these labels, you might find it useful to have two browser windows: One window in which you select the Edit Template button for the label to view the protection settings, and the other window to configure the same settings when you select Set permissions.

    • After a label with cloud-based protection settings has been migrated, the resulting scope of the protection template is the scope that is defined in the Azure portal (or by using the AADRM PowerShell module) and the scope that is defined in the admin centers.

  • When you migrate your labels, you will see the migration results display whether a label was created, updated, or renamed because of duplication:

    • When a label is created, you must then publish it in one of the admin centers to make it available to applications and services.

    • When a label is renamed, you must then edit it, which you can do in one of the admin centers or the Azure portal.

  • For each label, the Azure portal displays only the label display name, which you can edit. The admin centers show both this display name for a label, and the label name. The label name is the initial name that you specified when the label was first created and this property is used by the back-end service for identification purposes.

  • Any localized strings for the labels are not migrated. You must define new localized strings for the migrated labels in the admin centers.

  • After the migration, when you edit a migrated label in the Azure portal, the same change is automatically reflected in the admin centers. However, when you edit a migrated label in one of the admin centers, you must return to the Azure portal, Azure Information Protection - Unified labeling blade, and select Publish. This additional action is needed for Azure Information Protection clients to pick up the label changes.

Label settings that are not supported in the admin centers

Use the following table to identify which configuration settings of a migrated label are not supported by the Office 365 Security & Compliance Center, the Microsoft 365 security center, or the Microsoft 365 compliance center. If you have labels with these settings, when the migration is complete, use the administration guidance in the final column before you publish your labels in one of the admin centers.

If you are not sure how your labels are configured, view their settings in the Azure portal. If you need help with this step, see Configuring the Azure Information Protection policy.

Azure Information Protection clients can use all label settings listed without any problems because they continue to download the labels from the Azure portal.

| Label configuration | Supported by unified labeling clients | Guidance for the admin centers |
|---|---|---|
| Status of enabled or disabled. Notes: Not synchronized to the admin centers | Not applicable | The equivalent is whether the label is published or not. |
| Label color that you select from list or specify by using RGB code | Yes | No configuration option for label colors. Instead, you can configure label colors in the Azure portal. |
| Cloud-based protection or HYOK-based protection using a predefined template | No | No configuration option for predefined templates. We do not recommend you publish a label with this configuration. |
| Cloud-based protection using user-defined permissions for Word, Excel, and PowerPoint | No | No configuration option for user-defined permissions for these Office apps. We do not recommend you publish a label with this configuration. If you do, the results of applying the label are listed in the following table. |
| HYOK-based protection using user-defined permissions for Outlook (Do Not Forward) | No | No configuration option for HYOK. We do not recommend you publish a label with this configuration. If you do, the results of applying the label are listed in the following table. |
| Remove protection | No | No configuration option to remove protection. We do not recommend you publish a label with this configuration. If you do publish this label, when it is applied, protection will be removed if it was previously applied by a label. If protection was previously applied independently from a label, the protection is preserved. |
| Custom font and custom font color by RGB code for visual markings (header, footer, watermark) | Yes | Configuration for visual markings is limited to a list of colors and font sizes. You can publish this label without changes although you cannot see the configured values in the admin centers. To change these options, you can use the Azure portal. However, for easier administration, consider changing the color to one of the listed options in the admin centers. |
| Variables in visual markings (header, footer) | No | If you publish this label without changes, variables display as text on clients rather than display the dynamic values. Before you publish the label, edit the strings to remove the variables. |
| Visual markings per app | No | If you publish this label without changes, the app variables display as text on clients in all apps rather than display your text strings on chosen apps. Publish this label only if it is suitable for all apps, and edit the strings to remove the app variables. |
| Conditions and associated settings. Notes: Includes automatic and recommended labeling, and their tooltips | Not applicable | Reconfigure your conditions by using auto labeling as a separate configuration from label settings. |
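
One way to apply the guidance in the table above before you publish migrated labels, shown as an added example that is not Microsoft tooling or part of the original page: a Python check over a hand-built label inventory. The record schema, the function names, and the sample labels are assumptions made for illustration; the `${...}` patterns follow the variable syntax that Azure Information Protection uses in visual markings.

```python
import re

# Marking syntax of the Azure Information Protection client, for example
# ${Item.Label} and ${If.App.Word}...${If.End}
APP_BLOCK = re.compile(r"\$\{If\.App\.[\w.]+\}.*?\$\{If\.End\}", re.S)
VARIABLE = re.compile(r"\$\{(?!If\.)[\w.]+\}")

# (kind, key, target) combinations the table says not to publish (hypothetical schema)
NOT_RECOMMENDED = {
    ("template", "cloud", None): "predefined template",
    ("template", "hyok", None): "predefined template (HYOK)",
    ("user_defined", "cloud", "office"): "user-defined permissions for Word, Excel, PowerPoint",
    ("user_defined", "hyok", "outlook"): "HYOK Do Not Forward",
    ("remove", None, None): "remove protection",
}

def audit_label(label):
    """Return (action, reason) findings for one label record."""
    findings = []
    p = label.get("protection") or {}
    combo = (p.get("kind"), p.get("key"), p.get("target"))
    if combo in NOT_RECOMMENDED:
        findings.append(("do-not-publish", NOT_RECOMMENDED[combo]))
    for where in ("header", "footer"):
        text = label.get(where) or ""
        if APP_BLOCK.search(text):
            findings.append(("edit-strings", f"per-app marking in {where}"))
        if VARIABLE.search(APP_BLOCK.sub("", text)):
            findings.append(("edit-strings", f"variable in {where}"))
    if label.get("conditions"):
        findings.append(("reconfigure", "conditions: set up auto labeling separately"))
    if label.get("custom_font_rgb"):
        findings.append(("info", "custom font color not shown in admin centers"))
    return findings

def publish_ready(label):
    """True when no finding requires action before publishing."""
    return all(action == "info" for action, _ in audit_label(label))

# Constructed sample inventory, not exported from any real tenant
LABELS = [
    {"name": "General", "footer": "Classified as General"},
    {"name": "Confidential", "header": "${Item.Label} - ${User.Name}",
     "protection": {"kind": "template", "key": "cloud"}},
    {"name": "Secret", "footer": "${If.App.Word}Word only${If.End}",
     "protection": {"kind": "user_defined", "key": "hyok", "target": "outlook"},
     "conditions": ["credit card number"]},
    {"name": "Public", "header": "Public", "custom_font_rgb": "#FF0000"},
]
```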

Comparing the behavior of protection settings for a label

Use the following table to identify how the same protection setting for a label behaves differently, depending on whether it's used by the Azure Information Protection client, the Azure Information Protection unified labeling client, or by Office apps that have labeling built in (also known as "native Office

If you are not sure how your protection settings are configured, view their settings in the Protection blade, in the Azure portal. If you need help with this step, see To configure a label for protection settings.

Protection settings that behave the same way are not listed in the table, with the following exceptions:

  • When you use Office apps with built-in labeling, labels are not visible in File Explorer unless you also install the Azure Information Protection unified labeling client.
  • When you use Office apps with built-in labeling, if protection was previously applied independently from a label, that protection is preserved [1].

| Protection setting for a label | Azure Information Protection client | Azure Information Protection unified labeling client | Office apps with built-in labeling |
|---|---|---|---|
| Azure (cloud key) with user-defined permissions for Word, Excel, PowerPoint, and File Explorer | Visible in Word, Excel, PowerPoint, and File Explorer. When the label is applied: users are prompted for custom permissions that are then applied as protection using a cloud-based key. | Not visible | Visible in Word, Excel, PowerPoint, and Outlook. When the label is applied: users are not prompted for custom permissions and no protection is applied. If protection was previously applied independently from a label, that protection is preserved [1]. |
| HYOK (AD RMS) with a template | Visible in Word, Excel, PowerPoint, Outlook, and File Explorer. When this label is applied: HYOK protection is applied to documents and emails. | Visible in Word, Excel, PowerPoint, Outlook, and File Explorer. When this label is applied: no protection is applied and protection is removed [2] if it was previously applied by a label. If protection was previously applied independently from a label, that protection is preserved. | Visible in Word, Excel, PowerPoint, and Outlook. When this label is applied: no protection is applied and protection is removed [2] if it was previously applied by a label. If protection was previously applied independently from a label, that protection is preserved [1]. |
| HYOK (AD RMS) with user-defined permissions for Word, Excel, PowerPoint, and File Explorer | Visible in Word, Excel, PowerPoint and File Explorer. When this label is applied: HYOK protection is applied to documents and emails. | Visible in Word, Excel, and PowerPoint. When this label is applied: protection is not applied and protection is removed [2] if it was previously applied by a label. If protection was previously applied independently from a label, that protection is preserved. | Visible in Word, Excel, and PowerPoint. When this label is applied: protection is not applied and protection is removed [2] if it was previously applied by a label. If protection was previously applied independently from a label, that protection is preserved. |
| HYOK (AD RMS) with user-defined permissions for Outlook | Visible in Outlook. When this label is applied: Do Not Forward using HYOK protection is applied to emails. | Visible in Outlook. When this label is applied: protection is not applied and removed [2] if it was previously applied by a label. If protection was previously applied independently from a label, that protection is preserved. | Visible in Outlook. When this label is applied: protection is not applied and removed [2] if it was previously applied by a label. If protection was previously applied independently from a label, that protection is preserved [1]. |

Footnote 1

In Outlook for Mac, protection is preserved with one exception: When an email has been protected with the Encrypt-Only option, that protection is removed.

Footnote 2

Protection is removed if the user has a usage right or role that supports this action:

If the user doesn't have one of these usage rights or roles, the label is not applied and the original protection is preserved.

To migrate Azure Information Protection labels

Use the following instructions to migrate your tenant and Azure Information Protection labels to use the new unified labeling store.

You must be a Compliance administrator, Security administrator, or Global administrator to migrate your labels.

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection blade.

    For example, on the hub menu, click All services and start typing Information in the Filter box. Select Azure Information Protection.

  2. From the Manage menu option, select Unified labeling (Preview).

  3. On the Azure Information Protection - Unified labeling blade, select Activate and follow the online instructions.

    If the option to activate is not available, check the Unified labeling status: If you see Activated, your tenant is already using the unified labeling store and there is no need to migrate your labels.

Labels that migrated successfully can now be used by clients and services that support unified labeling. However, you must first publish these labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

Important

If you edit the labels outside the Azure portal, return to this Azure Information Protection - Unified labeling blade and select Publish so that Azure Information Protection clients pick up the label changes.

Clients and services that support unified labeling

To confirm whether the clients and services you use support unified labeling, refer to their documentation to check whether they can use sensitivity labels that are published from one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

Clients that currently support unified labeling include:

Services that currently support unified labeling include:

  • Windows Defender Azure Threat Protection

  • Microsoft Cloud App Security

    This service supports labels both before the migration to the unified labeling store, and after the migration, using the following logic:

    • If the admin centers have the same labels as those in the Azure portal: Unified labels are retrieved from the admin centers. To select these labels in Cloud App Security, at least one label must be published to at least one user.

    • If the admin centers don't have the same labels as those in the Azure portal: Unified labels are not used from the admin centers, and instead, labels are retrieved from the Azure portal.

  • Services from software vendors and developers that use the Microsoft Information Protection SDK.

Next steps

For more information about your migrated labels that can now be configured and published in one of the admin centers, see Overview of sensitivity labels.

To read the announcement blog post: Announcing the availability of unified labeling management in the Security & Compliance Center.