Frequently asked questions about classification and labeling in Azure Information Protection

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and classic client. For more information, see also the FAQs for the classic client only.


To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. No further support is provided for the classic client, and maintenance versions will no longer be released.

We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent deprecation blog.

Have a question about Azure Information Protection that is specifically about classification and labeling? See if it's answered here.

Which client do I install for testing new functionality?

We recommend installing the Azure Information Protection unified labeling client. The unified labeling client downloads labels and policy settings from the Microsoft 365 compliance center.

This client is in general availability, and might have a preview version for you to test additional functionality for a future release.

If you still configured labels in the Azure portal that you haven't yet migrated to the unified labeling store, use the Azure Information Protection classic client instead.

For more information, including a feature and functionality comparison table, see Choose your Windows labeling solution.


The Azure Information Protection client is supported on Windows only.

To classify and protect documents and emails on iOS, Android, macOS, and the web, use Office apps that support built-in labeling.

Where can I find information about using sensitivity labels for Office apps?

See the following documentation resources:

For information about other scenarios that support sensitivity labels, see Common scenarios for sensitivity labels.

How do I prevent somebody from removing or changing a label?

To prevent users from removing or changing a label, the content must already be protected and the protection permissions do not grant the user the Export or Full Control usage right.

When an email is labeled, do any attachments automatically get the same labeling?

No. When you label an email message that has attachments, those attachments do not inherit the same label. The attachments remain either without a label or retain a separately applied label. However, if the label for the email applies protection, that protection is applied to Office attachments.

How can DLP solutions and other applications integrate with Azure Information Protection?

Because Azure Information Protection uses persistent metadata for classification, which includes a clear-text label, this information can be read by DLP solutions and other applications.

For examples of using this metadata with Exchange Online mail flow rules, see Configuring Exchange Online mail flow rules for Azure Information Protection labels.