Azure Information Protection (AIP) is Microsoft’s cloud-based solution for classifying and, optionally, protecting sensitive documents and emails in both cloud and on-prem environments. AIP is a powerful tool (that we’ve discussed before) that can automatically apply labels and encrypt files based on admin-defined rules, and even protect documents after they’ve left an organization’s network.
Changes to AIP Administration
AIP was released in 2016; however, the product received a major update in 2018 that split it into two versions:
- Azure Information Protection client (classic)
- Azure Information Protection unified labeling client
The classic client is managed through the Azure portal and will be officially deprecated by Microsoft on March 31, 2021. This means Microsoft’s focus will be on the unified labeling client moving forward, which can be managed from the following admin centers:
- Office 365 Security & Compliance Center
- Microsoft 365 security center
- Microsoft 365 compliance center
What does this mean for organizations still using the original AIP (classic), as well as labels and policies created through that portal? The good news is that Microsoft has a migration plan, which allows the continued use of existing AIP classic labels as unified labels.
If a subscription for Azure Information Protection was obtained in June 2019 or later, then that tenant is already on the unified labeling platform and no further action is needed.
Client Use of Unified Labels
For those familiar with AIP classic labels, unified labels function similarly from a client perspective. With an AIP client installed, right-click a file, click Classify and protect, and the AIP client window opens. From there, select a label to apply to the file, and click Apply.
After a successful label application and/or file encryption, the user receives a confirmation message: Work finished. Completed successfully. As with classic labels, unified labels also have direct integration in Microsoft Office products, other qualified applications (such as Power BI), and the AIP scanner.
As of the date of this blog post, Microsoft offers two separate client installers for the use of classic and unified labels.
- AzInfoProtection.exe (classic labels)
- AzInfoProtection_UL.exe (unified labels)
Once installed, the classic label client can be identified by its 1.x version number. As of the time of this blog post, the unified labeling client uses 2.x version numbers. The two clients should not be installed simultaneously on one machine.
Cross Compatibility Between Classic & Unified Labels
There is cross-compatibility between classic and unified labels once the migration has been performed.
After migration to unified labels, changes made in the classic admin interface will be reflected in unified label admin centers. However, for classic clients to pick up label changes made in unified label admin centers, admins must return to the Azure portal interface for classic label management.
In the left sidebar select Unified labeling, then click Publish at the top of that menu to import new unified labels.
With that said, the best practice for this migration is to move all clients to unified labels simultaneously, rather than keeping a mix of classic and unified label clients (and admin centers). However, it’s possible to have a mixed environment if necessary, understanding there are some caveats and differences between client and label types.
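To plan a simultaneous cutover, it helps to know which endpoints still run the classic client. The following is an added example, not code from the original post or from Microsoft: it applies the 1.x/2.x version rule above to a client inventory export and flags hosts that still run classic, hosts with both clients installed, and whether the environment is mixed. The CSV layout, host names and version values are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per AIP client install found on a host.
# Column names, hosts and versions are hypothetical, not from a real tool.
SAMPLE_INVENTORY = """host,aip_client_version
WS-001,1.2.3.4
WS-002,2.3.4.5
WS-003,1.2.3.4
WS-003,2.3.4.5
WS-004,2.0.1.0
WS-005,unknown
"""

def client_type(version):
    """Map a version string to a client type using the rule in the post:
    1.x is the classic client, 2.x is the unified labeling client."""
    major = version.strip().split(".", 1)[0]
    if major == "1":
        return "classic"
    if major == "2":
        return "unified"
    return "unrecognized"

def audit(inventory_csv):
    """Return migration findings for every host in the inventory."""
    per_host = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        per_host[row["host"].strip()].add(client_type(row["aip_client_version"]))

    def hosts_with(kind):
        return sorted(h for h, kinds in per_host.items() if kind in kinds)

    classic, unified = hosts_with("classic"), hosts_with("unified")
    return {
        "still_classic": classic,  # must move before classic is deprecated
        "both_installed": sorted(set(classic) & set(unified)),  # unsupported
        "unrecognized": hosts_with("unrecognized"),  # needs manual review
        "mixed_environment": bool(classic) and bool(unified),
    }

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_INVENTORY).items():
        print(f"{finding}: {value}")
```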
In an Azure tenant, a user must have one of the following roles in order to migrate labels:
- Compliance administrator
- Compliance data administrator
- Security administrator
- Global administrator
Before proceeding, verify that no existing unified label has the same name as a classic label. If one does, change one of the label names so there’s no conflict.
As one of those user roles, navigate to Azure Information Protection from within the Azure portal. In the left sidebar of Azure Information Protection, click Unified labeling. In that menu, click Activate and follow the displayed instructions.
In the example screenshot, Unified labeling has already been activated. Your menu will look like this after migration.
If Unified labeling status is already Activated, then the tenant is already using unified labels and no additional steps are necessary for migration.
Once unified labels have been activated, unified label clients can start using them. As with classic labels, an admin must first publish the migrated labels in one of the unified label admin centers (Office 365 Security & Compliance Center, Microsoft 365 security center, Microsoft 365 compliance center).
Overall, the migration really is that painless and simple. If you’ve been following along, then you’re all set to start creating, publishing, and applying unified labels. This is also an inherently risk-free process, as the migration doesn’t make changes to files already labeled (via classic or unified labels).
While AIP and Unified Labels are good tools for discovering and protecting sensitive information, there’s still room for improvement within an organization’s Data Access Governance strategy. By integrating Stealthbits’ StealthAUDIT platform into existing AIP and Unified Label workflows, sensitive data discovery can be enhanced to include:
- More supported file types, including files with no extensions and image files (leveraging OCR).
- More supported data platforms, including non-Microsoft based structured and unstructured data repositories.
- Scalable architecture support, including support for wide area networks while circumventing network latency.
- Expanded reporting and analysis, including additional context for permissions, access, and activity.
Stealthbits’ StealthAUDIT platform is a full-fledged DAG solution, which includes all these enhancements and more. StealthAUDIT integrates with AIP and Unified Labels, in addition to helping organizations discover who is accessing sensitive files, what users are doing with those files, and additional context for permissions and effective access.
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in StealthAUDIT. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, data storage, and automation. He has a Bachelor’s degree from Bryant University, and outside of tech he enjoys running, tennis, and snowboarding.