Migrating Azure Information Protection (AIP) Classic Labels to Unified Labels

Migrating Azure Information Protection (AIP) Classic Labels to Unified Labels

Azure Information Protection (AIP) is Microsoft’s cloud-based solution for classifying and, optionally, protecting sensitive documents and emails in both cloud and on-prem environments. AIP is a powerful tool (that we’ve discussed before) that can automatically apply labels and encrypt files based on admin-defined rules, and even protect documents after they’ve left an organization’s network.

Changes to AIP Administration

AIP was released in 2016, however, the product received a major update in 2018 to have two versions:

  • Azure Information Protection client (classic)
  • Azure Information Protection unified labeling client

The classic client is managed through an Azure portal and will be officially deprecated by Microsoft on March 31, 2021. This means Microsoft’s focus will be on the unified labeling client moving forward, which can be managed from the following admin centers:

  •     Office 365 Security & Compliance Center
  •     Microsoft 365 security center
  •     Microsoft 365 compliance center

What does this mean for organizations still using the original AIP (classic), as well as labels and policies created through that portal? The good news is that Microsoft has a migration plan, which allows the continued use of existing AIP classic labels as unified labels.

If a subscription for Azure Information Protection was obtained in June 2019 or later, then that tenant is already on the unified labeling platform and no further action is needed.

Client Use of Unified Labels

For those familiar with AIP classic labels, unified labels function similarly from a client perspective. With an AIP client installed, right-click a file, click Classify and protect, and the AIP client window opens. From there, select a label to apply to the file, and click Apply.

Azure Information Protection Unified Labels

After a successful label application and/or file encryption, the user receives a confirmation message: Work finished. Completed successfully. As with classic labels, unified labels also have direct integration in Microsoft Office products, other qualified applications (such as Power BI), and the AIP scanner.

As of the date of this blog post, Microsoft offers two separate client installers for the use of classic and unified labels.

  • AzInfoProtection.exe (classic labels)
  • AzInfoProtection_UL.exe (unified labels)

The classic label client can be identified by having a 1.x version number once installed. As of the time of this blog post, the unified labeling client uses 2.x version numbers. Both should not be installed simultaneously on one client.

Cross Compatibility Between Classic & Unified Labels

There is cross-compatibility between classic and unified labels once the migration has been performed.

After migration to unified labels, changes made in the classic admin interface will be reflected in unified label admin centers. However, for classic clients to pick up label changes made in unified label admin centers, admins must return to the Azure portal interface for classic label management.

In the left sidebar select Unified labeling, then click Publish at the top of that menu to import new unified labels.

Azure Information Protection | Unified Labeling

With that said, the best practice for this migration is to move all clients to unified labels simultaneously, rather than keeping a mix of classic and unified label clients (and admin centers). However, it’s possible to have a mixed environment if necessary, understanding there are some caveats and differences between client and label types.

Migrating Labels

In an Azure tenant, a user must have one of the following roles in order to migrate labels:

  • Compliance administrator
  • Compliance data administrator
  • Security administrator
  • Global administrator

Before proceeding, verify there are no unified labels already created that have the same name as a classic label. If so, change one of the label names so there’s no conflict.

As one of those user roles, navigate to Azure Information Protection from within the Azure portal. In the left sidebar of Azure Information Protection, click Unified labeling. In that menu, click Activate and follow the displayed instructions.

Azure Information Protection | Unified Labeling 2

In the example screenshot, Unified labeling has already been activated. Your menu will look like this after migration.

If Unified labeling status is already Activated, then the tenant is already using unified labels and no additional steps are necessary for migration.

Once unified labels have been activated, unified label clients can start using them. As with classic labels, an admin must first publish the migrated labels in one of the unified label admin centers (Office 365 Security & Compliance Center, Microsoft 365 security center, Microsoft 365 compliance center).

Overall, the migration really is that painless and simple. If you’ve been following along then you’re all set to start creating, publishing, and applying unified labels. This is also an inherently risk-free process, as the migration doesn’t make changes to files already labeled (via classic or unified labels).

In Closing

While AIP and Unified Labels are good tools for discovering and protecting sensitive information, there’s still room for improvement within an organization’s Data Access Governance strategy. By integrating Stealthbits’ StealthAUDIT platform into existing AIP and Unified Label workflows, sensitive data discovery can be enhanced to include:

  • More supported file types, including files with no extensions and image files (leveraging OCR).
  • More supported data platforms, including non-Microsoft based structured and unstructured data repositories.
  • Scalable architecture support, including support for wide area networks while circumventing network latency.
  • Expanded reporting and analysis, including additional context for permissions, access, and activity.

Stealthbits’ StealthAUDIT platform is a full-fledged DAG solution, which includes all these enhancements and more. StealthAUDIT integrates with AIP and Unified Labels, in addition to helping organizations discover who is accessing sensitive files, what users are doing with those files, and additional context for permissions and effective access. Learn more about Stealthbits’ Data Access Governance solutions here.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free Stealthbits Trial!

No risk. No obligation.