Azure Information Protection (AIP) is Microsoft’s cloud-based solution for classifying and, optionally, protecting sensitive documents and emails in both cloud and on-prem environments. AIP is a powerful tool (that we’ve discussed before) that can automatically apply labels and encrypt files based on admin-defined rules, and even protect documents after they’ve left an organization’s network.
AIP was released in 2016, however, the product received a major update in 2018 to have two versions:
The classic client is managed through an Azure portal and will be officially deprecated by Microsoft on March 31, 2021. This means Microsoft’s focus will be on the unified labeling client moving forward, which can be managed from the following admin centers:
What does this mean for organizations still using the original AIP (classic), as well as labels and policies created through that portal? The good news is that Microsoft has a migration plan, which allows the continued use of existing AIP classic labels as unified labels.
If a subscription for Azure Information Protection was obtained in June 2019 or later, then that tenant is already on the unified labeling platform and no further action is needed.
For those familiar with AIP classic labels, unified labels function similarly from a client perspective. With an AIP client installed, right-click a file, click Classify and protect, and the AIP client window opens. From there, select a label to apply to the file, and click Apply.
After a successful label application and/or file encryption, the user receives a confirmation message: Work finished. Completed successfully. As with classic labels, unified labels also have direct integration in Microsoft Office products, other qualified applications (such as Power BI), and the AIP scanner.
As of the date of this blog post, Microsoft offers two separate client installers for the use of classic and unified labels.
The classic label client can be identified by having a 1.x version number once installed. As of the time of this blog post, the unified labeling client uses 2.x version numbers. Both should not be installed simultaneously on one client.
There is cross-compatibility between classic and unified labels once the migration has been performed.
After migration to unified labels, changes made in the classic admin interface will be reflected in unified label admin centers. However, for classic clients to pick up label changes made in unified label admin centers, admins must return to the Azure portal interface for classic label management.
In the left sidebar select Unified labeling, then click Publish at the top of that menu to import new unified labels.
With that said, the best practice for this migration is to move all clients to unified labels simultaneously, rather than keeping a mix of classic and unified label clients (and admin centers). However, it’s possible to have a mixed environment if necessary, understanding there are some caveats and differences between client and label types.
In an Azure tenant, a user must have one of the following roles in order to migrate labels:
Before proceeding, verify there are no unified labels already created that have the same name as a classic label. If so, change one of the label names so there’s no conflict.
As one of those user roles, navigate to Azure Information Protection from within the Azure portal. In the left sidebar of Azure Information Protection, click Unified labeling. In that menu, click Activate and follow the displayed instructions.
In the example screenshot, Unified labeling has already been activated. Your menu will look like this after migration.
If Unified labeling status is already Activated, then the tenant is already using unified labels and no additional steps are necessary for migration.
Once unified labels have been activated, unified label clients can start using them. As with classic labels, an admin must first publish the migrated labels in one of the unified label admin centers (Office 365 Security & Compliance Center, Microsoft 365 security center, Microsoft 365 compliance center).
Overall, the migration really is that painless and simple. If you’ve been following along then you’re all set to start creating, publishing, and applying unified labels. This is also an inherently risk-free process, as the migration doesn’t make changes to files already labeled (via classic or unified labels).
While AIP and Unified Labels are good tools for discovering and protecting sensitive information, there’s still room for improvement within an organization’s Data Access Governance strategy. By integrating Stealthbits’ StealthAUDIT platform into existing AIP and Unified Label workflows, sensitive data discovery can be enhanced to include:
Stealthbits’ StealthAUDIT platform is a full-fledged DAG solution, which includes all these enhancements and more. StealthAUDIT integrates with AIP and Unified Labels, in addition to helping organizations discover who is accessing sensitive files, what users are doing with those files, and additional context for permissions and effective access. Learn more about Stealthbits’ Data Access Governance solutions here.
Dan Piazza is a Technical Product Manager at Stealthbits, now part of Netwrix, responsible for PAM, file systems auditing and sensitive data auditing solutions. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, automation, and code. Prior to his current role he worked as a Product Manager and Systems Engineer for a data storage software company, managing and implementing both software and hardware B2B solutions.
Adopting a Data Access Governance strategy will help any organization achieve stronger security and control over their unstructured data. Use this free guide to help choose the best available solution available today!Read more
Start a Free Stealthbits Trial!
No risk. No obligation.