Unified labeling in Microsoft 365 provides organizations an integrated and consistent approach to creating, configuring, and applying policies to protect information worker data across all locations. The introduction of centralized label management allows IT professionals to administer all these capabilities in one place and not have to configure them across solutions, clouds, and premises. Workloads that can leverage unified labeling such as Azure Information Protection Unified Labeling client and scanner, Office 365 apps, Office for web, SharePoint, OneDrive, MCAS and many more can apply these policies in a consistent manner. Unified labeling was exclusively available for commercial cloud tenants.
Unified labeling is now generally available (GA) for Government Community Cloud (GCC/GCC-H) environments. This release brings data discovery, classification, and protection capabilities to government Microsoft 365 instances.
GCC and GCC-H customers are now able to migrate sensitivity labels and label policies in the Azure Information Protection blade to the new label management portal, Microsoft 365 Compliance Center. Migration of labels is only valid for moving from one label management portal (Azure) to another (Microsoft 365 Compliance Center) within the same tenant. Migration in this case does not include moving labels and labels policies from one tenant (commercial) to another (GCC/GCC-H).
Unified labeling is fully aligned with the 100+ sensitive information types that can be found in the Microsoft 365 Compliance center and also supports custom sensitive information types, keyword dictionaries and complex conditions.
At the time of writing this blog, only the Azure Information Protection Unified Labeling client (AIP UL client) and Azure Information Protection Unified Labeling scanner (AIP UL scanner) are available to GCC and GCC-H environments. Other unified labeling workloads such as Office 365 apps, Office for web, SharePoint, OneDrive etc. will be available later.
New GCC and GCC-H customers: are already enabled for unified labeling; therefore, no action is required.
Existing Azure Information Protection customers: will have to review their business requirements and supported features for unified labeling. Once your requirements are confirmed, administrators will have to activate unified labeling and migrate their label and label policies from the Azure Information Protection Blade in the Azure Portal to the Microsoft 365 Compliance Center, re-create their label condition and deploy a unified supported client.
Note: Only Azure Information Protection Unified Labeling client and Azure Information Protection Unified Labeling scanner is only supported for GCC and GCC-H environments at this time.
Figure 1: Activate Unified Labeling in the Azure Information Protection blade in the Azure Portal
GCC-H Only: Label and Label Policy Migration
Existing GCC-H cloud environments require a manual migration of labels and label policies using PowerShell. Commercial and GCC migration methods are not applicable for GCC-H customers. Administrators will have to use the New-Label cmdlet to migrate existing sensitivity labels to the Microsoft 365 Compliance center.
Figure 2: Label ID in the Azure Information Protection blade for sensitivity label “Highly Confidential”
Figure 3: Protection template ID in the Azure Information Protection blade for sensitivity label “Highly Confidential"
New-Label -Name 'Highly Confidential' -Tooltip 'Highly confidential sensitive information' -Comment 'Highly confidential sensitive information’ -DisplayName 'Highly Confidential' -Identity ‘e554622f-b485-412a-9c99-aa08c5856df8' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId ‘0d9619a-2b0b-41f3-a478-50c8e8ac66eb’ -EncryptionAipTemplateScopes "['firstname.lastname@example.org','email@example.com']"
Azure Information Protection Unified Labeling Client and Scanner
Once you enable unified labeling in your organization, you can deploy or upgrade to the new AIP UL client and scanner for Windows to receive unified labeling policies and labels. Upgrading to the AIP UL client has minimal impact as the user interface is practically identical except for the change in the ribbon name from “Protect” to “Sensitivity”. The AIP UL client and AIP UL scanner are at feature parity with commercial cloud releases.
AIP requires a special configuration for sovereign clouds. Administrators will have to deploy a new registry key to their Windows machines for the AIP UL clients to point to the right sovereign cloud.
Figure 4: Registry settings for Azure Information Protection UL clients
Sunsetting Label Management in the Azure Portal and AIP Client (classic)
We have a plan to sunset label management in Azure portal and AIP client (classic) for Government cloud customers. Meanwhile, Government cloud customers who own licenses for AIP will receive continued support for the classic client for 12 months after the general availability of unified labeling for Government cloud. Government cloud customers who may need features that are not yet in the latest release of the unified labeling client can ask for additional extended support for the classic client here before Sept 30 2020.
Azure Information Protection's classic client and Label Management in the Azure Portal will be deprecated on September 30, 2021 for Government Community Cloud customers.
Note: AIP UL scanner management will still be available on AIP portal and will not be deprecated.
- Learn about Sensitivity Labels
- Azure Information Protection Unified Labeling Deployment Acceleration Guide
- Azure Information Protection Premium Government Service Description
- Unified Labeling Client Admin Guide
- AIP unified labeling scanner installation