Unifying Office 365 Sensitivity Labels with Azure Information Protection

Posted on by Tony Redmond in Exchange Online, Office, Office 365, and SharePoint Online with 1 Comment

Sensitivity Labels

Extending Office 365 Labels to Encryption

At the Ignite 2016 conference, Microsoft revealed a new data governance strategy for Office 365. The first practical implementation of parts of the new strategy appeared in April 2017 and Microsoft has been building out other pieces since, notably by adding retention policies for Teams.

The Office 365 data governance story lacked the ability to encrypt sensitive content. Tenants could use rights management to protect email (and rights management is enabled automatically for all tenants), but applying encryption to protect SharePoint Online content was rudimentary compared to the out-of-the-box protection features available for email, like Encrypt-Only.

In this article, I cover the introduction of sensitivity labels to Office 365 and the migration from Azure Information Protection. In part 2, we’ll look at using sensitivity labels to protect Office 365 content.

Azure Information Protection

Azure Information Protection (AIP) offers a solution for documents, spreadsheets, and presentations. Its labels link to rights management templates to protect documents that users labeled and offered the ability to apply other visual markings to highlight the sensitivity of content such as watermarks, headers, and footers. But AIP isn’t part of Office 365 and its labels were different to the labels used in Office 365.

Label Unification

Now, Microsoft is “unifying” labels within Office 365. The first steps along the way are the general availability of sensitivity labels and a preview of the migration process to move AIP labels into Office 365.

On a technical level, unification involves a mixture of new objects and renaming. The older labels, which used to be called classification labels, are renamed to be retention labels. This name better reflects what these labels do, including event-based retention and disposition reviews.

Sensitivity Labels

The new objects are sensitivity labels, an Office 365 implementation of the functionality previously available through AIP labels. Sensitivity labels and AIP labels are objects managed independently through the Security and Compliance Center and Azure portal, but the two sets of labels share a common base. Like an AIP label, a sensitivity label can encrypt a message or document by invoking a rights management protection template. A label can also apply watermarks or adding headers and footers to highlight the sensitivity and importance of an item. A document or message can only ever have a single sensitivity label.

The introduction of sensitivity labels into Office 365 removes the need for tenants to buy Azure Information Protection licenses, unless you intend continuing to use AIP to protect content stored outside Office 365. All Office 365 E3 and E5 tenants are licensed and enabled for rights management, so they can use sensitivity labels to apply protection without any further charge. It’s a pleasant change to see Microsoft removing the need for add-on licenses. Sensitivity labels are not yet available in the sovereign Office 365 clouds.

Unification also means that Office 365 tenants can manage sensitivity labels through the Security and Compliance Center without having to go near the Azure portal to manage protection templates. The templates are still there and can be managed through the AIP blade because they can also be used with the AIP client and applications like the AIP Scanner to protect files stored outside Office 365.

Because they share the same base, Office 365 sensitivity labels interoperate with AIP labels. If you have items with AIP labels, you don’t need to reclassify them because the same metadata is written into files.

Label Migration

Tenants can now migrate existing AIP labels to Office 365. The migration creates new label objects inside Office 365 using the properties of the existing labels. Only AIP labels that use cloud-based keys can be migrated as Office 365 doesn’t support HYOK (encryption using on-premises rights management) for its labels. In addition, some properties, such as label colors including custom colors used for document marking, are not migrated.

Items that already have AIP labels aren’t affected by the migration because both sensitivity and AIP labels insert the same metadata into document and email properties. The same label name will appear in applications.

A One-Way Process

Migration is a one-way, one-time process that cannot be reversed. Because label migration is in preview, you can expect to hit migration errors without a lot of explanation why. When I migrated labels in my tenant, I had problems with AIP labels that had white space at the end of their display names. However, you can restart the migration and the process will pick up from the last label until it eventually completes, and all your AIP labels are moved across to Office 365 (Figure 1).

Figure 1: Migrating AIP labels to Office 365 (image credit: Tony Redmond)

It’s sensible to review the set of AIP labels before starting the migration to remove any that are unused to simplify the migration and reduce the chance of any hiccups when creating the Office 365 objects.

Migration Glitches

After the migration, you should check the labels copied across from AIP to ensure that they work as expected and the same settings exist in both sets of labels. Unsurprisingly, there were more little holes to fill here. For instance, if you edit the Encryption settings for a label that uses one of the default rights management templates created in each tenant, Office 365 notices that rights are not assigned to any group or user and demands that you address the problem. The only problem is that you can’t amend the rights for default templates like “Confidential View Only,” so Microsoft might need to look at how it deals with labels that use these templates. The set of known migration gotchas is documented online.

Another minor glitch is that the marking settings for some labels were all turned on, even if only one (like footer text) was defined in the AIP label. Finally, the custom text for footers and headers to insert values in AIP labels doesn’t work for sensitivity labels. If you have something like the code below defined for a header or footer in an AIP label, the variables are not populated when Office 365 inserts the text after application of the migrated sensitivity label.

${If.App.WXO}This content is Confidential. ${If.End}${If.App.PowerPoint}This presentation is confidential. ${If.End} Set: ${Event.DateTime}

The biggest issue to consider is that Office 365 and Azure use a background process to synchronize changes between the sets of sensitivity and AIP labels. The process works from Azure to Office 365, but not in the reverse. Until Microsoft updates the process and bidirectional synchronization is possible, always make important changes in Azure. For instance, if you need to change the permissions assigned in a template, do it in Azure.

Prepare to Migrate

Like any other migration, the secret of a smooth move of labels from Azure Information Protection to Office 365 is preparation. Review your labels, know how they are used, and identify any likely problems or known issues such as custom text before starting. And while you’re at it, read up about the experiences that other people have had in moving their AIP labels across to Office 365. There’s no point in running into the same hole others have just managed to climb out of.


Don't have a login but want to join the conversation? Sign up for a Petri Account