Differences between Azure Information Protection labels and Office 365 Sensitivity labelsAlex Fields
In the previous two posts, we looked at two capabilities of Azure Information Protection (AIP) P1, which is one of the many subscriptions bundled into Microsoft 365 Business:
Recent announcements have shifted the sands a bit here with so-called “Unified labeling“–which refers to a separate data classification system that is found within the Office 365 Security & Compliance center.
Through this UI, you can manage both Sensitivity and Retention labels.
- Sensitivity labels are used to apply encryption and protect content from being overshared (similar to AIP), for example you may want to label an email or document as Confidential and prevent accidental sharing with recipients external to the organization.
- Retention labels by contrast are used in situations where you want to preserve and/or delete content after a certain amount of time has passed (e.g. content expires and is removed after 7 years). We won’t cover these label types in this article–another time.
Along with the Unified labeling announcement came the news that your AIP labels can be carried over into the Office 365 Security & Compliance center’s Sensitivity labels. Soon in 2019, the Sensitivity button, which allows users to stamp individual files with these classifications, will be deployed into the Office applications (actually they are starting to show up in certain places already–such as Office 365 for macOS).
But there are still important differences between the AIP labels and the Office 365 “Sensitivity labels,” even though they can now be kept “in sync” with one another. As we move through this article, I will try to clear up the differences between these two label sets.
Migration from AIP to SCC Sensitivity labels
If you make the move to “Unified labeling,” you still need to use the AIP client for the time being. I know, wah-wah. Bummer. However, once the Office applications have native support for Sensitivity Labels, the AIP client will be optional–you would not need it in order to apply your labels/classification.
The migration feature is still in preview at the time of this writing but know that this process is also optional; there is no rush to move away from AIP.
Now if you are brand new to this, and have not configured labels in either portal yet, then completing this unification process with the default templates is pretty painless. Literally, it requires pressing just one button (see below).
Otherwise, see Microsoft’s article describing how to migrate existing labels from AIP to the SCC, for some other guidance and caveats.
With that in mind, once you complete the unification you are free to create your own labels in the Security & Compliance Center, and access them using the AIP client. To get started in the Security & Compliance Center, navigate to: Classifications > Labels.
Planning data classification
Similar to what we talked about with AIP labels, planning your data classification with the stakeholders in the business is a crucial step which is often neglected. As an IT Pro you should be transparent with the business owners and decision makers about your capabilities with this tool, and clearly define the meaning of each data classification label.
You have these options via the SCC (they are not 100% the same as AIP):
- Encryption – With the encryption option enabled, you can automatically expire access to shared content, allow or disallow offline access, and assign different permission levels to different groups of users. Templates include Co-Owner, Co-Author, Reviewer, Viewer, or, create Custom permissions.
- Content marking – Apply headers & footers, and/or watermarks that clearly label the nature of the content on the document.
- Endpoint Data Loss Prevention – As of today, you would need a higher subscription level such as E5 to take advantage of this feature, see pre-reqs here. We won’t describe this in much detail except to say that when enabled, it signals to Windows endpoints that this data is extra sensitive, and cannot be copied or moved to say a USB device or other unsanctioned location.
In planning your labels, you may for example choose to enable only a header or footer on classifications such as General. No other protections such as encryption would be necessary, most likely.
However, for more sensitive content, such as Confidential, you may choose to use a watermark, and require encryption, limiting the permissions so that recipients cannot modify or redistribute content outside the organization. Note: the data owner always maintains full control permissions.
Last note: the order in which these labels appear in the admin portal does matter–just like with AIP. Why they don’t show some sort of sensitivity scale or something along the side is odd, but in fact, the “top most” label on the list is the meant to be the least sensitive, while the labels down at the bottom of the list contain the most protection and the most restrictive settings.
Creating your own label
Let’s just say that you are going to create your own labels. I have migrated the default labels from AIP, but maybe I want to add an even more restrictive “Top Secret” label to the tail end of the labels list… because I have so much Top Secret data that I work with, and I’m feeling all Top Secret today. Like I’m in a Mission Impossible movie.
Let’s step through this process, by way of example. Click + Create a label to get stared.
It is required to provide just two things here—a Name, and a “Tooltip” which is the short description that shows up on the bar or banner at the top of a document or email message when the label has been applied. Next.
On the Encryption page, we need to make some choices.
- First of all, yes—we want this turned ON. It’s Top Secret, after all.
- Second, User access to content expires: We can force the content to expire after a period of time has passed, or not. I think, since we’re talking about Mission Impossible here, a self-destruction option feels best.
- The Allow offline access bit sounds scary to me. There is some black magic going on here which allows a user to authenticate once and then keep the token locally to re-open the document for a certain number of days without also re-authenticating, even if the endpoint goes offline, but I like the scenario where this is not allowed not happen much more. Given the Top Secret nature of my data and all.
- Last, click Assign permissions to assign various users, groups, domains, outside email addresses, etc. various permissions levels. For this example, I am allowing recipients who belong to my organization /tenant the Viewer permissions, which contain just enough access to read the content, but do nothing substantial with it—edit, export, copy, print, etc.—all disabled.
On the Content marking page, I am going to mark the crap out of this thing. Watermark? Check. Header? You bet, in Red text no less. Footer? Why not? One more reminder about the sensitivity of a document never hurt anyone when it came to TOP SECRET information.
Now, Endpoint Data Loss Prevention. As I mentioned, this would not apply to the Microsoft 365 Business subscription, at least today. Maybe things will change in the future, but right now this would require Windows Information Protection (WIP) and Windows Defender ATP—which are available only at the Enterprise E5 level. So do not configure this option and just Save and Close after reviewing your selections.
Next, if you want to verify that the marriage between your AIP labels and the Office 365 labels is working correctly, go check out the Azure portal.
Publishing the labels
Once you have your labels all defined, you will want to publish them to your end users. It is possible to publish different sets of labels to different people, but many small businesses will simply publish all the available labels to everyone. Click Publish labels to get started.
Click the link to Choose labels to publish. Select all the labels you want to publish and click Add. Next.
Choose users or groups to whom these labels will become available.
Next, on the Policy settings page, we find that it is possible to choose a default label which is applied to new documents or messages (or leave it set to None in case you do not want this behavior).
As well, we can require users to provide justification when removing or “downgrading” a classification. I would recommend this setting, certainly.
Last on this page, I don’t know that many small businesses would take the time to develop a custom help page for sensitivity labels, but maybe… and IT Providers… this might be a cool thing to develop and give to your customers.
Working with labels in Office
Now, if you have previously configured the Protect button in Outlook using PowerShell, then you will find that your new sensitivity label is already available to use in Outlook on the Web.
As mentioned previously, to label content in the other Office apps will require the Azure Information Protection client to be installed on the workstation, for now. The AIP client is available from Microsoft downloads. And yes. There is an MSI that you can deploy administratively.
Once installed, the next time you open your Office application, you should see the Protect button. When I label my document as Top Secret, the watermarking and permissions I expect are applied.
AIP labels vs. Sensitivity labels
If you decide to stick with AIP for now—that’s totally cool. But even though you can “unify” the two disparate label sets, it is important to remember that they are not the same. Azure Information Protection is a more advanced subscription with more capabilities than what exists using the Office 365 Security & Compliance center’s “Sensitivity labels”—again, at least for now.
The main difference to note is that AIP is better suited to hybrid environments. You can use the AIP client to encrypt documents on a traditional file server, for example, right in Windows Explorer.
Therefore, AIP works whether you have Office 365 or not—you could even buy it as a standalone subscription and use the client to classify content on any server, or in any cloud. Office 365 Sensitivity labels, by contrast, are specifically available with Office 365 apps.
Another notable difference: as we go to configure protection settings on a label in AIP, we will find an option to either Set permissions administratively, or, to Set user-defined permissions. There is no equivalent to the second option within the SCC wizard: In Word, Excel, PowerPoint and File Explorer prompt user for custom permissions.
That is to say, the Office 365 Sensitivity labels do not appear, at this time, to support user-defined “Custom” permissions, as the AIP client does.
Now if you were to choose ONLY the first checkmark box above: In Outlook apply Do Not Forward, then that would be equivalent to choosing the Only email message in Outlook option with the corresponding checkmark box for Do Not Forward in the SCC wizard. But again, the second option to allow the users to specify custom permissions within the other apps–doesn’t exist.
Now back in the Azure portal, if you assign permissions administratively, using Set Permissions on the Protection blade, then in specifying users and groups for the recipients of a labeled document we find an option called: Add any authenticated users – you know, people who might be outside of your tenant?
From Microsoft: This setting doesn’t restrict who can access the content that the label protects, while still encrypting the content and providing you with options to restrict how the content can be used (permissions), and accessed (expiry and offline access).
However, the application opening the protected content must be able to support the authentication being used. For this reason, federated social providers such as Google, and onetime passcode authentication should be used for email only, and only when you use Exchange Online and the new capabilities from Office 365 Message Encryption. Microsoft accounts can be used with the Azure Information Protection viewer and Office 2016 Click-to-Run.
Some typical scenarios for the any authenticated users setting:
- You don’t mind who views the content, but you want to restrict how it is used. For example, you do not want the content to be edited, copied, or printed.
- You don’t need to restrict who accesses the content, but you want to be able to track who opens it and potentially, revoke it.
- You have a requirement that the content must be encrypted at rest and in transit, but it doesn’t require access controls.
Again, there is no equivalent to this in the SCC. You can add external email addresses or domains (and this same capability is also present under the Enter details tab in the AIP blades), but the lack of the “Any authenticated user” option means that you, the administrator, would need to know in advance any potential external users that would fall under the scope of this label.
Handy for sharing with known partner organizations, but not very helpful for allowing users to distribute protected content to anyone (well, anyone with a Microsoft account and AIP viewer, anyway).
Last, as we go to publish our labels via a policy, in the SCC we will not find the toggles to control extra buttons that show up in the ribbon, including the Do Not Forward button, as well as the option for users to apply their own custom permissions.
This makes sense since, again, the SCC interface would not contain settings for the AIP client. Time will tell if the built-in Sensitivity functions will include support for extra buttons such as Do Not Forward (or Encrypt?) in the future.
And there are other differences. For example, in the P2 subscription of AIP (e.g. available in E5), you get access to auto-classifications–if certain sensitive data types are detected, content could be automatically classified based on conditions. There is also an on-premises scanner which can find and classify sensitive content on traditional file servers. But as pertains to the Microsoft 365 Business subscription, I think I have identified most of the significant differences here.
Hopefully these articles have given you some ideas about how to use the Azure Information Protection features with your subscription, and clarified the confusing new “Unified labels” thing as well.