Unified Labeling — Migrating From AIP to Compliance Center

Microsoft has several tools available to make compliance easier. One of them is undergoing serious changes. The company has announced the end of life for Azure Information Protection classic. Most users only have until March 31st to migrate their information to the new unified labeling platform. In this post, we’ll help you understand why the change is happening and the steps you need to take to ensure migrating from AIP to Compliance Center is a smooth transition.

What’s Happening and Why

Microsoft’s goal is to provide a unified and extensible platform to protect sensitive data across all services. The new system, Microsoft Information Protection (MIP), extends protection beyond Office apps to include SharePoint, Exchange, Power BI, and other cloud-enabled Microsoft products. A single portal manages labeling and protection policies, known as Microsoft 365 Compliance Center. Anyone currently using the Azure portal in conjunction with Azure Information Protection (AIP) must migrate to MIP in order to maintain functionality.

The Benefits of Unified Labeling

When people must make changes, it’s often hard to get them on board. Often, such as the case now, you don’t have a choice. But it’s still helpful to understand the benefits of change in order to improve the mindset around those changes. In their announcement of the change, Microsoft listed 3 primary benefits for moving over to the new system.

  • Greater protection coverage — This is the reason we’ve already discussed, and the primary driver for the change. As a unified solution, MIP covers more services than AIP did.
  • Lower maintenance costs — Previously, in order to have coverage across disparate Microsoft products, separate solutions needed to be deployed. Because one portal manages everything, maintenance costs reduce.
  • Better performance — The old system required the use of add-ins, which slowed launch times and sometimes the running performance of Office applications. As an integrated solution, that problem doesn’t exist under the new system.

Timelines for Migration

When the Microsoft 365 Compliance Center reached feature parity with the Azure portal a year ago, Microsoft set a one-year time limit for migration from AIP to MIP.  That date is now rapidly approaching; on March 31st, 2021 the Azure portal will be shut down. Additionally, the AIP client (classic) will also see its end of life on that day. At the time of the announcement, Microsoft offered an extension period for those who were using features that aren’t ready for migration. However, the timeline to apply for that extension passed in September 2020. With time ticking down, anyone who has been procrastinating about the change must act now.

Special Note for Office 365 U.S. Government Community Services

In the introduction, you may have noticed that we said most users have until March 21st to perform the migration. U.S. Government Community services (GCC) users of Office 365 products were given an additional timeframe for migration. Because the new unified solution was not available to them until September 21, 2020, those users will not have their Azure portal or AIP classic client deprecated until September 21, 2021. This extended timeframe covers GCC users as well as GCC-H and DoD users.

Migration Guide

Microsoft has tried to make migrating from AIP to Compliance Center as easy as possible. In addition to waiting until there was feature parity between the two services before requiring migration, they have created some tools that make copying your policies and transferring your labels easy. Please be aware that not everything will migrate automatically. Furthermore, for some aspects of the system, maintaining both the new MIP solution and the old AIP solution until the cutoff date of March 31st, 2021 will require some additional steps.

Adapting Administrative Roles

Certain administrative roles do not function in Microsoft 365 Compliance Center the way they did in the Azure Portal. While Global Administrators continue managing both labels and policies in both systems after the conversion, the role of Azure Information Protection Administrator no longer exists in the new unified solution. You have two options for providing access to these users, otherwise they will not be able to configure Azure Information Protection after you’ve migrated your labels.

  • From the Microsoft 365 Security Center, Microsoft 365 Compliance Center, or Azure AD Portal, assign members who had the role of Azure Information Protection Administrator to one of the following roles: Compliance Administrator, Compliance Data Administrator, or Security Administrator
  • From those same administration centers, create a new role group for those users with a Sensitivity Label Administrator or Organization Configuration role.

Check Your Protection Templates

When we get to step for migrating labels, some of your protection templates will automatically migrate with them. If your template is part of a label configuration and it uses a cloud-based key, then you have nothing to worry about, it will migrate along with the label. Labels with predefined templates, however, are not supported in Compliance Center. You’ll need to set the permissions of those labels to match the ones in the predefined template manually.

Label Name Considerations

Before migrating, make sure that there will be no conflicting display names for your labels after migration. Any label that shares a parent with another cannot also share a display name. It is okay, however, for sub-labels with different parents to have the same display name. It’s helpful to think of this exactly like the folder structure on your local computer. Two files in the same folder can’t have the same name, but two files in separate folders can.

Activate Unified Labeling

The first step to migrating your data to the new unified labeling platform is to activate it. In order to do that, you must have one of the following roles: Compliance Administrator, Compliance Data Administrator, Security Administrator, or Global Administrator. Assuming you have the proper permissions, activating unified labeling can be easily accomplished from the Azure Portal.

  • Log into the Azure Portal
  • Go to the Information Protection pane. You can find it through the search box for resources, services, and documentation.
  • Open the Manage menu and select Unified Labeling
  • Look for a pane called Azure Information Protection — Unified Labeling and select Activate from that pane.
  • Onscreen instructions will guide you the rest of the way.

When you activate unified labeling, any labels that can be automatically migrated will be converted over to the new system.

Copy Your Policies to Compliance Center

After migrating your labeling, you’ll be asked if you want to copy your policies as well. Successfully copied policies will be automatically assigned to the users and groups that they were assigned to in the old system. Note that changes to your policies in AIP classic do not automatically synchronize with the new admin centers. If you haven’t fully made the switch to the unified labeling system, you’ll need to update them manually in both places.

Publishing Labels

Your labels were migrated in the activation step, however, for them to work you must perform a one-time operation to publish them. You do this from one of the new admin centers. For Compliance Center, the following instructions apply:

  • Open the Information Protection pane in the Solutions menu.
  • From there, select the Label Policies tab and select Publish Labels.
  • Select the sensitivity labels to publish and select Add
  • Follow the prompts

Editing Migrated Labels

After you’ve migrated your labels, they will automatically update in the new admin centers if you edit them from within Azure portal. However, the same thing does happen in reverse. If you edit your label in one of the admin centers, and want it to work in the classic AIP clients, you’ll need to go back to the Azure Portal, open the Azure Information Protection — Unified Labeling pane, and select Publish. Keep in mind that by March 31st, 2021, you should have ended your reliance on those classic clients.

Upgrade to a Unified Labeling Client if Needed

Depending on how you create your labels, you may need to upgrade to a client that supports the new unified system. Many of the Office 365 applications support the new system. Microsoft maintains a list of which Office 365 versions support unified labeling to make it easy for you to ensure you are using an up-to-date enough version. If you have been using the Azure Information Protection classic client then you’ll need to update to the new Azure Information Protection unified labeling client to ensure compatibility with the new system moving forward.

Train Users on the New Workflow

Unified Labeling — Migrating from AIP to Compliance Center Once you know which labeling and sensitivity features are available, train your users. Once everyone understands the new unified labeling system, consider your migration complete.

Learn More About Migrating From AIP to Compliance Center

Microsoft’s compliance functionality is vital for meeting the requirements of regulations such as CMMC, HIPPA, GDPR, and NIST 800-171. As the deadline approaches, if you find yourself needing help migrating from AIP to Compliance Center, or with taking advantage of other Microsoft 365 data security features, such as data loss prevention, please contact us to schedule a free consultation today.

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.