Blog Post: 3 minute read.
Have you been tasked with implementing Azure Information Protection (AIP) in your organization? If the KISS principle ever applied to anything in the O365 service, it definitely applies to the AIP world of classification and labeling. Get too complicated and your users will hate the control “IT” is forcing upon them and will look to other tools to “get the job done”.
What is Azure Information Protection (AIP)? It lets organizations classify, label, and protect data at the time of creation or modification. With AIP, users can:
- Classify data based on sensitivity, and add labels – manually or automatically
- Protect data using encryption, authentication and use rights
- Enable intuitive, non-intrusive experience for end-users
-Microsoft Azure Information Protection team
In AIP, you use labels to apply classification to documents and emails. The labels are stored in clear text as either metadata in files (you’ll see the label as a sensitivity property in Advanced properties) or in email headers to allow other services (DLP, custom solutions, etc.) to identify the classification and take appropriate action.
What are some strategies you can use to keep your AIP deployment simple? Read on.
#1 – Keep labels simple, unambiguous and obvious
To come up with an organization’s labels, IT should work closely with the Information Management (IM) team. Adhering to Microsoft’s label recommendations is a sound approach and you should only deviate from it if there is a very good reason to do so. These recommendations are based on Microsoft’s experience working with many customers and real-world use-cases and have proven to be the most successful for end-user adoption and understanding. Ensure you communicate this message to your organization’s IM team.
I can’t stress enough the importance of the words chosen for your labels – keep them simple, plain, and obvious. After all, it’s the end-user sitting in front of the keyboard that really needs to understand them. It’s not enough for only the IM team to understand them.
You can see Microsoft’s default label recommendations in the Azure Information Protection service within the Azure portal:
These labels will appear in the Information Protection Bar at the top of the following client apps: Word, Excel, PowerPoint, Outlook.
Note: you must install the Azure Information Protection unified client in order to classify documents from the client and to see the Information Protection bar.

#2 – Apply sub-labels for “special” departments
Let’s face it, there are departments within most organizations that deal with more sensitive information than most. We call these “special”. 😉 To accommodate those scenarios in AIP, you create sub-labels. I would caution against creating a sub-label for every department in your organization – only do it for those that deal with information requiring a unique classification. Remember, we want to keep this simple to ensure maximum adoption.
Here’s what a sub-label definition looks like in the Azure Information Protection service in the Azure Portal. In this case I’ve created a new sub-label, Legal Team, to accommodate the confidential information the Legal Team works with. I’ve also chosen to insert a custom header in the document when the label is selected (you can choose a header, footer, or watermark):
In the client, when this sub-label is selected from the Information Protection bar(1), it will insert a custom header in the document(2), and apply the appropriate sensitivity label to the document(3) as follows:
#3 – Top Secret (Hidden) labels
If you have a need to provide labels for some specialized teams in your organization but you don’t want everyone to see the labels (for #2 above – everyone will still see the Legal Team label even if they aren’t in the Legal Team) then you can create a scoped policy. This is a good idea to minimize the options for users when labeling their content. Again, you will want to control the proliferation of these types of labels to keep the options clear and well-defined for the users in your organization.
In the Azure portal, you define a secret label by setting up a new Policy, adding the labels within the policy and secure it to users/groups in your organization that should see it. Only those defined will see the label(s).
In this example, there is a top secret project in my organization called ‘Project Joanne’ and I want to classify all content within it as Highly Confidential. I’ve created a new policy called ‘Joanne’s Secret Policy’ (it will inherit all labels defined in the Global policy) and added a label within ‘Highly Confidential’ to include it. Additionally, I’ve set the security at the ‘Joanne’s Secret Project’ policy level to only show for user’s in a specific security group:
Within the Office client, only those people in the security group associated with the scoped policy will see the ‘Project Joanne’ option as follows:
#4 – Descriptions are important!
When creating labels/sub-labels you should enter a good description of what the label means as well as examples of content that would fall within that label’s classification. Why are these so important? The description can sometimes be all the end-user has to go on if they are unsure which label should be used to classify their content.
The description will show up when you hover over the label in the client application (Word, Excel, PowerPoint, Outlook) as follows:
Spend a fair amount of time ensuring you have worded your label descriptions clearly and with relevant examples.
In this post I’ve only scratched the surface of the options available in AIP for classifying and securing content. You can add more functionality as users across your organization become comfortable with the concept of labeling their content and incorporating it into their daily work. My message to you is to start simple and incrementally build on your success.
Remember, Rome wasn’t built in a day.
Thanks for reading.
-JCK
How can we use the AIP labels in the DLP policies (in security & compliance admin) , before May 2017 you could select document properties but now you can only select under conditions sensitivity and then MS predefined categories (creditcard, id carts, social security numbers,…) but nothing related to AIP labels