Sensitivity labeling and AIP

In my previous article I briefly described the new unified/sensitivity labels in Office 365. This new part of the Office 365 platform aims at bridging the gap between Office 365 and Azure Information Protection. Those are my words 🙂

This has been a highly requested feature the last couple of years. And now it’s available.

There’s already a ton of information available on the workings of these labels. But I wanted to look at the similarities and differences between these platforms. And that’s exactly what I did…. Please do note that this platform is still evolving and things I noticed at this moment might be different tomorrow…..

Management console

Because the sensitivity labels are to be used by users in the Office 365 environment, the labels are managed from the Security and Compliance Center, in the Classification section. Your admins will need at least the Compliance Administrator role for this, which means that they will also be able to manage settings for device management, data loss prevention, reports, and preservation (see here).

Azure Information Protection labels are still managed from the Azure blade, and admins will require at least the Information Protection Administrator role for this. This blade offers us a nice dashboard, including label statistics and information on the scanner.

Managing labels

The process of creating and managing labels is somewhat different. Azure Information Protection works with a policy. This policy contains generic settings and has users assigned. Labels are created and then added to a policy.

The sensitivity labels are created and published to groups/users. This is also called a policy and contains, like Azure Information Protection, some generic settings.

This does make sense. You can now have an Office Group named “Human Resources”, have this group populated with identities and when needed, grant this group access to specific HR sensitivity labels.

Some settings which are available in the Azure Information Protection policy cannot be set using the Office 365 publication mechanism. For example, you don’t have the option for managing the client buttons, like you have in Azure.

Configuring a label

Label configuration is really easy in both consoles. And the sensitivity labels even include one additional option. You can now have Windows 10 endpoint data loss prevention, based on the document’s label. Very cool indeed. This does require a specific Windows 10 version and Intune…..

Again, there are some differences. For one – I really like the custom visual markings. In Azure Information Protection you can set properties of the document in the visual markings. For example, the name and label of the document.

Although you can configure this in the sensitivity label, this is treated as plain text by Word, which looks like this.

sensitive label 5





In Azure Information Protection we also have the option to choose a color for the label. That’s not possible with the sensitivity labels. But perhaps more important, the new sensitivity labels don’t support a Hold Your Own Key scenario or automatic detection and labeling of sensitive content.

Working with the client

The client looks slightly different, but works as expected.

One thing I did notice: where’s the “Delete Label” option? It’s not available from the Office client. Which is somewhat weird, as this option is available in the Windows Explorer interface.

This client also offers us the “Custom permissions” option. This cannot be configured in the admin console – something which is possible in Azure Information Protection.

Not again????

So, all-in-all, it’s looking great. Weirdly enough I don’t see the site-classification part anymore in the sensitivity labels. This was present in the private preview. But there’s just one thing I was certain would work with these new labels….

Word Online error

But alas…… The encryption technology/technologies behind Azure Information Protection and SharePoint Online still clash. Ok, I must admit that you’re informed on this when configuring a sensitivity label.

Still no sharepoint integration

But let’s be honest. This platform aims to close the gap between Office 365 and Azure Information Protection. So this needs to work 🙂 And according to the Microsoft roadmap, this is coming.


For organisations that use or are contemplating Azure Information Protection and are also using Office 365 – please start (migrating and) using the new sensitivity labels. As the required new client does not work with Azure Information Protection, you’ll probably have to.

The sensitivity labels work, but there are still some quirks for Microsoft to work out. I hope this blog provides you with some information on this.



  1. Hi, thanks for this useful post. Please could you clarify the statement at the end? “As the required new client does not work with Azure Information Protection, you’ll probably have to”. What’s the required new client that’s referred to here? Thanks!

    1. Hi Ben,

      In order to use the new sensitivity labels, you need a new client. This client (which shows up in Office as a “Sensitivity” button) can be found here:

      Microsoft is clear that the client used for Azure Information Protection cannot connect to the new sensitivity labels. So in a nutshell:

      Azure Information Protection =
      Sensitivity Labels =

      There is a new client available for Azure Information Protection (version 1.45.32). Check it out.
      The client for the sensitivity labels is always a version 2.x.
