Microsoft Purview – Information Protection – Clients

Posted by

Estimated reading time: 5 minutes

Some time ago Microsoft released the integrated client for Azure Information Protection. It allows your users to use labels and apply them to Office documents, by having this functionality built into the Office apps. This means that you no longer will need to install the so-called Unified Labeling client for these functions.

And this makes sense, on one level. Many people create and change documents in Microsoft Office. Either online or using the apps. And having basic information protection features build-in (which some were already) is logical. But bear with me….

As of 1/1/2022, Microsoft has placed this Unified Labeling client in what’s called a “Maintenance mode”. This means that no new functionality will be developed for this client and all efforts will go towards the integrated client.

So do you still need this Unified Labeling client or are there any caveats? Let’s take a look.

Unified Labeling client components

One of the things you need to consider is that the Unified Labeling client isn’t just an Office add-in that’s being installed when you deploy the client to the Windows endpoints. In addition, you will be provided with the File Explorer integration, a PowerShell module for Azure Information Protection, and a viewer for encrypted documents. In addition, the client is required for the Azure Information Protection Scanner – which is the basis for the on-premises DLP scanner as well.

Unified Labeling client – File Explorer integration

Let’s take a look at the viewer for a brief second. Why would you need that? That’s because of the encryption function. When documents are labeled and encrypted, the documents are changed. For Office and PDF documents, this is transparent. I.e.: the document extension will not change and you can open these documents in their clients. Although for PDF: you will need the Adobe add-in.

AIP Viewer opening protected JPG file

But other documents will be treated differently. Take a PNG file for example. When you label this file and the file is encrypted, then the PNG becomes a PPNG. And this goes for all other filetypes as well. And this is where the viewer comes in. These types of files (including PDFs) can be opened by the viewer.

Extention change for protected PNG file

So, this Unified Labeling client does still have merits. The features described above are not offered by the built-in client. So what about this client?

Build-in client

The build-in client offers feature-parity with the Unified Labeling client. To some degree, as already mentioned. However, the build-in client also comes with features that are not supported by the Unified Labeling client. And this is somewhat confusing. But let’s take a look at the features offered by the integrated client that are not supported by this Unified Labeling client.

  • Automatic and recommend labeling based on trainable classifiers, EDM, and names entities;
  • Detection of certain sensitive information;
  • Review and remove identified sensitive content in Word;
  • User assigned permissions granted to users or groups;
  • Encrypt-Only for emails;
  • Status bar showing label information;
  • Account switching;
  • Labeling cannot be disabled.

Especially the Encrypt-Only for emails function is very relevant. As you can select this option in the labeling portal, admins and users expect this option to work. However, it only works for this integrated client in Outlook.

User assigned permissions for a label

In addition to the functions provided by the Unified Labeling client (above – which are not part of the integrated client), these functions are not part of the integrated client. Some are in development or under review by Microsoft:

  • Label inheritance from e-mail (Outlook);
  • Custom permissions independently from the label;
  • The toolbar in Office;
  • BYOK/Double Key encryption;
  • Usage logging event viewer;
  • Do not forward button Outlook;
  • Document tracking/revoking;
  • Protection only mode;
  • Disabling labeling by admins;
  • Colors for labels;
  • Org-wide custom permissions by specifying domains (Office).

Use-cases for the Unified Labeling client

Are there still use-cases for the Unified Labeling client, as Microsoft is working towards this (new) integrated client? I would dare to say: yes.

If you still want to use specific custom configurations (for example – Outlook integration, specific warnings – see below), you do need the Unified Labeling client. Another very clear requirement might be the option to classify and label documents from the Windows File Explorer. As labeling for specific filetypes (PDF is a great example) is not supported by the native clients, using the File Explorer is the only option left.

Custom message based on labeled attachments in Outlook

Can these clients co-exist?

Let’s say you do want that new integrated client. Some features might suit your requirements and you don’t have the hassle of maintaining this client. But you do need the File Explorer integration (for example) and therefore the Unified Labeling client. Can these clients co-exist?

Yes, they can. In my opinion, this is not a recommended approach as it does complicate the management of your endpoint. But it is possible; You can disable the client from Office, and use the integrated client. The client itself can then still be used for the File Explorer integration and the Viewer function.

Unified Labeling client integration Word

In the end

Just to make this clear: the Unified Labeling client is not deprecated or being discontinued. It has entered maintenance mode and still functions as expected. (Bug) fixes will still be released, but new functionality will not.

But when implementing Microsoft Information Protection functions, you will need to take these two types of clients into consideration. And yes: two types. In this article, I did not address the classic Azure Information Protection (version 1.x) client – as this client has been deprecated and should not be used.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s