Microsoft Purview – Information Protection – Clients

Estimated reading time: 5 minutes

Some time ago Microsoft released the integrated client for Azure Information Protection. It allows your users to use labels and apply them to Office documents, by having this functionality built into the Office apps. This means that you no longer will need to install the so-called Unified Labeling client for these functions.

And this makes sense, on one level. Many people create and change documents in Microsoft Office. Either online or using the apps. And having basic information protection features build-in (which some were already) is logical. But bear with me….

As of 1/1/2022, Microsoft has placed this Unified Labeling client in what’s called a “Maintenance mode”. This means that no new functionality will be developed for this client and all efforts will go towards the integrated client.

So do you still need this Unified Labeling client or are there any caveats? Let’s take a look.

Unified Labeling client components

One of the things you need to consider is that the Unified Labeling client isn’t just an Office add-in that’s being installed when you deploy the client to the Windows endpoints. In addition, you will be provided with the File Explorer integration, a PowerShell module for Azure Information Protection, and a viewer for encrypted documents. In addition, the client is required for the Azure Information Protection Scanner – which is the basis for the on-premises DLP scanner as well.

Let’s take a look at the viewer for a brief second. Why would you need that? That’s because of the encryption function. When documents are labeled and encrypted, the documents are changed. For Office and PDF documents, this is transparent. I.e.: the document extension will not change and you can open these documents in their clients. Although for PDF: you will need the Adobe add-in.

But other documents will be treated differently. Take a PNG file for example. When you label this file and the file is encrypted, then the PNG becomes a PPNG. And this goes for all other filetypes as well. And this is where the viewer comes in. These types of files (including PDFs) can be opened by the viewer.

So, this Unified Labeling client does still have merits. The features described above are not offered by the built-in client. So what about this client?

Build-in client

The build-in client offers feature-parity with the Unified Labeling client. To some degree, as already mentioned. However, the build-in client also comes with features that are not supported by the Unified Labeling client. And this is somewhat confusing. But let’s take a look at the features offered by the integrated client that are not supported by this Unified Labeling client.

• Automatic and recommend labeling based on trainable classifiers, EDM, and names entities;
• Detection of certain sensitive information;
• Review and remove identified sensitive content in Word;
• User assigned permissions granted to users or groups;
• Encrypt-Only for emails;
• Status bar showing label information;
• Account switching;
• Labeling cannot be disabled.

Especially the Encrypt-Only for emails function is very relevant. As you can select this option in the labeling portal, admins and users expect this option to work. However, it only works for this integrated client in Outlook.

In addition to the functions provided by the Unified Labeling client (above – which are not part of the integrated client), these functions are not part of the integrated client. Some are in development or under review by Microsoft:

• Label inheritance from e-mail (Outlook);
• Custom permissions independently from the label;
• The toolbar in Office;
• BYOK/Double Key encryption;
• Usage logging event viewer;
• Do not forward button Outlook;
• Document tracking/revoking;
• Protection only mode;
• Disabling labeling by admins;
• Colors for labels;
• Org-wide custom permissions by specifying domains (Office).

Use-cases for the Unified Labeling client

Are there still use-cases for the Unified Labeling client, as Microsoft is working towards this (new) integrated client? I would dare to say: yes.

If you still want to use specific custom configurations (for example – Outlook integration, specific warnings – see below), you do need the Unified Labeling client. Another very clear requirement might be the option to classify and label documents from the Windows File Explorer. As labeling for specific filetypes (PDF is a great example) is not supported by the native clients, using the File Explorer is the only option left.

Can these clients co-exist?

Let’s say you do want that new integrated client. Some features might suit your requirements and you don’t have the hassle of maintaining this client. But you do need the File Explorer integration (for example) and therefore the Unified Labeling client. Can these clients co-exist?

Yes, they can. In my opinion, this is not a recommended approach as it does complicate the management of your endpoint. But it is possible; You can disable the client from Office, and use the integrated client. The client itself can then still be used for the File Explorer integration and the Viewer function.

In the end

Just to make this clear: the Unified Labeling client is not deprecated or being discontinued. It has entered maintenance mode and still functions as expected. (Bug) fixes will still be released, but new functionality will not.

But when implementing Microsoft Information Protection functions, you will need to take these two types of clients into consideration. And yes: two types. In this article, I did not address the classic Azure Information Protection (version 1.x) client – as this client has been deprecated and should not be used.