Reading time: 5 minutes
Microsoft just released a newsletter on Microsoft Purview Information Protection. An important part of this newsletter was the use of the required client. In this blog I want to elaborate on this a bit more.
Whenever I do a presentation or session on Microsoft Purview Information Protection, I always include a section on the use of the client. Because this is an important subject that is sometimes not well understood or appreciated.
In January 2023 Microsoft published a newsletter on Microsoft Purview Information Protection topics, including some roadmap items. The newsletter also includes information on working with different clients. In the meantime, I was planning to write this blog article 🙂
Information Protection clients
In a nutshell, Microsoft Purview Information Protection [MIP] comes with three clients. Yes, bare with me on this. First, there is the classic and deprecated Azure Information Protection client. This is recognizable by its version: 1.x. But again – this one has been deprecated for some time and should not be used!
This 1.x version of the client has been replaced by the so-called Unified Labeling client for some time. And this replacement was not just on the client side. If you were still using Azure Information Protection, the Information Protection backend needed to be migrated too. When using this client, the version number would be 2.x. Microsoft now refers to the client as the bold-on client.
This Unified Labeling client is now in maintenance mode and is soon to be replaced by the built-in client for M365 apps. Maintenance mode does not mean that the client is deprecated. But any new features will only be released for the M365 Apps client. An example of this is the feature for inheriting the label in Word to the exported version in PDF. This only works when using the M365 Apps client.
The M365 Apps client, also called the built-in client, is directly integrated into M365 apps. You don’t have to install or configure this client. It comes in your apps. Which is very convenient from an administrator’s perspective.
Build-in becomes mandatory
The main reason for writing this article was a section on the Microsoft Learn page on these clients. In addition to much important information on the clients, it also contained this message.
Please note the “the AIP add-in is disabled by default” section. Yes – Microsoft will deactivate the Unified Labeling client (or the AIP add-in as it’s called here) by default when the built-in version is available. By the way – Microsoft does offer you the option to override this. Please refer to this page for more information.
As you can see on the screenshot, this change is not immediate. Microsoft will wait for the appropriate M365 Apps version when making this change. But it will be important to look at the differences between clients – so you can make your own assessment of the possible impact.
To be fair – the M365 Apps built-in version for Information Protection has come a long way. And a lot of features offered by the Unified Labeling client are also available in this built-in version.
But there are differences. And let’s take a look at these. And we’ll look at the features only offered by the built-in client and the Unified Labeling client. But first of all – features that are on the roadmap. These are features that are currently in preview. So we can expect these to become available any time:
- Visibility of labels on a toolbar (something that does help with the adoption of the labels);
- Label colors (you can set these in the portal already);
- User-defined permissions (not a big fan, but still part of the Unified Labeling client);
- Setting a default sublabel.
Unified Labeling client only
Because the built-in client does not require any installable components, it is not integrated into the Windows operating system. This means that only the Unified Labeling client offers these functions:
- Applying labels to different types of files using the Windows (File) Explorer right-click function;
- The AIP Viewer client for opening and displaying encrypted files that cannot be opened using their respective clients (for example an encrypted PNG);
- The AIP PowerShell module with cmdlets;
- The installable client for the AIP Scanner;
- Double Key Encryption.
You still can use both clients if you need these functions. But in Office, the Unified Labeling client will be deactivated. And for the AIP Scanner (which is also used for Microsoft Purview on-premises DLP), the client is still required.
The more complex use of Double Key Encryption [DKE] is only supported by the Unified Labeling client. Although this function offers very stringent encryption for documents, it comes with other limitations as well. It only works in M365 Apps (with the Unified Labeling client, as mentioned) and breaks any co-authoring and auto-save options.
Unified Labeling client – advanced customizations
Another component for the Unified Labeling client is the option to set specific advanced customizations. These work only with this client and can be used to set specific pop-up messages in Outlook (for example). Most of these customizations can now be set either in MIP or by using DLP rules. But there is still something left over. These customizations only work for the Unified Labeling client:
- Label inheritance for email attachments;
- Pop-up messaging in Outlook;
- Removing external content markings (for PowerPoint).
If you are still using these features or are planning to use them, beware: these only work with the Unified Labeling client. Anyone wanting to use these features, needs this client installed.
M365 Apps build-in features only
This will become the default client. It is integrated into the M365 Apps, so you can use the MIP labels in Word, PowerPoint, Excel, and Outlook. What about PDFs? Well, Adobe has integrated the MIP functions into its products. And opening labeled PDFs is also possible in Microsoft Edge. Microsoft also has integration partners that integrate the MIP functions into their products.
The built-in client is to be the default client for knowledge workers, working mostly on Office and PDF documents. Any new functions will only become available for this client. To name a view:
- Automatic classification using trainable classifiers, exact data match, and named entities;
- Real-time detection of sensitive information;
- Reviewing and removing sensitive content;
- Encrypt-only for email messages;
- Protecting meeting invites (Teams Premium – now in preview);
- Inhertic label when “save as PDF”;
- Support for account switching;
Some of these features will become available, whilst others are already here. Some of the features will be nearly identical to the ones in the Unified Labeling client, whilst others will look different. The “sensitivity bar” in Office is not coming back. It will be represented as displayed here:
But beware. The built-in client also acts differently sometimes. A good example of this is the mandatory label setting. When using the unified labeling client, this check for a mandatory label is done when the document is saved or closed. But the built-in client checks when the document is opened (or saved)!
Microsoft has published a very nice playbook for working with different clients. I do encourage you to take a look. The two points I do want to make clear:
- Change is coming – the M365 Apps build-in client will become the standard and the Unified Labeling client will be deactivated from Office Apps by default;
- If you still need some of the specific functions, install and use the Unified Labeling client on specific machines;
- Inform your people of this change. Although the clients do look similar, this is not the case. Perhaps you have specific adoption material that needs to be revised. Look into this. You still have time 🙂