Unified Labeling in Azure Information Protection

Microsoft’s Rights Management Services (RMS) first debuted as a role in Windows Server 2003. It was then made available in Office 365 as Azure Rights Management, eliminating the hassle of hosting on-premises RMS server roles. When Microsoft acquired ‘Secure Islands’ in late 2015, that brought classification and labeling into the product, and so it was re-branded as Azure Information Protection. And then in 2018, support for both Mac OSX and Microsoft Windows required re-branding it into a more heterogenous name, as it is currently called Microsoft Information Protection.


The product is available in various license options:

  • Office E3 includes Rights Management for Office 365. This is the bare minimum RMS capabilities such as encrypting emails and documents, but it lacks customization and the latest bells and whistles.
  • EMS E3 includes Azure Information Protection, which adds the Secure Islands classification and labeling features, document tracking, revocation, and on-premises AIP Scanner functionality to scan and search for PII data in on-premises file shares and on-premises SharePoint.
  • EMS E5 adds the ‘Automatic Classification’ feature which will scan the content of a document and apply encryption, classification and labeling to a document. The AIP Scanner functionality is also extended to include encryption of data at rest that it finds in on-premises file shares and on-premises SharePoint.
  • M365 E5 which includes Windows 10 E5, is called “Microsoft Information Protection” because it extends protection to include data discovered on the Windows 10 endpoint. It can then prevent users from copying files to USB drives or unsanctioned locations. This feature also appears in the Office 365 Security and Compliance Center when configuring ‘Endpoint DLP’ as part of the DLP Policies. It leverages a combination of technologies including Windows Information Protection (WIP) and Mobile Application Management (MAM) policies on Windows 10.



On April 16th 2019, Microsoft announced (here) the general availability of the Unified Labeling Client. This is an MSI client software that can be distributed to Windows workstations that shows the labels found in the Security and Compliance Center’s Classification portal. Microsoft’s best practice is that if you have not yet deployed any of the legacy AIP labels, they suggestion you configure the new Unified Labels, distribute the new client (download here) (ending in *ul.exe) and be aware of the limitations that exist (here).


Join this free Microsoft webinar on Thursday, May 23rd at 7:00 AM PT to learn how to enable it, and the value that it brings to your organization: https://aka.ms/AIP-UL-Webinar