GCC-H AIP Manual Migration

by | Mar 5, 2021 | Technology | 0 comments

This article is contributed. See the original author and article here.

Azure Information Protection (AIP) unified labeling in Microsoft 365 provides organizations an integrated and consistent approach to creating, configuring, and applying labels and policies to protect information worker data across all locations. Workloads that can leverage unified labeling such as AIP unified labeling client and scanner, Office 365 apps, Office for web, SharePoint, OneDrive, MCAS and many more can apply these policies in a consistent manner. The AIP classic client and label management in the AIP Portal will be deprecated for sovereign clouds on September 30, 2021, therefore it is highly encouraged that administrators move their environment to unified labeling.


 


AIP unified labeling is generally available to Government Community Cloud High (GCC-H) environments and this release brings data discovery, classification, and protection capabilities to government Microsoft 365 instances.  


 


Activating unified labeling for GCC-H is quite different from commercial and regular GCC environments. Commercial and regular GCC environments require administrators to navigate to the AIP blade in the Azure Portal to activate unified labeling. “Activating unified labeling” is not relevant to GCC-H tenants. All GCC-H tenants are already enabled for unified labeling; therefore, this step is not required.


 


Once unified labeling is enabled, commercial and GCC clouds can migrate their AIP classic client labels directly to the Security and Compliance Center, whereas this is not applicable to GCC-H tenants. GCC-H tenants require a manual migration of their AIP labels and protection templates to the Security and Compliance Center.  


 


The benefits of migrating your labels from one portal to the next provides continuity and consistency of labels from your AIP classic environment to your Microsoft Information Protection ecosystem. Ideally, your end users will be using the same label name, label template and (optionally) protection template.


 


This blog gives an end-to-end use case example on how a GCC-H admin can migrate their parent label and sublabel with its corresponding protection template from the AIP Portal to the Security and Compliance Center. Additional information about label migration can be found in our official documentation.


 


Note: For new GCC-H tenants, label migration is not applicable. Please create new labels directly in the Security and Compliance Center.


 


Label Migration at a High Level


 


At a high level, below are the following steps to migrate AIP labels from the AIP Portal to the Security and Compliance Center:


 


1. Retrieve label(s) properties from the AIP Portal
2. Migrate label(s) from the AIP Classic Portal to the Security Compliance Center
3. Verify labels has been migrated to the Security and Compliance Center


Retrieve Label Properties from the AIP Portal


 


In this exercise, we will be migrating the parent label “Highly Confidential” with its corresponding sub label “All Employees”. First, we will retrieve the label properties and settings from the AIP Portal.


 


Note: When doing this exercise, administrators can retrieve all labels policies at one time.


 


Instructions:



  1. Navigate to the AIP Management Page within the Azure Portal

  2. Under Classifications, select “Labels”

  3. Select the parent label that you want to migrate. In this example we are migrating the label “Highly Confidential”


 


alsteele_0-1614876204876.png


Figure 1: Selecting parent label to migrate


 



  1. Document parent label properties and settings using a spreadsheet, notepad, etc. This information will be used later in PowerShell


alsteele_1-1614876204890.png


Figure 2: Parent label properties and settings


 














































Parent Label Property

Value

Name (internal name; must be unique)

Highly Confidential

Tooltip

Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.

Display Name (displayed to end users)

Highly Confidential

Identity

06960349-c5b2-465e-8d31-1652e5969da4

Parent ID

 

EncryptionEnabled

 

EncryptionProtectionType

 

EncryptionTemplateId

 

EncryptionAipTemplateScopes

 

Table 1: Parent label settings and properties


 



  1. Under Classifications, select “Labels” again

  2. Select the sub label that you want to migrate. In this example we are migrating sub label “All Employees”


 


alsteele_2-1614876204901.png


Figure 3: Selecting sub label to migrate


 



  1. Document sub label properties and settings using a spreadsheet, notepad, etc. This information will be used later for PowerShell


 


 


alsteele_3-1614876204910.png


Figure 4: Sub label properties and settings


 



  1. (Optional) If your sub label has encryption, you will need to get the protection ID. Select Protection in your sub label properties.  


 


alsteele_4-1614876204914.png


Figure 5: Sub label protection selection


 


 



  1. (Optional) Document sub label protection template ID using a spreadsheet, notepad, etc. This information will be used later for PowerShell.


 


alsteele_5-1614876204919.png


Figure 5: Sub label protection template ID


 














































Sub Label Property

Value

Name (internal name; must be unique)

All Employees

Tooltip

Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.

Display Name (displayed to end users)

All Employees

Identity

d90363e7-f9a6-43b6-b83f-ac66df2c3c01

Parent ID

06960349-c5b2-465e-8d31-1652e5969da4

EncryptionEnabled

True

EncryptionProtectionType

Template

EncryptionTemplateId

19989161-dacd-409c-ab97-48d1433e1de7

EncryptionAipTemplateScopes

allcompany@contoso.onmicrosoft.com

Table 2: Parent label settings and properties


 


Migrate AIP Labels to the Security and Compliance Center


 


In this section, we will be connecting to the Security and Compliance Center PowerShell module to migrate our AIP labels to the new management portal. 


 



  1. Open PowerShell in administrative mode

  2. Import Security and Compliance PowerShell Module


 

Import-Module ExchangeOnlineManagement

 



  1. Connect to Security and Compliance Center for GCC-H


 

Connect-IPPSSession -UserPrincipalName -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/

 


Example:


 

Connect-IPPSSession -admin@contoso.onmicrosoft.com -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/

 



  1. Migrate parent Label from Azure Portal to Security and Compliance Center using New-Label cmdlt in PowerShell  


 

New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113'

 


Example: Migrate parent label “Highly Confidential” from Azure Portal to Compliance Center using the parent label properties.


 


















































Parent Label Property

Value

Name (internal name; must be unique)

Highly Confidential

Tooltip

Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.

Comment

Highly Confidential Parent Label

Display Name (displayed to end users)

Highly Confidential

Identity

06960349-c5b2-465e-8d31-1652e5969da4

Parent ID

 

EncryptionEnabled

 

EncryptionProtectionType

 

EncryptionTemplateId

 

EncryptionAipTemplateScopes

 

 

New-Label -Name 'Highly Confidential' -Tooltip 'Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.' -Comment 'High Confidential Parent Label' -DisplayName 'Highly Confidential' -Identity ‘06960349-c5b2-465e-8d31-1652e5969da4'

 



  1. Migrate sub label from Azure Portal to Security and Compliance Center using ‘New-Label’ cmdlt in PowerShell


 

New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId 'a32027d7-ea77-4ba8-b2a9-7101a4e44d89' -EncryptionAipTemplateScopes "['allcompany@labelaction.onmicrosoft.com','admin@labelaction.onmicrosoft.com']"

 


Example: Migrate sub label “All Employees” from Azure Portal to Compliance Center using the sub label properties.


 


















































Property

Value

Name (internal name; must be unique)

All Employees

Tooltip

Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.

Comment

Highly Confidential All Employees sub label

Display Name (displayed to end users)

All Employees

Identity

d90363e7-f9a6-43b6-b83f-ac66df2c3c01

ParentID

06960349-c5b2-465e-8d31-1652e5969da4

EncryptionEnabled

True

EncryptionProtectionType

Template

EncryptionTemplateId

19989161-dacd-409c-ab97-48d1433e1de7

EncryptionAipTemplateScopes

contoso@contoso.onmicrosoft.com

 

New-Label -Name 'Highly Confidential All Employees' -Tooltip ' Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.' -Comment 'Highly Confidential All Employees sub label' -DisplayName 'All Employees' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113'-ParentId ‘06960349-c5b2-465e-8d31-1652e5969da4’ -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId ‘19989161-dacd-409c-ab97-48d1433e1de7' -EncryptionAipTemplateScopes "['allcompany@contoso.onmicrosoft.com']"

 


 


Verify labels has been migrated to the Security and Compliance Center


 


Finally, we will verify that our labels have been migrated from the AIP Portal by navigating to the new label management portal, the Security and Compliance Center.


 



  1. Sign in to the Security and Compliance Center for GCC-H

  2. Go to your Information Protection tab

  3. Verify your new labels has been created


 

alsteele_8-1614876638214.png


 


Figure 6: Security and Compliance Center label management


 


Note: Policies are not migrated from the AIP Portal to the Security and Compliance Center. Administrators will have to create new label policies in the Security and Compliance Center.  


 


Sunsetting Label Management in the Azure Portal and AIP client (classic)


 


We have a plan to sunset label management in Azure Portal and AIP client (classic) for Government Cloud Customers.  Meanwhile, Government Cloud Customers who own licenses for AIP will receive continued support for the classic client for 12 months after the general availability of unified labeling for Government Cloud. Government Cloud Customers who may need features that are not yet in the latest release of the unified labeling client can ask for additional extended support for the classic client here before September 30, 2021.


 


Azure Information Protection’s classic client and Label Management in the Azure Portal will be deprecated on September 30, 2021 for Government Community Cloud customers. For information on admin experience post deprecation date, check out this blog.


 


Note: AIP UL scanner management will still be available on AIP portal and will not be deprecated.


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Submit a Comment