How to re-label documents classified with a deprecated sensitivity label

by Contributed | Mar 17, 2021 | Technology

This article is contributed. See the original author and article here.

We have a guest post today from @thibaudcolas from our Services Team.

Disclaimer: With the introduction of cross platform co-auth support announced recently at Ignite (Announcing co-authoring on Microsoft Information Protection-encrypted documents and labeling updates), this capability will change in the future as the metadata location used to store the sensitivity label will change and not be readable by this approach, once co-auth support is enabled in your tenant (which is not the case by default). 

The purpose of this process is to allow the re-classification of existing documents classified with a deprecated sensitivity label to a new one. This process mainly aims to reclassify files which have been manually classified and which are not reachable by the AIP scanner. Files not matching these criteria can also be addressed, but other solutions exist (e.g. MCAS).  

A deprecated label is a label which cannot be used anymore for technical reasons. An example could be when a label used to classify documents becomes a top label (sub-labels have been introduced). Then, as documents cannot be classified with a top label, these legacy items may fail some mechanisms (e.g. attachment’s inheritance to mail or sensitivity labels as a condition with M365 DLP). 

Notes:  

1. When possible, renaming the display name of a label should be preferred as it does not imply any significant configuration changes while still allowing changing the user interface. 

1. Keep in mind, Microsoft recommends implementing in production a classification taxonomy the most tailored to organizations’ needs from Day 1, avoiding having to deal with such situations. 

Context:  

Contoso had the following classification taxonomy: 

Contoso used to have a label “Confidential” which was set as a default label for all new documents. Therefore, a significant amount of newly created and edited documents has been classified as “Confidential”.  

Then, the classification has been updated by the introduction of two sub-labels:

To ensure “Confidential” documents can still be protected by M365 DLP or benefit the attachment’s inheritance to mail, they must be reclassified to “Confidential – All Employees”. 

Requirements: 

• Compliance admin role 


• PowerShell module to access SCC 


• Access to Microsoft Compliance portal 


• Information in the matrix below 


• AIP UL client 
  
  
  
  • This process is not supported with Office built-in labeling feature (Windows, Mac, Mobile devices, and Web). 
  
  
  
  

* : Open a “Confidential” document > click File > Info > Properties > Advanced Properties > Custom 

** : Use “Get-Label -Identity “Confidential-new” | fl” 

Note: This process relies on the utilization of the advanced setting “LabelByCustomProperties”. This one only works with properties it “does not know”, which includes metadata applied by the client. As long as the deprecated label will exist in the tenant, the advanced setting will not work as it “knows” its associated custom properties. For this reason, the deprecated label must be deleted. 

Solution: 

We will recreate the “Confidential” label and sub-labels structure with a new label which will looks identical for end-users. 

Note: This process should be transparent for end-users if no one opens a new Office app during the process. However if it happens, the user will receive the policy as it is at this moment. Once the process completed, sensitivity labels will look identical for end-users. 

1. In SCC portal, change the display name of label “Confidential” to “Confidential.”
   
   
   
   • This is to make the display name “Confidential” available again and minimizing impact on user experience.
   
   
   
   


2. In SCC portal, create a new label “Confidential-new” with “Confidential” as Display name.
   
   
   
   • All future mentions of labels in this process refers to Name and not DisplayName.
   
   
   
   


3. In SCC portal, adjust the order of “Confidential-new” label to be located between “General” and “Confidential” labels.
   
   
   
   • Click of the “…” button of the label “Confidential-new” and “move up or down”).
   
   
   
   


4. In SCC portal, select the appropriate label policy(ies) and add the new label “Confidential” for publication.
   
   
   
   • This is required to migrate sub-labels which are already published.
   
   
   
   


5. Change the parent label of sub-labels “All Employees” and “User-Defined Permissions” from “Confidential” to “Confidential-new”.
   
   
   
   • In a PowerShell session, connect to SCC and run below commands:
     
     
     
     • Set-Label -Identity “All Employees” -ParentId $null
     
     
     • Set-Label -Identity “All Employees” -ParentId <Confidential-new_ImmutableID>
     
     
     • Set-Label -Identity “User-Defined Permissions” -ParentId $null
     
     
     • Set-Label -Identity “User-Defined Permissions” -ParentId <Confidential-new_ImmutableID>
     
     
     
     
   
   
   
   


6. In SCC portal, unpublish label “Confidential” from all policies.


7. In SCC portal, delete the label “Confidential”.
   
   
   
   • Before moving forward, ensure with below PowerShell cmd the label has correctly been deleted. It can take few minutes for a label to disappear
     
     
     
     • Get-Label
     
     
     
     
   
   
   
   


8. Set the advanced setting “LabelByCustomProperties” to automatically reclassified “Confidential” documents as “Confidential-new / All Employees” when opened.
   
   
   
   • Set-Label -Identity “All Employees” -AdvancedSettings @{LabelByCustomProperties=“reclassificationrule,MSIP_Label_<Confidential_ImmutableID>_Name,Confidential”}
   
   
   
   


9. Verify the advanced setting has correctly been set
   
   
   
   • (Get-Label -Identity “All Employees”).Settings
   
   
   • The setting “labelbycustomproperties” should be listed.
   
   
   
   


10. Try to consume a “Confidential” document in new Word session
    
    
    
    • The label should be automatically updated to “Confidential-new / All Employees”, and it will work the same way for any documents classified “Confidential” and which be consumed with AIP UL client in future.
    
    
    • If ever it does not work, it may be the client did not download the last policy version. In that case, try following options:
      
      
      
      • Restart Word.
      
      
      • Reset AIP UL client settings (Sensitivity > Help and Feedback > Reset Settings).
      
      
      
      
    
    
    
    

Note: This process should be transparent for end-users if no one opens a new Office app during the process. However if it happens, the user will receive the policy as it is at this moment. Once the process completed, sensitivity labels will look identical for end-users. 

Thanks for reading and we hope you find this useful! If you haven’t already, don’t forget to check out our resources available on the Tech Community.

Thanks!

@Robin_Baldwin on behalf of the MIP and Compliance CXE team