How to create an Azure Information Protection Label

Azure information Protection (AIP) is a cloud-based classification system that offers organizations the ability to set an array of protection limits to documents and emails by applying labels. Please refer to Microsoft's documentation for more information on AIP and AIP labels.

All AIP labels are created and managed in the Microsoft Compliance center. Do note that your tenant must have either Azure Information Protection P1 license or Office 365 E3/E5 licenses (you do not need both).

Note: There are labels; that define which resources have restricted, protected access, and there are label policies; where you define who can see and apply the labels you have created. The label policy pushes out the restrictions configured in the label to certain M365 Groups

Creating and configuring a label

1. Locate information protection

Once at the home screen of the Microsoft Compliance center, click on the Information Protection located on the left side of the screen. You are now in the correct location to begin creating labels for your organization (Figure 1).

  Figure 1

2. Name and create tooltip for label

You will need to create a name and tooltip for the label. You'll be required to enter the following information (Figure 2):

• Name: For admins in the Compliance center
• Display name: What your users will see when the label is pushed out via Label Policy
• Admin description: An explanation of the label intended for admin use
• User description: An explanation of the label intended for users

  Figure 2

3. Define the scope for your label

Once the tooltip and label are created, you will need to define the scope for your label. The purpose of this step is to define what type of content the label can be applied to (Figure 3). The two available options are:

1. Files & emails
   1. Office application documents
   2. Outlook emails
2. Groups & sites
   1. Teams
   2. SharePoint site

In this tutorial, we are going to focus on the Files & emails definition.

  Figure 3

4. Configure encryption settings

Next, you will be configuring the settings for encrypting files & emails. Additionally, this step accounts for setting contenting marking (watermark, header, footer) should your organization require the settings (Figure 4).
Note: content marking is optional, but may be recommended for highly confidential data.

  Figure 4

5. Additional encryption settings

You can leave your Configure encryption settings as default for most cases unless you need any of the following:

• Assign permissions now or let users decide: Allows users to determine the permissions when applying the label to content
• User access if content expires: Define the duration of user-access to the document the label is being applied to. If a date is specified, the time begins when the label is being applied to the document
• Allow offline access: Determine if offline access is enabled. If disabled, users must be authenticated and their access is logged
• Assign permissions to users and groups: Define which groups or users have access when this specific label is applied to content
  
  • Choose permissions: Determine the type of permissions the group or users have access to

  Figure 5

6. Configure policy settings

This step allows for the configuration of content marketing policy settings. The settings can be configured either by watermark, header, or footer (Figure 6).

  Figure 6

7. Conditional label application

After policy settings have been set, you will be prompted to set permissions on labels to either:

• Apply labels to Office files if certain content conditions are matched
• Display a recommendation that users apply a label if certain content conditions are matched

For example, the screenshot below shows the settings in a highly confidential protection label recommending the user of the label because a US bank account number was found within the document (Figure 7).

  Figure 7

8. Review settings and submit

Lastly, review your new sensitivity label to ensure that all settings are correct. Once you've reviewed and confirmed all settings are correct, select Create label (Figure 8).

  Figure 8

You have now successfully created an Azure Information Protection label. Please note that users in your organization will not be able to view or apply this label to their content until you have created a Label policy.

Learn how to create a Label policy in our next article.