Microsoft Information Protection: Planning Your Sensitive Labels

Hey guys and girls, hope you guys are having a great weekend! Remember to stay healthy and stay safe as your priority.

Today’s blog is more towards talking about the Microsoft information protection labels, how to plan before deploying it. Each organization has their own preferences and requirements. Planning is a crucial part of every deployment especially when the deployment would have to roll-out to the users to use it for their daily work. Layman is the key to the users understanding.

Some organization have a compliance team and some does not have it. Having a compliance team would able to make this deployment much more clearer in terms of what the organization needs. If the organization does not have a compliance team, then we would help to identity together in terms what do they require only. Labels are structure in the form of priorities, so best to make it simple, and easier for administrator to manage too.

Phase 1: Give them the feel and look

Microsoft do provide default labels to organization, you can roll-out these default labels to smaller team or compliance team, allowing them to play around with it for a period of time. This allows them to have an idea how sensitive labels works and coming out a template would be easier for them. Having a template is the quickest way and easier way to roll-out the labels.

Default labels

Phase 2: Feedback and Drafting Template

Getting feedback and drafting template phase, is a closer phase to rolling out the labels that suits the organization needs. In this phase, there are few items that you would need to involve into and would take a bit of time,

  • Categories the labels based on location (Exchange online, SPO, OneDrive and etc)
    • There is difference in terms of protection features for each location
  • What can or can’t do in the labels
  • Users description about the labels (keep it as layman as you can)
  • Priority of the labels
  • Design structure of the labels/sub-labels (Simple is better)
  • Permissions (Flexible or Set)
  • Action for the priority labels (Flexible, Warning or Strict-Justification)
  • Customization notifications (Majority would decide to maintain the default, so you don’t need to spend too much time on this part)

Here are some design types that you can reference,

Design type 1

This design is for organization that would like to remain some default labels, and has new labels for other departments and its purposes. No sub-labels to be manage.

Design type 2

This design is for organization that would wish to keep some default labels but does not want to have other new labels to manage. Has sub-labels to manage.

Design type 3

This design is for organization that would like to manage their labels in the form of departments and with each department has their own labels. I wouldn’t recommend this though, because is complicated. As I mention earlier, labels are arrange in the form of priority.

Phase 3: Final Template

This is the phase where you can start to roll-out the final template of the labels back to the small team or compliance team to give it one last confirmation.



Azure: Troubleshoot Azure Information Protection installer via Intune

What’s up ladies and dudes!

Today’s topic is about the Azure Information Protection installer, yes is the MSI installer, AzInfoProtection_UL.msi.

Every MSI application you would need to use this following command to install them into the machine “msiexec /i <application name> /quiet“, but somehow for this case YOU DON’T NEED IT!

Basically you would just leave the command-line arguments empty.



Azure Information Protection: Office application prompt for privacy notice

Microsoft provide notice to end users that has Azure Information Protection enabled and Policy has set to them. It does not matter either you are on Azure Information Protection Classic or Unified labeling.

When you first launch your office application or relaunch it you will get this notice.

A privacy notice such as below;


aOSKL 2019: My First Ever Workshop – Coming Soon


I am glad to got accepted again for this aOSKL event, but there is a challenge to this, that is it is a workshop, 2 hours of workshop. Am I going to just read through slides? (That will be so boring….duhhh) What will my workshop consist? Well, are you interested to know? Come register and join my workshop! Seats are limited, first come first served.

“Sabrina Kay always hunger for challenges!”

Here is the link aOSKL 2019, to help you to find out more what this events has 🙂


Differences of AzInfoProtection and AzInfoProtection_UL client application

When unified labeling was announce that it is no longer in Preview mode, and here it comes the new application called, AzInfoProtection_UL, you could find the link to download this application at the references below of this post. There is the Preview application called, AzInfoProtection_UL_Preview.

Before unified labeling, the only application has for Azure Information Protection is AzInfoProtection (Classic client). So what so different about them? Before we jump into getting to know what are the differences, let’s understand the definition or meaning.

Classic client

Azure Information Protection is a new enhancement of rights management and it is manage from Azure portal. If you need scanner and HYOK (your own key) then you install AzInfoProtection.exe (User Profile based installer) or AzInfoProtection_MSI_for_central_deployment (System installer) client application.

Classic client

Classic client

This part shows Azure labels and Office 365 Sensitivity labels. Let’s take “DLP View Only” is a label custom created from Office 365.


Unified labeling

Azure Information Protection with Unified Labeling was just announce somewhere the month of June or July 2019. Unified Labeling means that your labels can be manage either from the Azure portal or from Office 365 Security and Compliance portal. This feature is enabled by default. You can migrate your labels from Azure to Office 365 Security and Compliance. Unified Labeling supports for more Office 365 products, such as Microsoft Teams. If you do not need HYOK protection (your own key)  or the scanner, then you install AzInfoProtection_UL.exe (User Profile) or AzInfoProtection_UL_MSI_for_central_deployment (System installer) client application.

This is how it looks like first install, notice the icon is different

Select on the “Sensitivity” icon and click “Show Bar”

These are my Office 365 Sensitivity labels

If you would like to deep-dive the comparison of these 2 application here is a helpful link.





Azure Community Singapore First Live YouTube Video! Topic: Azure Information Protection and Azure Sphere

Good day everyone! Keep staying positive even the day is bad. As a community member for Azure Community Singapore since the month of July or August 2019, this community is not just answering questions, this community has a monthly speaking meetup and yea I joined, I was “like yea, I would like to join and share about Information Protection”. However, the downside is that I can’t travel to Singapore every month just for this speaking meetup. Discuss and Discuss and they reach an end result, “let’s try doing it as YouTube Live!”.

The community set up 2 sessions, Azure Information Protection by Sabrina Kay and Azure Sphere by Snake Chia.

We went through twice of the rehearsal after working hours, the first rehearsal was to test out how we can do YouTube live with multiple users, we faced challenges like internet congestion and delay, try out implement QoS on the machine, hopes to improve connectivity and communication. On the last rehearsal, we did a dry run and getting the timeline and order of switching speaker, making sure everything fines. Thanks for pulling this rehearsal together.

The first YouTube Live just below this link:

[September 2019 Meetup] Azure Information Protection and Azure Sphere

Thanks, Marvin Heng, Goh Chun Lin, and Snake Chia! 🙂

PowerShell: Goodbye old Azure Rights Management module

Today I decided to say goodbye to a PowerShell command module, its name is Azure Rights Management, for short AADRM. Why? If you remember or read my old blog post about Rights Management in Azure then you know why I am saying Goodbye to it. Remember the old Azure Portal?

Before saying Goodbye, I was glad to experience this generation of Azure Rights Management, in 2017 and seeing the improvement and growth of it makes me happy. Now I am moving forward to the AIP Service module, where the new Rights Management named “Azure Information Protection”. AADRM End-of-life is on July 2020. During my first experience with AADRM, it was quite complicated to understand and manage it, because of its commands different from what I usually do.

Alright to install AIP Service module, what you should do first? When you already have AADRM installed, you have to uninstall it via PowerShell Run as Administrator. If you try to install the AIP Service module before uninstalling AADRM, it will give you an error saying “You already have the following commands ‘Get-AADRM and etc…’“.

This new AIP Service Module contains the new commands which are the AIP Service commands, don’t worry this new module still has the AADRM commands.

aip01.PNG If you happen to have MFA enabled, AADRM module and the new AIP service module does support.



Azure Information Protection and Unified Labeling (No longer in Preview)

This post has been in my draft, just got too much to handle this few months and I am terribly embarrassed about holding this post in draft. *Gomeinasai*

Last few weeks, I notice that there is a new Azure Information Protection version of the client, it was released on 14th July 2019, stating that it comes with unified labeling. I was a slight surprise “Is it true? that unified labeling is no longer in preview mode?”.


Before it was announced that it is no longer in preview mode, I had to do the manual integration and it will cause the Security and Compliance’s Data Leak Protection Policy to crash via GUI. I had to use force command to remove the Data Leak Protection policy, via PowerShell.

Manual integration involving SharePoint settings, Security and Compliance, and Azure Information Protection. However, this may win theoretically but technically is not working that well for me though. Well, it was a tough experience but good to go through it.

I tried many ways to get it working but it will crash. “Updating…” status will just stay there for more than 48 hours! *faint*

Anyway, is good to know that Unified labeling is no longer in preview mode. You can manage your labeling in Security and Compliance too by migrating the Azure Information Protection Labeling (AIP). Just to make sure no duplicates labeling in Security and Compliance before migrating.


Azure Information Protection: Install Azure Information Protection Application for Windows Client

If your Windows client is a joined to the domain and has limited privilege, to download software or applications. Thus, requirements a local administrator or an administrator account to proceed with these changes.


  1. Supported Windows
  2. Supported Office Application
  3. The Internet
  4. Browers


  1. Browse to Microsoft Download
  2. Once you have finish download, double click on the installer
    • az02.png
  3. Select “I agree”
    • az01
  4. Select “close”, once completed
    • az03.png
    • az04.png
  5. You will find the Azure Information Protection Viewer application shown and your office application has the Azure Information Protection labels shown too
  6. Select Start or Windows button
    • az05.PNG


There is another way to have this installed in the client’s device that is joined to the domain, which is through GPO (Group Policy Management).

Azure Information Protection: Overview Default labels on Office application

I am having an Office ProPlus application, using Windows 10 Pro. Azure Information Protection stands for AIP. I will use AIP term throughout this post. Making sure AIP is enabled at the Global administrator side.

If you are wondering “Hey, I do not want my users to be having the privileged to uninstall AIP application from their devices”, well I will explain more on the next post 🙂 !


  1.  An office 365 account
  2. Supporting Office 365 License
  3. Supporting Windows Client/Server
  4. Azure Information Protection Application

Just to show you how the labels look like for each of the Office application (Outlook, Word, PowerPoint, and Excel),

Outlook Without AIP


Outlook with AIP


Word without AIP


Word with AIP


Excel without AIP


Excel with AIP


PowerPoint without AIP


PowerPoint with AIP