Generate Default Azure Information Protection AIP Labels

One of the areas in Office 365 and Microsoft Azure that really excites me is the Azure Information Protection (AIP) module which gives you the ability to classify and label Microsoft Office documents, (e.g. “Confidential, Internal, Public”), and then apply policies against these labels, allowing you to protect and prevent data leakage within your organisation.  Microsoft has also introduced Sensitivity Labels in the Security & Compliance Centre (SCC Portal) within Office 365, making this technology even more accessible without necessary investing in AIP.  There are still advantages with AIP over Sensitivity Labels for now and you can read about the differences here.

I came across a peculiar issue the other day that got me stumped for a while, where I was unable to Generate the Default Labels from the AIP Azure Portal. I prefer to Generate the Default Labels as it gives me a good basis to begin with, without the need to manually create these yourselfs. 

The process is simple and straightforward in most cases.  You navigate to the Azure Portal, search for Azure Information and then click on Labels below classifications.

On the side pane, you should see a button that says + Generate Default Labels.  Clicking this button should generate the default labels, but not in my case, and in this instance I was presented with the below error;

Error – Generating default labels failed Cannot create default labels because you already have sensitivity labels. If you don’t need your existing sensitivity labels, you can delete them, and then retry. Note that if you delete labels, you might have to wait up to 15 minutes.

So I navigated to the SCC Portal to just double check that there weren’t any rogue Sensitivity labels that were lingering around, and in my case, there were no labels.  Now I don’t always trust the UI so I thought I would check in the back end using PowerShell.

To connect to the Office 365 Security & Compliance Centre PowerShell using Multi-factor authentication, you will need to use the following instructions on installing the Exchange Online Remote PowerShell Module and you can find these instructions here 

Once you have installed the Microsoft Exchange Online PowerShell Module, launch a PowerShell session and connect to the SCC using the Connect-IPPSSession command as follows;

Connect-IPPSSession -UserPrincipalName [email protected]

In the sign-in Window that opens, enter your password, and then authenticate with your MFA.

Once you have authenticated you can run the following command to ensure you have connected successfully and that the Security & Compliance Centre cmdlets are imported correctly.

Get-RetentionCompliancePolicy 

Security & Compliance Centre

Now that we have confirmed connection, I will run the following command to see if there are indeed any sensitivity labels in the back end that aren’t necessarily showing from the front end SCC Portal.

Get-Label

Get-Label

Wham! There it is! So even though the SCC Portal was showing no labels being created, I was still unable to Generate the default AIP Labels due to the fact that AIP is still aware of sensitivity labels lingering in the back end.

The next logical step is to attempt to remove this label via the following command;

Remove-Label -Identity "Confidential"

However, I was thrown with the following Warning;

“We cannot remove rule ‘Confidential’ since it is already in pending deletion state”

Remove-Label

So I then re-ran the same command and this time appending it with a Force Deletion.

Remove-Label -Identity "Confidential" -ForceDeletion

ForceDeletion

After clicking Y to proceed, I re-ran the Get-Label command to confirm that there was nothing else present.

After confirming that was the case, I navigated back to the AIP Portal via Azure and was successful in Generating the Default Labels as follows.

Generate Default AIP Labels

If you have Unified Labeling already enabled, then you should also see these labels in Office 365 Security & Compliance Centre.

Generate AIP Sensitivity Labels

I hope you find this blog useful! 

Are you getting the most out of Office 365? GKM2 is a proud Microsoft Silver Cloud Partner and we’re experts at all things Microsoft as well as many other cloud solutions. Let us help you drive productivity and lower IT costs.

Let’s set up a cloud review today! Just call us at +61 2 9161 7171 or reach out online.