Quickstart: Create a new Azure Information Protection label for specific users

Applies to: Azure Information Protection

Relevant for: Azure Information Protection classic client for Windows

Note

To provide a unified and streamlined customer experience, we are sunsetting the Azure Information Protection classic client and Label Management in the Azure Portal as of March 31, 2021. No further support is provided for the classic client, and maintenance versions will no longer be released.

  • The classic client will be fully retired, and will stop functioning, on March 31, 2022.
  • As of March 18, 2022, we are also sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022.

The content in this article is provided to support customers with extended support only. For more information, see Removed and retired services.

In this quickstart, you'll create a new Azure Information Protection label that only specific users can see and apply to classify and protect their documents and emails.

This configuration uses a scoped policy.

Time required: You can finish this configuration in less than 10 minutes.

Prerequisites

To complete this quickstart, you need:

Requirement Description
A supporting subscription You'll need a subscription that includes Azure Information Protection.
AIP added to the Azure portal You've added the Azure Information Protection pane to the Azure portal, and confirmed that the protection service is activated.

For more information, see Quickstart: Get started in the Azure portal.
An emailed-enabled group in Azure AD You'll need an emailed-enabled group in Azure AD that contains the users who will see and apply the new label.

If you don't have a suitable group, create one named Sales Team and add at least one user.
Classic client installed To test the new label, you'll need the classic client installed on your computer.

The Azure Information Protection classic client is being sunset in March 2021. To deploy the AIP classic client, open a support ticket to get download access.

For a full list of prerequisites to use Azure Information Protection, see Requirements for Azure Information Protection.

Create a new label

Note

Azure Information Protection is not currently supported on Microsoft Azure operated by 21Vianet portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.

First, create your new label.

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs, start typing Information and select Azure Information Protection.

    If you are not the global admin, use the following link for alternative roles: Signing in to the Azure portal

  2. Under Classifications, select Labels, and then click + Add a new label.

  3. On the Label pane, specify at least the following fields:

    Field Description
    Label display name A name for the new label that users will see, and that identifies the classification for the content.
    For example: Sales - Restricted
    Description A tooltip to help users identify when to select this new label.
    For example: Business data that is restricted to the Sales Team.
  4. Make sure that Enabled is set to On (the default), and select Save Save.

    Select the X at the top-right to close the New label pane.

Add the label to a new scoped policy

Now, add your newly created label to a new scoped policy.

  1. At the left again, under Classifications, select Policies, and then click Add a new policy.

  2. In the Policy name field, enter a meaningful value that describes the users who will see your new label.

    For example, Sales.

  3. Select the Select which users or groups get this policy row to open the AAD Users and Groups pane.

  4. On the AAD users and Groups pane, search for and select the group that you identified in the prerequisites, such as Sales Team.

    Click Select to close the pane.

  5. Back on the Policy pane, under Label display name, click Add or remove labels.

  6. On the Policy: Add or remove labels pane, select the label that you created, for example, Sales - Restricted, and then select OK.

  7. Back on the Policy pane, select Save Save.

Your new label is now published just to the members of the group that you specified.

Test your new label

To test this label, you need a minimum of two computers because the Azure Information Protection client does not support multiple users on the same computer:

  • On your first computer, sign in as a member of the Sales Team group. Open Word and confirm that you can see the new label. If Word is already open, restart it to force a policy refresh.

  • On your second computer, sign in as a user who isn't a member of the Sales Team group. Open Word and confirm that you can't see the new label. As before, if Word is already open, restart it.

Clean up resources

Do the following if you do not want to keep this label and scoped policy:

  1. From the Classifications > Policies area: On the Azure Information Protection - Policies pane, select the context menu (...) for the scoped policy you've created. For example, Sales.

  2. Select Delete policy and if you're asked to confirm, select OK.

  3. From the Classifications > Label area: On the Azure Information Protection - Label pane, select the context menu (...) for the label you've created. For example, Sales - Restricted.

  4. Select Delete this label and if you're asked to confirm, select OK.

Next steps

This quickstart includes the minimum options so that you can quickly create a new label for specific users, using the classic client. For full instructions, see the following articles:

In addition, if you want the label to protect the content such that only members of the Sales Team could open it, you will need to configure the label to apply protection. For instructions, see How to configure a label for Rights Management protection.