Microsoft are well down the track in migrating its cloud-based rights management solution from Azure into Microsoft 365 Compliance center (and along with it, changing a few names along the way!) Microsoft’s vision is to provide a more integrated and consistent approach to discovering, classifying, labelling and protecting sensitive data. An integral part of this integration is what occurs on the client side, meaning what happens inside Word, Excel, Outlook and other Office applications. Currently there are three different labelling clients:
- Classic client
- Unified labelling client
- Office built-in labelling client
The difficulty is knowing when to use each client. If you’re reading this after Match 31 2021, the decision has been made a bit easier for you because this is the date the classic client will be deprecated by Microsoft. As the classic client pulls the label and policy settings from the Azure portal, don’t deploy the classic client to your users if you’ve migrated your policies to the unified labelling experience in the Security and Compliance center, or created new policies here.
Unlike the classic client, the unified labelling client pulls its settings from the Security and Compliance portal, so you will need to copy any existing policies from the Azure portal to make sure users are able to consume them. It has been around for a while now and is almost at feature parity with the classic client. The main features missing which may have you second guessing the deployment of the unified labelling client are Hold Your Own Key (HYOK) and revoking protected documents. There are number of other features missing which can be found here, but generally, you will find everything you are looking for in the unified labelling client.
The last option is the built-in Office labelling client which (surprisingly) is built into the Microsoft Office applications. This is obviously the simplest deployment option as there isn’t actually any deployment requirements other than a supported version. Like the unified labelling client, it pulls its settings from the Security and Compliance portal. At this stage, only a subset of the information protection features are available in this client, so it’s a good idea to confirm it provides everything you want (use the link provided above to compare).
Like any new deployment, I would recommend piloting the implementation to a subset of your users to get a good . As always, feel free to reach out if you have questions or comments.
