What is the difference between POLICY in Office Security vs Azure Information Protection?

KevinBoba 1 Reputation point
2020-08-26T20:41:39.883+00:00

All I wanted to do was to protect my files.

So I started by trying to create a sensitive label, but it required me to subscribe to AIP. My step process:

1. Create a label (Example. EVERYONE can VIEW, but NOT MODIFY this file)

So I started from
https://protection.office.com/sensitivity?viewid=sensitivitylabels

which made me start my subscription for AIP service, since I wasn't allowed to make labels without one.

So I pay and end up here and create my labels to fit my workplace needs.
https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade
Why are there two places for label making if they literally are essentially the same thing? lol.

----------

2. What are policies even used for?
I'm assuming policies are meant as a way to give a user permission to apply a label, as well as applying a "default" label for docs the user opens, (+some other custom settings).

Now here's where I'm so lost -

There are label policies @ https://protection.office.com/sensitivity?viewid=sensitivitylabelpolicies&flight=EnableMIPLabels

and they also exist @ https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/scopedpoliciesBlade

I've created my original labels with the rules I want in the Azure portal. These labels are reflected back in the protection.office page when I refresh.
HOWEVER, unlike with labels, these two policies pages are not identical.

I used the protection.office page to make my POLICY. (Purpose = give user permission to use label)
and for my Azure page I didn't do anything and left the default Global policy.

Now here's the weird part; when I open a Word Doc (under an account with the policy and labels enabled), nothing shows up. No label to select, not even after I enabled the protection ribbon, or in File>Protection Workbook settings (only had the default Restricted View and Unrestricted View settings).

So I go back to Azure and head to the Global Policy and I add all my custom labels there (and I can't edit USERS as it's greyed out).

NOW, I see my labels on Word that apply the rules I want, but my policies are random.

The policies aren't even in order. So what is even the point of allowing me to move it up and down in Azure and displaying the ORDER # in Office Security and Compliance page?


What purpose does Azure's policy page serve? I'm so confused why POLICIES have to be in two different places.
I'd be completely gone if I wasn't at least tech savvy; nevertheless, the Azure platform is without a doubt not new-user-friendly lol

Azure Information Protection

1 answer

  1. Marilee Turscak-MSFT 35,461 Reputation points Microsoft Employee
    2020-08-27T22:57:28.75+00:00

    Azure Information Protection is Azure-based. The other sensitivity labels are Office-based. If your organization has sensitivity labels configured in the Azure Information Protection portal, they need to be migrated to use them in Office apps. You can choose to use either the built-in labeling or the Information Protection labeling.

    See Choose which labeling client to use for Windows computers. Some of this is covered in the FAQ as well.

    The original client, referred to as the Azure Information client or the classic client, downloads labels and policy settings from Azure and enables you to configure the AIP policy from the Azure portal.

    The unified labeling client is a more recent addition and supports the unified labeling store used by multiple applications and services. The unified labeling client downloads sensitivity labels and policy settings from the Office 365 Security & Compliance Center, Microsoft 365 security center, and Microsoft 365 compliance center.

    As mentioned in the documentation,

    Label management for Azure Information Protection labels in the Azure portal is being deprecated March 31, 2021.

    If you are using Azure Information Protection labels because your tenant isn't yet on the unified labeling platform, we recommend that you avoid creating sensitivity labels until you activate unified labeling. In this scenario, the labels you see in the Azure portal are Azure Information Protection labels rather than sensitivity labels. These labels can be used by the Azure Information Protection client (classic) on Windows computers, but can't be used by devices running macOS, iOS, or Android. To resolve this, migrate these labels to sensitivity labels.

    The metadata applied by both sets of labels are compatible, so you don't need to relabel documents and emails when the migration is complete . . .

    When you use sensitivity labels in Microsoft 365 Apps for enterprise apps on Windows computers, you have a choice of using an Azure Information Protection client, or use labeling that's built into Office.
