Why choose built-in labeling over the AIP add-in for Office apps

Microsoft 365 licensing guidance for security & compliance.

When you use sensitivity labels in Microsoft 365 Apps on Windows computers, you have a choice of using labeling that's built into Office apps, or an add-in from the Azure Information Protection (AIP) unified labeling client.

Built-in labeling forms the cornerstone of a Microsoft Purview information protection deployment because this labeling technology extends across platforms (Windows, macOS, iOS, Android, and web), as well as across Microsoft apps and services, and beyond. Built-in labeling is also designed to work with other Microsoft Purview capabilities, such as data classification and Microsoft Purview data loss prevention (DLP).

Because built-in labels don't use an Office Add-in, they benefit from more stability and better performance. They also support the latest Microsoft Purview features, such as advanced classifiers.

By default, built-in labeling is turned off in Office for Windows apps when the AIP client is installed. You can change this default behavior by using the instructions in the following section, How to disable the AIP add-in to use built-in labeling for Office apps.

When you keep the AIP client installed but disabled in Office apps, the other capabilities of the AIP client remain supported:

  • Right-click options in File Explorer for users to apply labels to all file types.

  • A viewer to display encrypted files for text, images, or PDF documents.

  • A PowerShell module to discover sensitive information in files on premises, and apply or remove labels and encryption from these files.

  • A scanner to discover sensitive information that's stored in on-premises data stores, and then optionally, label that content.

For more information about these capabilities that extend labeling beyond Office apps, see the Azure Information Protection unified labeling client administrator guide from the AIP documentation.

Independently from labeling, you can continue to use the AIPService PowerShell module for tenant-level management of the encryption service. For example, configure super user access when you need to remove encryption for data recovery, track and revoke documents that have been opened by the AIP client, and configure the use license validity period for offline access. For more information, see Administering protection from Azure Information Protection by using PowerShell.

Decide whether to use built-in labeling for Office apps or the AIP add-in

Now that the AIP client is in maintenance mode, we don't recommend you use the AIP add-in for Office apps for the following reasons:

  • No new labeling features will be supported.
  • Add-ins are less stable because they can conflict with other add-ins that can result in Office apps hanging, crashing, or automatically disabling the add-in.
  • As an add-in, it runs more slowly, and can be disabled by users to bypass labeling requirements.
  • Any bug fixes will require reinstalling the Azure Information Protection client.
  • The labeling experience for users is slightly different from built-in labels that users have on their other devices (macOS, iOS, Android), and when they use Office for the web. This difference can increase costs for training and support.
  • There are already new Office labeling features released that are only supported by built-in labeling, and the list is growing all the time.

Use the AIP add-in for your Windows Office apps only if you've already deployed it to users and you need time to migrate them to built-in labeling. Or, users need a feature that isn't supported by built-in labeling. Use the feature parity information on this page to help you identify these features.

Features supported only by built-in labeling for Office apps

Note

Many new labeling features are in planning or development, so expect the list in this section to grow over time.

Some features are only supported by built-in labeling for Office apps, and won't be supported by the AIP add-in. These include:

  • For automatic and recommended labeling:
  • Sensitivity bar is integrated into existing user workflows
  • PDF support
  • For labels that let users assign permissions, different permissions (Read or Change) can be granted to users or groups
  • Encrypt-Only for emails
  • Visibility of labels on the status bar (Will be replaced with the sensitivity bar on the window title.)
  • Support for account switching
  • Users can't disable labeling

Example showing how users can review and optionally remove identified sensitive content in Word:

Credit card numbers identified to users as sensitivity content with an option to remove.

Example showing how sensitivity labels are integrated into user workflows:

Example showing sensitivity label name and description in the Save this file dialog box.

To keep informed when new labeling capabilities become available for built-in labeling, see What's new in Microsoft Purview and the Sensitivity labels sections.

How to disable the AIP add-in to use built-in labeling for Office apps

When you've installed the AIP client to extend labeling beyond Office apps but want to prevent the client's add-in from loading in Office apps, use the Group Policy setting List of managed add-ins as documented in No Add-ins loaded due to group policy settings for Office 2013 and Office 2016 programs.

For your Windows Office apps that support built-in labeling, use the configuration for Microsoft Word 2016, Excel 2016, PowerPoint 2016, and Outlook 2016, specify the following programmatic identifiers (ProgID) for the AIP client, and set the option to 0: The add-in is always disabled (blocked)

Application ProgID
Word MSIP.WordAddin
Excel MSIP.ExcelAddin
PowerPoint MSIP.PowerPointAddin
Outlook MSIP.OutlookAddin

Deploy this setting by using Group Policy, or by using the Office cloud policy service.

Important

If you use the Group Policy setting Use the Sensitivity feature in Office to apply and view sensitivity labels and set this to 1, there are some situations where the AIP add-in might still load in Office apps. Blocking the add-in from loading in each app prevents this happening.

Alternatively, you can interactively disable or remove the Microsoft Azure Information Protection Office Add-in from Word, Excel, PowerPoint, and Outlook. This method is suitable for a single computer, and ad-hoc testing. For instructions, see View, manage, and install add-ins in Office programs.

Whichever method you choose, the changes take effect when Office apps restart.

If after making these changes the Sensitivity button doesn't display on the Office ribbon, check whether sensitivity labeling has been turned off. Although this isn't the default configuration, an administrator might have explicitly set this configuration by using Group Policy or by directly editing the registry.

Note

Built-in labels require a subscription edition of Office apps. If you have standalone editions of Office, sometimes called "Office Perpetual", we recommend you upgrade to Microsoft 365 Apps for Enterprise to benefit from the latest labeling capabilities.

Remember, when you use this method to disable the AIP add-in, you can still use the AIP client to extend labeling beyond Office apps.

Feature parity for built-in labeling and the AIP add-in for Office apps

Many of the labeling features supported by the AIP add-in are now supported by built-in labeling. For a more detailed list of capabilities, minimum versions that might be needed, and configuration information, see Manage sensitivity labels in Office apps.

More features are planned and in development. If there's a specific feature that you're interested in, check the Microsoft 365 roadmap and consider joining the Microsoft Information Protection in Office Private Preview.

Use the following information to help you identify if you're using a feature from the AIP add-in that isn't yet supported by built-in labeling:

AIP add-in feature or capability Built-in labeling
Category: General
Central reporting and auditing Supported.
Learn more
Government Cloud Supported.
Admin can disable labeling
- All apps
Supported.
Learn more
Admin can disable labeling
- Per app
In planning or development
Category: User Experience
Labeling button on the ribbon Supported.
Multilanguage support for label names and tooltips Supported.
Learn more
Visibility of labels on a toolbar Supported.
Learn more
Label colors Supported.
Learn more
Category: Labeling actions
Manual labeling Supported.
Learn more
Mandatory labeling Supported.
Learn more
Default labeling
- New and existing items
- Separate settings for email
Supported.
Learn more
Recommended or automatic Supported.
Learn more
Downgrade justification Supported.
Learn more
Category: Visual markings
Headers, footers, watermark Supported.
Learn more
Dynamic markings Supported.
Learn more
Per app visual marking Supported.
Learn more
Category: Encryption
Admin-defined permissions Supported.
Learn more
User-defined permissions
- Do Not Forward for Outlook
- User and group custom permissions for Word, Excel, PowerPoint
Supported.
Learn more
User-defined permissions
- Organization-wide custom permissions by specifying domains for Word, Excel, PowerPoint
In preview
Co-authoring and AutoSave Supported.
Learn more
Double key encryption In planning or development
Document revocation for users Under review

Support for PowerShell advanced settings

The AIP client supports many customizations by using PowerShell advanced settings. Some of these advanced settings are now supported by built-in labeling, as documented in New-Label or Set-Label, and New-LabelPolicy or Set-LabelPolicy.

However, you might find you don't need to use PowerShell to configure the supported settings because they're included in the standard configuration from the Microsoft Purview compliance portal. For example, the ability to turn off mandatory labeling for Outlook and set a different default label.

The following configurations from the AIP add-in aren't yet supported by built-in labeling include:

Features not planned to be supported by built-in labeling for Office apps

Although new capabilities for built-in labeling are being added all the time, the AIP Office Add-in supports the following capabilities that aren't planned to be available in future releases for built-in labeling:

  • Application of labels to Microsoft Office 97-2003 formats, such as .doc files
  • Local usage logging to the Windows event log
  • Permanently disconnected computers
  • Standalone editions of Office (sometimes called "Office Perpetual") rather than subscription-based

Next steps

For instructions to create and configure these labeling capabilities, see Create and configure sensitivity labels and their policies.

Tip

If you already have sensitivity labels in the Microsoft Purview compliance portal, you won't be eligible for the automatic creation of default labels. However, you might still find it useful to reference their configuration: Default sensitivity labels.