Creating Labels for Azure Information Protection
The Scenario:
You are starting to implement Azure Information Protection and you need to create labels and sub-labels so your users can see the new fancy buttons in their Office applications. Often there are default labels to work from, but sometimes those labels have been removed, or you simply want to create your own labels and are not sure what all the options in the portal do. Fear not! I will show you how to create labels and explain all the functionality of those labels along the way. As an added bonus, I have provided some label templates at the end that may be useful in defining your structure. These are of course just a recommendation and you can use them or not as you see fit. Also, since I like to make sure you have the best information possible, the official documentation for creating labels can be found at /en-us/azure/information-protection/deploy-use/configure-policy-new-label and, as always, is authoritative over anything I might say here. ;-)
The Solution
Here I am going to assume that you already know how to log into the Azure Portal and get to the AIP blade. So, navigate to the AIP blade and I will help you create labels that look like the set below.
To create a new label, click the + Add a new label link below Protection templates.
This will bring up the Label blade as shown below.
Let’s step through each of the options on this new label interface.
Enabled
This is a simple Off/On selection that defaults to On.
Label display name
This is the text that will display on the button in the Office AIP client interface and in the sensitivity bar of protected documents. As an example, we can use the first default label of Personal.
Description
This is the description of the purpose and usage instructions for a label. This should be concise enough to fit in a popup description while being descriptive enough to help your users know if the label should be applied to the content. The description for Personal is below (I will list all of the default labels and their descriptions later in this post).
Non-Business data which does not belong to <enter your company here>. Data is not encrypted and cannot be tracked or revoked. Do not use Non-Business to classify any personal data which is collected by or belongs to <enter your company here>. Such content should be marked as either Confidential or Highly Confidential.
Color
This is the color that will display next to the label in the sensitivity bar in Office. You can select from a list of standard colors in the drop-down, or select Custom and specify the color as an RGB hex triplet.
Example: Gray or #737373
Set permissions for documents and email containing this label
The options here are Not configured, Protect, or Remove Protection.
Not configured is exactly what it sounds like and is what is used for the Personal, Public, and General labels.
Protect gives additional options for encrypting content using a Microsoft-managed key, Azure (cloud key), BYOK, or HYOK.
After selecting Protect, you will also need to configure the additional options by clicking on the Protection type (in this case Azure (cloud key)). Protection is typically used for Confidential and Highly Confidential sub-labels. The Protect blade looks similar to the image below.
The first option in the Protection settings is Azure (cloud key) or HYOK (AD RMS) protection.
In Azure (cloud key) protection, you first have to:
Select the protection action type
This defines whether you will use standard permissions for users, groups, or domains (Set permissions), or the Do Not Forward and Custom Settings dialogs in Office (Set user-defined permissions (Preview)).
If using Set permissions, click the + Add permissions link below users to select user rights.
This brings up the Add permissions blade.
To add all users synced to your O365 tenant, simply click the + Add <your company> - All members link and choose a permission preset or custom permissions. Alternatively, you can browse the directory for any mail-enabled groups or users to add rights to.
Note: You can only add one level of permissions at a time, so if you want different levels of permissions for different groups, you will need to save and return to add each level of access separately.
One additional option you have in this interface is to add external users or domains on the Enter details tab.
Note: If entering a domain, include only the domain name and no additional characters such as *@.
The permissions you can choose from under Choose permissions from preset or set custom are shown below.
You can click through the presets to see what is available or use Custom to assign specific permissions from this list.
After adding users/groups/domains and selecting the appropriate level of permissions, click OK to return to the Protection settings interface.
If you choose Set user-defined permissions (Preview) you will see the interface below.
The two checkboxes here control where the label is shown: one for Outlook (where it applies Do Not Forward) and one for Word, Excel, PowerPoint and File Explorer (where it prompts the user for custom permissions). If you deselect either of these options, the label will not display in the programs that option covers. This is often used to create Recipients Only labels that apply the Do Not Forward permission in Outlook but would look out of place in Word, Excel, PowerPoint and File Explorer. Similarly, a label like Custom Permissions would look out of place in Outlook but fine in the other Office applications.
The other options in the Protection settings interface are Content expiration and Allow offline access.
Content expiration
This option allows you to expire content on a specific date or after a specific number of days. This could be useful for contracts that are not valid after a specific date or offers that are only valid for a set number of days from creation.
Allow offline access
This option defines the length of time that a use license is valid without reauthenticating to AIP. The default is 7 days, which allows a user to be offline for a full week without needing to authenticate to the cloud. After that amount of time they will need to reach out to AIP to get a new use license. Leaving this default for Confidential information, and perhaps using a lower number of days for Highly Confidential, is a good decision: it allows you to revoke access to content dynamically by removing a user from the authorized groups defined in the AIP label, because the change takes effect as soon as the old use license expires.
Note: Use caution with setting this option to Never, as it could have a detrimental impact on usability and could cause users that travel regularly to be unable to work on airplanes or in other locations with limited internet access.
Finally, Remove Protection allows you to use a label to remove any existing protection applied to a document. This is useful for bulk decryption templates.
Set visual marking (such as header or footer)
This option allows you to add header/footer text to your labeled documents. This is typically reserved for Confidential/Highly Confidential documents but can be configured for any label.
Documents with this label have a header/footer/watermark
This can be set to Off or On with the default being Off. If this is set to Off, the additional options below are hidden.
Header/Footer/Watermark text
This is the text that will be added to the header/footer/watermark of the document or email.
Header/Footer/Watermark font size
This is the font size for the header/footer/watermark.
Header/Footer/Watermark font name
The default header/footer/watermark font is Calibri. A custom font must be typed in manually, and if the font is not present on the system opening the document, that system will use a random font.
Header/Footer/Watermark Color
This works like the color option for the label (select from the list or use a custom RGB hex triplet).
Header/Footer alignment
Choose from Left, Center, or Right alignment, with Left being the default.
Caution: Headers and footers defined in labels will overwrite any existing headers or footers in documents or emails.
Watermark layout
Choose Horizontal or Diagonal, with Diagonal being the default.
Configure conditions for automatically applying this label
This option can be used to automatically apply or recommend this label based on defined criteria. This is an AIP Premium P2 feature (EMS E5) and goes beyond the scope of this post.
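The rules covered above (a valid color, bare domain names on the Enter details tab, not setting offline access to Never, and the visual-marking switch being On before footer text is typed in) are easy to get wrong across many labels. The following Python linter is an added example, not part of the original post or of AIP itself; the field names, the sample plan, the "<your company> - All members" entry and the partner.example domain are my own assumptions that mirror the template at the end of the post.

```python
import re

# Standard color names this post uses; anything else must be a #RRGGBB hex triplet.
STANDARD_COLORS = {"Gray", "Green", "Blue", "Orange", "Red"}
HEX_TRIPLET = re.compile(r"^#[0-9A-Fa-f]{6}$")

def check_labels(labels):
    """Return the problems found in a label plan (a list of dicts mirroring the post's template)."""
    names = {lbl["name"] for lbl in labels}
    problems = []
    for lbl in labels:
        name, parent = lbl["name"], lbl.get("parent")
        if parent is None:
            # Top-level labels carry the color shown in the sensitivity bar; sub-labels inherit it.
            color = lbl.get("color")
            if color not in STANDARD_COLORS and not HEX_TRIPLET.match(str(color)):
                problems.append(f"{name}: color {color!r} is neither a standard color nor #RRGGBB")
        elif parent not in names:
            problems.append(f"{name}: parent label {parent!r} is not defined")
        if lbl.get("protection") == "Protect":
            perms = lbl.get("permissions", [])
            if lbl.get("action") == "Set permissions" and not perms:
                problems.append(f"{name}: Set permissions chosen but nobody is granted rights")
            for entry in perms:
                # The portal expects bare domain names (contoso.com), not *@contoso.com or @contoso.com.
                if entry.startswith(("*", "@")):
                    problems.append(f"{name}: entry {entry!r} must be a bare domain name")
            if lbl.get("offline_days") == "Never":  # the use license would never need renewing
                problems.append(f"{name}: offline access is Never; prefer a day count such as 7")
        if lbl.get("footer_text") and not lbl.get("footer"):
            problems.append(f"{name}: footer text set but visual marking is Off")
    return problems

# Constructed sample plan: two labels from the post's templates plus two deliberately broken ones.
SAMPLE_PLAN = [
    {"name": "Confidential", "color": "Orange", "protection": "Not configured"},
    {"name": "Confidential \\ All Employees", "parent": "Confidential", "protection": "Protect",
     "action": "Set permissions", "permissions": ["<your company> - All members"], "offline_days": 7,
     "footer": True, "footer_text": "Classified as Confidential \\ All Employees"},
    {"name": "Confidential \\ Partners", "parent": "Confidential", "protection": "Protect",
     "action": "Set permissions", "permissions": ["*@partner.example"], "offline_days": "Never",
     "footer": False, "footer_text": "Classified as Confidential \\ Partners"},
    {"name": "Internal", "color": "#73737", "protection": "Not configured"},
]

if __name__ == "__main__":
    for problem in check_labels(SAMPLE_PLAN):
        print(problem)
```

Running it reports four problems: the partner entry written as *@partner.example, the Never offline setting, footer text with marking switched Off, and the five-digit hex color on Internal.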
Default Label Contents and Template
The information below can be used to create the default templates that Microsoft provides with new AIP tenants. There is also a blank template that you can use for planning your own labels and adding to your documentation.
Personal
Label Name: Personal
Note: Many companies use Non-Business rather than Personal for this label name.
Sub-Label: No
Description: Non-Business data which does not belong to <enter your company here>. Data is not encrypted and cannot be tracked or revoked. Do not use Non-Business to classify any personal data which is collected by or belongs to <enter your company here>. Such content should be marked as either Confidential or Highly Confidential.
Label color: Gray
AIP Protection: Not configured
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: No
Footer Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Public
Label Name: Public
Sub-Label: No
Description: Business data specifically prepared and approved for public consumption. Data is NOT encrypted and cannot be tracked or revoked.
Label color: Green
AIP Protection: Not configured
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: No
Footer Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
General
Label Name: General
Sub-Label: No
Description: Business data which is NOT intended for public consumption. However, this can be shared with internal employees, business guests and external partners as required. Data is not encrypted and cannot be tracked or revoked.
Label color: Blue
AIP Protection: Not configured
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: No
Footer Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Confidential
Label Name: Confidential
Sub-Label: No
Description: Sensitive business data that could cause damage to the business if shared with unauthorized people. Data is encrypted. Data owners can track and revoke content.
Label color: Orange
AIP Protection: Not configured
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: No
Footer Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Confidential \ Recipients Only
Label Name: Confidential \ Recipients Only
Sub-Label: Yes, of Confidential
Description: Confidential data that is encrypted and that can be viewed by the recipients only.
AIP Protection: Protect, User defined permissions, In Outlook apply Do Not Forward
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: Yes
Footer Text: Classified as Confidential \ Recipients Only
Font size: 10
Color: Black
Alignment: Left
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Confidential \ All Employees
Label Name: Confidential \ All Employees
Sub-Label: Yes, of Confidential
Description: Confidential data which is classified and protected. <Company name> employees may edit, reply, forward and print. Data owners can track and revoke content.
AIP Protection: Protect, Set permissions, Add all members of tenant with Co-Owner rights
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: Yes
Footer Text: Classified as Confidential \ All Employees
Font size: 10
Color: Black
Alignment: Left
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Highly Confidential
Label Name: Highly Confidential
Sub-Label: No
Description: Very sensitive business data that would certainly cause damage to the business if over-shared. Data is encrypted. Data owners can track and revoke content.
Label color: Red
AIP Protection: Not configured
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: No
Footer Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Highly Confidential \ Recipients Only
Label Name: Highly Confidential \ Recipients Only
Sub-Label: Yes, of Highly Confidential
Description: Highly Confidential data that is encrypted and that can be viewed by the recipients only.
AIP Protection: Protect, User defined permissions, In Outlook apply Do Not Forward
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: Yes
Footer Text: Classified as Highly Confidential \ Recipients Only
Font size: 10
Color: Black
Alignment: Left
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Highly Confidential \ All Employees
Label Name: Highly Confidential \ All Employees
Sub-Label: Yes, of Highly Confidential
Description: Highly Confidential data which is classified and protected. <Company name> employees may edit, reply, forward and print. Data owners can track and revoke content.
AIP Protection: Protect, Set permissions, Add all members of tenant with Co-Owner rights
Document Headers: No
Header Text: N/A
Font size: N/A
Color: N/A
Alignment: N/A
Document Footers: Yes
Footer Text: Classified as Highly Confidential \ All Employees
Font size: 10
Color: Black
Alignment: Left
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: N/A
Conditions set: None
Template
Label Name: LabelName
Sub-Label: No
Description: Description of Label Usage
Label color: Color or N/A for sub-labels
AIP Protection: Protection Properties
Document Headers: No
Header Text: N/A
Font size: 10
Color: Black
Alignment: Left
Document Footers: No
Footer Text: N/A
Font size: 10
Color: Black
Alignment: Left
Document Watermark: No
Watermark Text: None
Size: N/A
Color: N/A
Layout: Diagonal
Conditions set: None