Migrate the Azure Information Protection (AIP) add-in to built-in labeling for Office apps
When you use sensitivity labels in Microsoft 365 Apps on Windows computers, we recommend you use you labeling that's built into Office apps, even if you have the Azure Information Protection (AIP) unified labeling client installed. The AIP add-in is now disabled by default in the latest versions of Office apps, and the add-in will be retired April 2024.
To prepare for this change, use this article to understand the benefits of using built-in labeling, which main features have parity, and how to control the migration from the AIP add-in to the newer labeling experience.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Built-in labeling vs. the AIP client
Built-in labeling forms the cornerstone of a Microsoft Purview Information Protection deployment because this labeling technology extends across platforms (Windows, macOS, iOS, Android, and web), as well as across Microsoft apps and services, and beyond. Built-in labeling is also designed to work with other Microsoft Purview capabilities, such as data classification and Microsoft Purview Data Loss Prevention (DLP).
Because built-in labels don't use an Office add-in, they benefit from more stability and better performance. They also support the latest Microsoft Purview features, such as advanced classifiers.
Up until recently, built-in labeling was turned off by default in Office for Windows apps when the AIP client was installed. This default is no longer the case for newer versions of Office. You can control the default behavior by using the instructions in the following section, How to disable the AIP add-in to use built-in labeling for Office apps. For example, disable the add-in for initial testing on a couple of computers, and then move onto a pilot for a few users. When you're ready, migrate all users to the newer labeling experience.
When you keep the AIP client installed but disabled in Office apps, the other capabilities of the AIP client remain supported:
Right-click options in File Explorer for users to apply labels to all file types.
A viewer to display encrypted files for text, images, or PDF documents.
A PowerShell module to discover sensitive information in files on premises, and apply or remove labels and encryption from these files.
A scanner to discover sensitive information that's stored in on-premises data stores, and then optionally, label that content.
For more information about these capabilities that extend labeling beyond Office apps, see the Azure Information Protection unified labeling client administrator guide from the AIP documentation.
Independently from labeling, you can continue to use the AIPService PowerShell module for tenant-level management of the encryption service. For example, configure super user access when you need to remove encryption for data recovery, track and revoke documents that have been opened by the AIP client, and configure the use license validity period for offline access. For more information, see Administering protection from Azure Information Protection by using PowerShell.
Built-in labels require a subscription edition of Office apps. If you have standalone editions of Office, sometimes called "Office Perpetual", upgrade to Microsoft 365 Apps for Enterprise to benefit from the latest labeling capabilities.
Benefits of using built-in labeling for Office apps vs. the AIP add-in
The AIP add-in component from the AIP client is in maintenance mode and will be retired April 2024. Even before the retirement date, we don't recommend you use this add-in for Office apps for the following reasons:
- No new labeling features will be supported.
- Add-ins are less stable because they can conflict with other add-ins that can result in Office apps hanging, crashing, or automatically disabling the add-in.
- As an add-in, it runs more slowly, and can be disabled by users to bypass labeling requirements.
- Any bug fixes will require reinstalling the Azure Information Protection client.
- The labeling experience for users is slightly different from built-in labels that users have on their other devices (macOS, iOS, Android), and when they use Office for the web. This difference can increase costs for training and support.
- There are new Office labeling features released that are only supported by built-in labeling, and the list is growing all the time.
Until the retirement date, use the AIP add-in for your Windows Office apps only if you've already deployed it to users and you need time to migrate them to built-in labeling. Or, if there's a key feature that users need that isn't yet available for their Office update channel.
Features supported only by built-in labeling for Office apps
Many new labeling features are in planning or development, so expect the list in this section to grow over time.
Some features are only supported by built-in labeling for Office apps, and won't be supported by the AIP add-in. These include:
- For automatic and recommended labeling:
- Sensitivity bar that's integrated into existing user workflows
- PDF support
- Protect meeting invites, with their attachments and responses
- For labels that let users assign permissions, different permissions (Read or Change) can be granted to users or groups
- Encrypt-Only for emails
- Support for account switching
- Users can't disable labeling
Watch a short demo to see some of these features in action:
To keep informed when new labeling capabilities become available for built-in labeling, see What's new in Microsoft Purview and the Sensitivity labels sections.
How to disable the AIP add-in to use built-in labeling for Office apps
Starting with version 2302 for Current Channel and Semi-Annual Enterprise Channel, but version 2303 for Monthly Enterprise Channel, the AIP add-in is disabled by default. For these versions, there's nothing for you to configure for users to benefit from built-in labels. If you need to use the AIP add-in rather than built-in labeling, you must configure a new setting to override the default.
If you’ve previously used the AIP add-in as the default labeling client in Office apps and use Office versions later than the ones listed, by default, the AIP add-in is automatically disabled and replaced by built-in labeling.
To disable the AIP add-in for older versions, see the next section.
Remember, when the AIP add-in is disabled, you can still use the AIP client to extend labeling beyond Office apps.
How to configure older versions of Office to disable the AIP add-in
For Office apps older than version 2302 (Current Channel and Semi-Annual Enterprise Channel) or version 2303 (Monthly Enterprise Channel), to prevent the AIP add-in from loading in Office apps, use the Office policy setting List of managed add-ins as documented in No Add-ins loaded due to group policy settings for Office 2013 and Office 2016 programs.
For your Windows Office apps that support built-in labeling, use the configuration for Microsoft Word 2016, Excel 2016, PowerPoint 2016, and Outlook 2016, specify the following programmatic identifiers (ProgID) for the AIP client, and set the option to 0: The add-in is always disabled (blocked)
Deploy this setting by using Group Policy and Microsoft 365 Apps for enterprise administrative templates, or by using the Cloud Policy service for Microsoft 365.
If you use the Office policy setting Use the Sensitivity feature in Office to apply and view sensitivity labels and set this to Enabled, there are some situations where the AIP add-in might still load in Office apps. Blocking the add-in from loading in each app prevents this happening.
Alternatively, you can interactively disable or remove the Microsoft Azure Information Protection Office Add-in from Word, Excel, PowerPoint, and Outlook. This method is suitable for a single computer, and ad-hoc testing. For instructions, see View, manage, and install add-ins in Office programs.
Whichever method you choose, the changes take effect when Office apps restart.
If after making these changes the Sensitivity button doesn't display on the Office ribbon, check whether sensitivity labeling has been turned off with the Use the Sensitivity feature in Office to apply and view sensitivity labels Office policy setting. Although this isn't the default configuration for Office apps, an administrator might have explicitly set this configuration by using Group Policy or by directly editing the registry.
How to configure newer versions of Office to enable the AIP add-in
If you've previously set the Office policy setting of Use the Sensitivity feature in Office to apply and view sensitivity labels to Disabled (or set the equivalent registry key of UseOfficeForLabelling to 0) to disable built-in labeling because you wanted to use the AIP add-in: Going forward, if you don't configure the new setting that's described in this section, you won't be able to use sensitivity labeling with either the AIP add-in or built-in labeling.
Starting with version 2302 (Current Channel and Semi-Annual Enterprise Channel) and version 2303 (Monthly Enterprise Channel) of the Office apps, the AIP add-in is disabled by default. To enable it, you must configure a new Office policy setting:
- Use the Azure Information Protection add-in for sensitivity labeling. Set the value to 1 by selecting Enabled.
If you're using Group Policy, make sure you've downloaded recent Group Policy Administrative Template files for Microsoft 365 Apps for enterprise and navigate to this setting from User Configuration/Administrative Templates/Microsoft Office 2016/Security Settings. If you're using the Cloud Policy service for Microsoft 365, search for the setting by name to configure it.
Additional Office settings you might need to configure:
The Office policy setting Use the Sensitivity feature in Office to apply and view sensitivity labels, must be Disabled or Not configured.
If the list of managed add-ins block the AIP add-in, as described in the previous section, you'll need to either remove these entries for the AIP add-in, or set their value to 1: The add-in is always enabled.
Feature parity for built-in labeling and the AIP add-in for Office apps
Many of the labeling features supported by the AIP add-in are now supported by built-in labeling. For a detailed list of available capabilities and configuration information, see Manage sensitivity labels in Office apps. To support a specific feature, you might need to change your Office update channel.
More features are planned and in development. If there's a specific feature that you're interested in, check the Microsoft 365 roadmap and consider joining the Microsoft Information Protection in Office Private Preview.
Use the following information to help you identify if the features you use with the AIP add-in is available with built-in labeling. Additional features that aren't yet available but in planning or deployment might delay your final migration for users, but you can begin testing the other features now to expedite a later migration.
|AIP add-in feature or capability||Built-in labeling|
|Central reporting and auditing||
|Admin can disable labeling for all apps||
|Admin can display labels for just files or just emails||
|Category: User Experience|
|Labeling button on the ribbon|
|Multilanguage support for label names and tooltips||
|Visibility of labels on a toolbar||
|Category: Labeling actions|
- New and existing items
- Separate settings for email
|Recommended or automatic||
|Category: Visual markings|
|Headers, footers, watermark||
|Per app visual marking||
- Do Not Forward for Outlook
- Users and groups, or organization-wide custom permissions for Word, Excel, PowerPoint
|Co-authoring and AutoSave||
Remember to use the Microsoft 365 roadmap to identify and track new features in development.
Support for PowerShell advanced settings
The AIP client supports many customizations by using PowerShell advanced settings. For the advanced settings applicable to Office apps that are also supported by built-in labeling, see the list in New-Label or Set-Label, and New-LabelPolicy or Set-LabelPolicy.
However, you might find you don't need to use PowerShell to configure the supported settings because they're included in the standard configuration from the Microsoft Purview compliance portal. For example, UI configuration to choose label colors, and turn off mandatory labeling for Outlook. Check the available configurations in Manage sensitivity labels in Office apps.
The AIP add-in used PowerShell advanced settings for oversharing popup messages in Outlook. When you use built-in labeling, the equivalent of this configuration is now available as a DLP policy configuration.
Features not planned to be supported by built-in labeling for Office apps
Although new capabilities for built-in labeling are being added all the time, the AIP Office add-in supports the following capabilities that aren't planned to be available in future releases for built-in labeling:
- Application of labels to Microsoft Office 97-2003 formats, such as .doc files
- Local usage logging to the Windows event log
- Permanently disconnected computers
- Standalone editions of Office (sometimes called "Office Perpetual") rather than subscription-based
Migration planning for the AIP add-in for Office apps
To smoothly transition to using built-in labeling for Office apps, use the information on this page to prepare a migration plan that includes the following tasks:
Identify the features that you currently use, and test them with built-in labeling to ensure you understand the configuration and user experience.
Identify any new features that you want to use, and decide whether to include them in the migration or at a later stage.
Make sure all dependencies are in place, such as Microsoft 365 Apps for Enterprise is deployed with the correct update channel and the AIP add-in disabled, and the correct licenses are assigned to users.
Update any internal documentation and training, and prepare your help desk and users for change.
To help you with your migration journey, we recommend the migration guidance and playbook from Microsoft Purview Customer Experience Engineering (CxE).
For additional information, see the Tech Community blog post, Microsoft Purview Information Protection in M365 Apps - January 2023.