When you spend as much time as I do going over the various announcements Microsoft makes via blog posts or at Ignite sessions, you inevitably start developing a sense for detecting not only the loads of marketing crap, but also those hidden details both marketing and engineering folks suspiciously skip out. One such example is the story of “Unified labels” in the Office 365 Security and Compliance Center.
We first heard about Microsoft’s intention of bringing together the AIP and SCC labels back at last year’s Ignite conference. The story was great, provide a unified classification, labeling and protection experience across all workloads and clients. And then we started waiting. Almost nothing happened over the course of the year, and once we got back to Orlando, eager to see what Microsoft did with this feature, a certain fishy odor started spreading.
All the talks of “unified” experience now showcased two separate tabs in the Labels section of the Security and Compliance Center, one for “Sensitivity” and one for “Retention”. The big “unification” story seems to have shifted to “migrating AIP labels to the SCC portal” and providing some integration with SPO sites. All good stuff on its own, however nowhere near as exciting as those plans that were announced an year earlier. And annoyingly, even when directly probed about the “unified” labels, no straight answer was given by different Microsoft folks. Finally, this session spelled it all out:
So apparently somewhere along the road, Microsoft decided to change the design of the “unified labels” feature, probably because they run into various roadblocks. Nothing wrong with that, anyone using Office 365 should already be used to the high speed by which things change in the cloud. The marketing folks however seem to have decided to keep using the “unified” moniker to designate something obviously not fitting the definition. Apparently, it’s too big of an issue for them to let us know that we are NOT getting this (screenshot taken from BRK2134/Ignite 2017):
So, forget about having single “unified label” that can be used to classify an item, add visual elements to it, set retention period and action, protect it via RMS encryption, trigger DLP controls whenever it’s shared, and so on. You will still be able do all of these, and more, but simply not via the same “apply a single label” concept. Instead, we will have separate “Retention” and “Sensitivity” labels, and the focus seems to now have shifted to an “unified platform” powering those. Which can again be considered misleading, given the split between Security, and Compliance, which will both get their own portals soon.
Another thing that wasn’t clearly communicated at Ignite is the status of integration between SharePoint Online and Azure Information Protection, or the “sensitivity” labels. While there were some cool demos, those seem too far off in the future at this point, as the whole problem of “reasoning over data” remains unsolved. If you don’t know what I’m talking about, read this article for detailed explanation. Here’s a short excerpt:
…Azure Information Protection labels are different than Office 365 labels…
Be aware that when Azure Information Protection encryption is applied to files stored in Office 365, the service cannot process the contents of these files. Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work. DLP policies can only work with the metadata (including Office 365 labels) but not the contents of these files (such as credit card numbers within files).
Or illustrated via a screenshot:
Among other things, this means that automatic application of Sensitivity labels to SPO content will not come anytime soon. So next time you hear Microsoft talking about “unified labels”, just ask yourself what exactly the “unified” part means…
Don’t get me wrong, I love many of the features they showcased and there’s certainly a momentum building in the right direction. However, it has taken them a long, long time and we are still far away from getting true integration between the services and a unified experience. Hopefully, they will prove me wrong and by this time next year I will have nothing but praise to post.
I’d love to see this whole concept get some more love from Microsoft. I understand making this type of encryption simultaneously coherent, secure, easy to manage, and accessible to end-users must be incredibly challenging, but until these significant bumps are smoothed out, it’s a hard sell, even to a pro-Microsoft shop.
For example, how can an organization enthusiastically adopt AIP and also Teams, the former breaks the later? It’s not like these are both old technologies that have to be retrofitted to work together. Why was Teams even launched without a plan for viewing protected content? Also, how is it possible SharePoint hasn’t been fully onboard with AIP until “soon”?
Regular access control lists are woefully insufficient; we NEED AIP for most content, but scanning and labeling/protecting documents across an department, let alone an enterprise is a huge task, and knowing that Microsoft is still changing their minds about how it’s all going to come together almost makes any large scale adoption a dangerous idea.