AIP Microsoft 365 Office 365 sensitivity labels

Removing a Default Sensitivity Label

In Microsoft 365 Sensitivity Labels you can have a label policy that requires that all content is labelled. If you enable this and then later decide this is not for you, you can republish your label policy and disable the default label and the require label policies.

That is, your settings start like this:

Policy settings before change

And then you change the settings in the label policy and you end up with these settings, which are published to the end users upon you saving the changes to the policy:

Policy settings after the change

As you can see from the before/after screenshots, the label required by default on documents has gone from Confidential to None.

But I have found sometimes this changes does not take full effect! You can only see it though if you look in PowerShell for this policy. The PowerShell module to use is the Exchange Online Management module (Install-Module ExchangeOnlineManagement if you don’t have it already) and then run Connect-IPPSSession to connect to the Microsoft 365 Protection Center. Once connected run Get-LabelPolicy and then (Get-LabelPolicy <name_of_your_policy>).Settings to return the settings.

If I get the settings as above before I remove the mandatory requirement for a label I see:

[requiredowngradejustification, true]
[mandatory, true]
[defaultlabelid, be5e9727-67cc-4056-a87b-1dbbf67b7b9b]

Where the DefaultLabelID matches the GUID for the default label (Get-Label GUID should return the label that is the default).

But, once I remove the mandatory label and the default label, the “mandatory” setting should change to false and the “defaultlabelid” should be removed.

If the defaultlabelid does not get removed and the users do not see the policy change pushed out then it time for PowerShell to the rescue.

Set-LabelPolicy <Name> -AdvancedSettings @{defaultlabelid=""}

The above cmdlet changes the named policy label to remove the defaultlabelid value. Once you have run this, (Get-LabelPolicy <name>).Settings should not show the requirement for a default label.

aadrm AIP Azure Information Protection encryption IAmMEC Office 365 rms

Azure Information Protection General Troubleshooting

Azure Information Protection (AIP) is the new name, and new features for Azure Rights Management. Azure Information Protection allows a company to create a series of labels to apply to documents and to have those documents tags and labelled. For example a watermark or header is easy to set in the Azure Information Protection management blade in

In fact its so easy to turn on I did just that. The actual work and business consulting with Azure Information Protection is the why and business reasons for using it rather than the technical steps to enable it.

So once I enabled it and the client installed I found that I had a banner toolbar in Office applications as shown:


Clicking any of the labels will perform the default function of the product. These can be modified in the Azure Portal as shown:



The above two graphics show one example label (Confidential) that has had a sub label added (called NBConsult UK). The larger image above shows the details for this “NBConsult UK” label. In the properties blade for the label you can see I have turned on a template from RMS.

Once the changes are made and saved, you can publish the changes. Clients will pick up these changes on restarting the client application.


And then started my issues and the steps to troubleshoot this. First I got the following prompt twice:


Followed by:


And so I was finding my documents did not get the RMS based labels applied.

Reasons why this might be the case can be checked using the RMS tool in the Office application. So I tried to protect the document manually via File > Info tab:


This worked – I had the rights to use the template in the application – just AIP could not apply the template via the AIP tool.

To fix this I ran the Azure Information Protection (AIP) diagnostics tool. To get this click the AIP lock icon and choose Help and Feedback from the menu:


From this a popup appears:


And from this choose Run diagnostics:


Let the tool complete. I got the following errors before the application failed (crashed) and then did not complete again if left it again

image and then image

To get around this issue, as the reset option to fix the AIP application in the diagnostics tool was not available due to the application crash, I followed the steps in to bootstrap the client manually. If the AIP diag client completes, fix the listed issue or choose Reset in the client.

Once I had deleted the files and related registry keys mentioned in the above website I could restart any Office application. The RMS certs, keys and settings where downloaded to the client again and the AIP client was able to protect a document where as before it was not: