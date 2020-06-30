Disclaimer: This tool is not provided with support or maintenance by Microsoft. This tool is shared with you for use under your consideration only.

Today, I’m happy to share an internal tool to semi-automate the sensitivity labels and policies migration process. This process is performed via 4 PS commands:

“Export-LabelsToJson” which exports the sensitivity labels and their configurations (name, tooltip, visual marking, encryption, site and groups settings, auto-labeling) into a JSON format

“Import-LabelsFromJson” which imports the sensitivity labels with their configurations from this same JSON format to any tenant

“Export-PoliciesToJson” which exports the label policies and their configurations (Name, published labels, advanced settings) into a JSON format

“Import-PoliciesFromJson” which imports the label policies with their configurations from this same JSON format to any tenant

Import the IP-automation module

Download the IP-automation package (at the end of this article).

Extract the IP-automation package (e.g. C:\Temp\IP-automation)

Open a PowerShell session and from this folder, import the module “UnifiedLabelling.psm1”: Import-module .\UnifiedLabelling.psm1



Connections to necessary services

Before running the commands, you must connect to some online services. The connecting account must own one of these roles: “Compliance admin” or “Global admin”.

Security and Compliance Center AIP Service Export-LabelsToJson Yes Yes Import-LabelsFromJson Yes Yes Export-PoliciesToJson Yes No Import-PoliciesFromJson Yes No

Connect to Security and compliance Center using PowerShell

There are three ways you can login into the SCC using PowerShell:

Basic authentication using the online documented way.

Modern authentication with support for MFA

Using the module “SecurityComplianceCenter”, also with MFA support. Install-module SecurityComplianceCenter Connect-SCC



If no connection is established before running the commands, the function will connect to SCC via the module “SecurityComplianceCenter”. Ensure the module is installed in that case.

Connect to AIPService using PowerShell

When the connection is necessary, the function will automatically try to connect. Simply ensure the module is installed.

Export MIP configuration from Tenant A

Run the 2 below commands to export Tenant A configuration into JSON files:

PS C:\temp\IP-automation> Export-LabelsToJson -Path .\TenantA-labels.json

PS C:\temp\IP-automation> Export-PoliciesToJson -Path .\TenantA-policies.json

Import MIP configuration to Tenant B

Run the 2 below commands to import Tenant A configuration from the previously created JSON files into Tenant B:

PS C:\temp\IP-automation> Import-LabelsToJson -Path .\TenantA-labels.json -Verbose

PS C:\temp\IP-automation> Import-PoliciesToJson -Path .\TenantA-policies.json -Target “john.doe@contoso.com” -Verbose

Note: The parameter “Target” must be the mail address of a user or a group for testing, avoiding publishing immediately to “All”, but this one only applies to new policies. In case the policy already exists in the targeted tenant (here tenant B), the targeted users and groups remain the same. If the parameter “Target” is not specified in the command, new policies will be published to “All” by default. I recommend specifying a test user or admin account.

Note: Policies’ importation will publish the labels. Therefore, the labels must always be imported before the policies.

Additional notes

Review the JSON files to import. Several settings will probably need to be manually updated (below list may not be complete): Labels configuration Rights definitions: you might need to update the mail addresses used to assign permissions (e.g. a group may not exist in both tenants). Label name: If an imported label already exists in Tenant B, an update of this label will be performed in Tenant B, based on the configuration imported. Ensure this is what you wish. If that’s not the case, modify the label’s name. Conditions: Conditions can be configured in so many possible ways. Ensure the imported configuration is compatible with the existing configuration of Tenant B (e.g. custom sensitive info types). Policies configuration For advanced settings policies, if you use some settings containing label IDs such as “outlookjustifyuntrustedcollaborationlabel”, these IDs should be updated manually in the JSON file.

The priority setting may cause some complications in your label’s priorities. If this happens, just update one label’s priority in the SCC portal and all priorities should be recalculated.

