As an admin, you can use the Azure portal to configure the Azure Information Protection (AIP) sensitivity labels for your organization. You must also configure Workspace ONE Boxer using a key-value pair to enable the AIP feature.


  1. Sign in to the Azure portal. For more information about the Azure portal, see Configuring the Azure Information Protection policy.
  2. Enable the following options in the organization settings of your Office 365 account.
    1. Azure Information Protection
    2. Microsoft Information Protection API
  3. Activate the Data Protection and the Unified labeling options in AIP.
  4. Configure the labels in the Classification settings of AIP.
  5. Add and enable the PolicySensitivityLabelsEmailClassification key in the Workspace ONE UEM console. To learn how to configure this key, see Enable AIP Sensitivity Labels in Workspace ONE Boxer.
    When you enable the PolicySensitivityLabelsEmailClassification key:
    • The default Boxer policies (Classifications and IRM templates) are deactivated for end users and replaced with the set of AIP sensitivity labels configured in Azure.
    • The following key-value pairs become inactive and cannot be enabled:
      • PolicyClassMarkingsEnabled
      • PolicyClassMarkingsXHeader
      • PolicyClassVersion
      • PolicyClassMarkings
      • PolicyClassMarkingsRankEnabled
      • PolicyClassMarkingsDefaultClass
    • As an admin, you must provide consent on behalf of your tenant users so that they can use the sensitivity labels. Otherwise, each user has to consent manually. Users cannot use the labels without consent.
    • Labels might take 24 hours to synchronize from Azure to Workspace ONE Boxer.