Forum Discussion
How do you work around the client restrictions for opening encrypted documents?
We are wanting to roll out Purview sensitivity labels. Specifically, encrypted labels so we can implement controls such as preventing printing, copy/paste, etc. The issue we have run into is that once an Office doc is encrypted, there appear to be only two ways to open the document:
- In a licensed Office desktop client
- Sharing a link to the document in SharePoint so it can be opened in a web browser.
We share documents with a large variety of 3rd parties that do not use Office. Many are small businesses who seem to prefer Google Workspace, so no Office clients. The SharePoint web browser option also does not work for us as we require users to have an Entra ID account to access our SharePoint, and it would not be feasible to onboard the number of external users we share documents with (nor to purchase O365 licenses for all of them). We considered using both encrypted and non-encrypted labels and using encrypted only when the recipient uses Office. However, there is no way for our internal users to know if the person they are sending a document to is using Office. So now we are left not really knowing what to do. I would love to hear some suggestions for how other organizations handled this.
2 Replies
- Ajeeth_Muthu, Brass Contributor
That statement is essentially correct. Here’s the unavoidable reality:

| Client/Tool | Can open RMS encrypted docs? |
| --- | --- |
| Office Desktop (modern) | Yes |
| Office for web (SharePoint/OneDrive) | Yes |
| Outlook desktop / web (via OME) | Yes |
| Google Workspace apps | No |
| Third-party PDF viewers | No |
| Most browsers without native support | No |

Sensitivity label encryption is based on Microsoft Information Protection / IRM, which requires the application opening the file to be MIP-aware (“enlightened”). Only apps that understand IRM can decrypt the content and enforce restrictions like no print or no copy. Today, that realistically means Office desktop apps and Office on the web.
If the recipient uses non-Office tools (for example Google Workspace), they will not be able to open encrypted documents. There isn’t a workaround for this — it’s a fundamental design constraint of IRM-based encryption.
Because of that, most organizations end up at the same trade-off:
- Use encrypted labels for internal users or known partners with Office
- Use non-encrypted labels (with visual markings, DLP, and auditing) for broad external sharing
Trying to apply encryption universally for all external recipients usually isn’t practical unless you control the client environment.
You need an "enlightened" app to work with IRM-protected documents; there is no other way around it. So you're at the classical crossroad - decide between usability and security.