Forum Discussion

Max Philipp Blickenstorfer
Feb 11, 2026

Lifecycle using Custom Protection with Purview Sensitivity Labels

Organizations using Purview Sensitivity Labels with custom protection face a fundamental governance challenge: there is no lifecycle‑ready way to maintain, audit, or update per‑document user rights as teams evolve. This affects compliance, need‑to‑know enforcement, and operational security.

 

Document lifecycle challenges

  • Team growth: new members do not inherit document‑specific rights.
  • Team shrinkage: departing members retain access unless manually removed.
  • Employee offboarding: accounts are disabled, but compliance may require explicit removal from protected documents.
  • Audit requirements: organizations need to answer “Who has what rights on document X?” — and today, no native tool provides this for custom‑protected files.

 

| Existing method | Limitation |
| --- | --- |
| Purview PowerShell | Overwrites all existing assignments; no granular updates |
| MIP Client | Not yet capable of bulk lifecycle operations |
| OlaProeis/FileLabeler | Great tool, but limited by the same PowerShell constraints |

 

What the tool enables

  • Rights audit trail per document
  • Controlled lifecycle updates (add/remove/transfer rights)
  • Preservation of original files for rollback
  • Multi‑action batch processing
  • Admin‑only delegated workflow with MIP superuser role
  • Full logging for compliance

Supported operations

  • ListRightAssignments – extract all rights from each document under a given label GUID
  • SetOwner / AddOwner – assign or add owners
  • AddEditor / AddRestrictedEditor / AddViewer – role‑based additions
  • RemoveAccess – remove any user from all roles
  • AddAccessAs – map one user’s role to one or more new users
  • Multi‑action execution – combine operations in a single run
  • Safe mode – original files preserved; updated copies created with a trailer

Because this tool can modify access to highly sensitive content, it must be embedded in a controlled workflow: ticket‑based approval, delegated admin, MIP superuser assignment, and retention of all logs as part of the audit trail. This ensures compliance with need‑to‑know, separation of duties, and legal requirements.

 

I would appreciate feedback from the community and Microsoft product teams on:

  • whether similar lifecycle capabilities are planned for Purview
  • whether the MIP SDK is the right long‑term approach
  • how others handle custom‑protected document lifecycle today
  • interest in collaborating on a more robust open‑source version

 

Max
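
The granular-update semantics listed under "Supported operations", modelled in Python as an added example; it is not part of the original post or the tool's code and calls neither the MIP SDK nor Purview PowerShell. The data shapes, SetOwner replacing existing owners, AddAccessAs resolving roles from the pre-batch snapshot, and the rejection of ownerless plans are assumptions.

```python
ROLES = ("Owner", "Editor", "RestrictedEditor", "Viewer")
ADD_ROLE = {"AddOwner": "Owner", "AddEditor": "Editor",
            "AddRestrictedEditor": "RestrictedEditor", "AddViewer": "Viewer"}

def apply_actions(rights, actions):
    """Plan one document's update; returns (new_rights, audit), input untouched."""
    before = {r: frozenset(rights.get(r, ())) for r in ROLES}
    new = {r: set(before[r]) for r in ROLES}
    audit = []  # (operation, role, user, "added" | "removed")

    def change(op, role, user, add):
        if (user in new[role]) != add:
            (new[role].add if add else new[role].remove)(user)
            audit.append((op, role, user, "added" if add else "removed"))

    for op, user, targets in actions:
        if op in ADD_ROLE:
            change(op, ADD_ROLE[op], user, True)
        elif op == "SetOwner":
            # Assumption: SetOwner replaces the current owners with `user`.
            for old in sorted(new["Owner"] - {user}):
                change(op, "Owner", old, False)
            change(op, "Owner", user, True)
        elif op == "RemoveAccess":
            for role in ROLES:
                change(op, role, user, False)
        elif op == "AddAccessAs":
            # Assumption: roles are read from the pre-batch snapshot, so a
            # transfer still works when RemoveAccess for that user ran first.
            for role in ROLES:
                if user in before[role]:
                    for target in targets:
                        change(op, role, target, True)
        else:
            raise ValueError(f"unknown operation: {op}")
    if not new["Owner"]:
        # Assumption: a plan that leaves the document ownerless is rejected.
        raise ValueError("plan would leave the document without an owner")
    return new, audit

# Constructed sample: alice leaves; bob and carol take over her roles.
SAMPLE_RIGHTS = {"Owner": ["alice@example.com"], "Viewer": ["dave@example.com"]}
SAMPLE_ACTIONS = [
    ("RemoveAccess", "alice@example.com", ()),
    ("AddAccessAs", "alice@example.com", ("bob@example.com", "carol@example.com")),
]
```

The returned audit list records only the entries that actually changed, which is the per-document delta a ticket-based approval workflow would retain alongside the preserved original.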

1 Reply

  • Apology for the repeated posts

    Hi everyone,

    Just a quick note to apologize for the repeated versions of my post earlier. I ran into some issues with the community content checks — especially the automatic removal of e‑mail addresses and similar corrections — and ended up having to repost a few times until the formatting finally passed validation.

    I didn’t intend to clutter the thread or create extra noise. Thanks for your patience and understanding.

    Max