Max Philipp Blickenstorfer
Copper Contributor
Feb 11, 2026

Lifecycle using Custom Protection with Purview Sensitivity Labels


IMHO, usage of Purview Sensitivity Labels with custom protection lacks some very basic functionality to complete a document's lifecycle and meet basic governance requirements. I focus on the document lifecycle process and not on plain technical weaknesses of the product, like missing telemetry on protection changes, etc.

Problem: A team of users handling strictly confidential content agrees to always assign at least two owners besides other users with document-specific roles (Editor, Restricted Editor, Viewer). Over time

  1. the team may grow and new members join the team in a specific team role
    --> new users have no access to individually assigned roles on a per-document basis
  2. some users leave the team
    --> this user poses a problem, because he no longer meets the conditions of the need-to-know principle
    --> this is a problem
  3. or leave the company
    --> this user will hopefully lose their account and will no longer have access to the content
    --> depending on compliance requirements, the user could be removed from the document access list
  4. Compliance requirement: "who potentially has access to the content of document top-secret.docx, and with what role per document (Owner, Editor, Restricted Editor, Viewer)?"
    --> to my limited knowledge, currently no existing tool I know of can do this task

Solutions (wicked and not really satisfactory ones):

  1. use PowerShell to bulk-update, assigning an owner and a list of members of a single role
    --> all existing individual assignments are lost; PS overwrites the whole existing protection description with the submitted, limited assignments
  2. use the MIP Client to do some bulk labelling in future releases.
  3. https://github.com/OlaProeis/FileLabeler is a very nice PowerShell-based solution, with the above limitations of the Purview PowerShell module

I created a command-line tool using the MIP SDK, targeting custom protection labels only (all the rest can be done using PowerShell, e.g. OlaProeis' tool).

  • Current status: pilot / basic tests of all assignments done
  • Generally it always scans a given local folder and its subfolders
  • all assignments are applied, using the submitted parameters, to all custom-protected documents protected by one single label GUID
  • multiple actions can be applied in one run, meaning --add..., --remove..., addAs..., etc. in one single call
  • All documents are preserved, meaning they remain 1:1 available untouched, and copies with a submitted trailer in the file name are created in the same folder as the original to have a safe fallback.
  • actions
    • --ListRightAssignments
      assignments are read out of each document protected by this very label GUID
      ... some metadata including cmd params, user, datetime, etc.
      ----------------------------------------------------------------------------------------------------------------------------------------
      InputFolder C:\temp\N01 --LogFileLocation c:\temp\ --ListRightAssignments
      ================================================================================
      $$$ file: C:\temp\N01\Non business Doc.docx is either not labelled or not protected $$$
      --------------------------------------------------------------------------------
      $$$ file: C:\temp\N01\Presentation.pptx is either not labelled or not protected $$$
      --------------------------------------------------------------------------------
      Assignments read by username: email address removed for privacy reasons / 11-02-2026 21:14:46
      Document : C:\temp\N01\y6qld_internal-to-strictly.docx
      Owner : email address removed for privacy reasons
      0) Rights:DOCEDIT, EDIT, EXTRACT, PRINT, VIEW | Users:email address removed for privacy reasons
      1) Rights:OWNER | Users:email address removed for privacy reasons
      2) Rights:VIEW | Users:email address removed for privacy reasons
      --------------------------------------------------------------------------------
    • --ProcessAssignment with the following actions
      • --addAccessAs <source e-mail 1, target e-mail 1, target e-mail 2 [,target e-mail n] ; source e-mail 2, target e-mail 5 [,target e-mail n]>
        add the list of e-mails with the role of the first e-mail; multiple assignments are separated by ";"
      • --SetOwner <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
        list of e-mails. The first will be set as Owner on the document, consecutive members of the list will be placed in the list of owners. Any existing Owner is overridden
      • --AddOwner <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
        the listed e-mails are removed from all other roles of the document and then added to the list of owners
      • --RemoveAccess <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
        e-mails are removed from any document access list
      • --AddEditor <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
      • --AddRestricedEditor <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
      • --AddViewer <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
    • Parameters
      • --TenantGUID
      • --AdHocLabelID
      • --ClientID (ClientID, your EnterpriseApp GUID)
      • --InputFolder
      • --LogFileLocation
      • --OutputFileTrailer <_mipupd> --> originalFile.docx --> originalFile_MIPUPD.docx


With this tool we can meet basic compliance requirements regarding the rights audit trail, and we can support the document lifecycle of users. Said all this, the tool is meant to be used by the corresponding admins only, behind a well-defined workflow integrated in a ticketing system. All logs produced are part of the assignment and must be kept altogether to guarantee the audit trail. One note at the end: the app registration is configured in delegated mode, meaning that administrators must assign the MIP superuser role to themselves as part of the ticket, which thus respects audit trail requirements. Generally this functionality may put a high risk on protected data. Therefore it is highly recommended to design the workflow around the tool in the first place, together with your legal dept., to include all their requirements, and possibly to include them in the approval workflow before even touching the crown jewels of your organization. This may not be the holy grail, but at least a pilot starting point to become lifecycle-ready with MIP custom protection.


Comments welcome.

Max
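As an added example (not code from the original post, and not the author's tool or the MIP SDK), the following Python models what the actions listed in the post do to a single document's rights descriptor, and why they are safe where the PowerShell route is not: every action is a read-modify-write on the existing "rights set -> users" entries, so assignments that are not mentioned in the call survive. It parses a listing in the shape of the --ListRightAssignments output, applies the joiner/leaver cases from the post, answers the "who has potential access, in what role" question and checks the team's two-owner rule. Assumptions: the role-to-rights mapping is read off the sample listing in the post (Restricted Editor is left out because its rights are not shown there), --SetOwner keeps the first e-mail in the OWNER list as well, and SAMPLE_LISTING with all e-mail addresses is constructed for this example.

```python
"""Model of the rights-descriptor edits the post describes (added example: NOT
the author's tool and NOT the MIP SDK). A custom protection is modelled as
"rights set -> users" entries, the shape of the post's --ListRightAssignments
output, and every action is a read-modify-write on that model so existing
individual assignments survive. SAMPLE_LISTING and all addresses are constructed.
"""
import re
from dataclasses import dataclass, field

Rights = frozenset[str]

# Rights per role as shown in the post's listing. "Restricted Editor" is not
# modelled because the post does not show which rights it carries.
ROLE_RIGHTS: dict[str, Rights] = {
    "Owner": frozenset({"OWNER"}),
    "Editor": frozenset({"DOCEDIT", "EDIT", "EXTRACT", "PRINT", "VIEW"}),
    "Viewer": frozenset({"VIEW"}),
}
RIGHTS_ROLE = {rights: role for role, rights in ROLE_RIGHTS.items()}

SAMPLE_LISTING = r"""Document : C:\temp\N01\y6qld_internal-to-strictly.docx
Owner : owner1@example.test
0) Rights:DOCEDIT, EDIT, EXTRACT, PRINT, VIEW | Users:editor1@example.test
1) Rights:OWNER | Users:owner1@example.test, owner2@example.test
2) Rights:VIEW | Users:viewer1@example.test
"""

@dataclass
class Protection:
    """One document's custom protection: the RMS owner plus its rights entries."""
    document: str
    owner: str
    entries: dict[Rights, set[str]] = field(default_factory=dict)

def _norm(email: str) -> str:
    return email.strip().lower()

def parse_listing(text: str) -> list[Protection]:
    """Parse 'Document :', 'Owner :' and 'n) Rights:... | Users:...' lines."""
    docs: list[Protection] = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Document :"):
            docs.append(Protection(line.split(":", 1)[1].strip(), owner=""))
        elif line.startswith("Owner :") and docs:
            docs[-1].owner = _norm(line.split(":", 1)[1])
        elif (m := re.match(r"\d+\) Rights:(.+?) \| Users:(.+)", line)) and docs:
            rights = frozenset(r.strip().upper() for r in m.group(1).split(","))
            users = {_norm(u) for u in m.group(2).split(",")}
            docs[-1].entries.setdefault(rights, set()).update(users)
    return docs

def remove_access(p: Protection, users: list[str]) -> None:
    """--RemoveAccess: drop the users from every rights entry of the document."""
    gone = {_norm(u) for u in users}
    for rights in list(p.entries):
        p.entries[rights] -= gone
        if not p.entries[rights]:
            del p.entries[rights]

def add_with_rights(p: Protection, rights: Rights, users: list[str]) -> None:
    """--AddEditor / --AddViewer: add users to the entry for one rights set."""
    p.entries.setdefault(rights, set()).update(_norm(u) for u in users)

def add_access_as(p: Protection, source: str, targets: list[str]) -> None:
    """--addAccessAs: the targets get every rights entry the source user holds."""
    src = _norm(source)
    for users in p.entries.values():
        if src in users:
            users.update(_norm(t) for t in targets)

def add_owner(p: Protection, users: list[str]) -> None:
    """--AddOwner: remove from all other roles, then add to the OWNER entry."""
    remove_access(p, users)
    add_with_rights(p, ROLE_RIGHTS["Owner"], users)

def set_owner(p: Protection, owners: list[str]) -> None:
    """--SetOwner: first e-mail becomes document owner, the OWNER entry is replaced
    by the whole list (assumption: the first e-mail is kept in that list too)."""
    p.owner = _norm(owners[0])
    p.entries[ROLE_RIGHTS["Owner"]] = {_norm(o) for o in owners}

def access_report(p: Protection) -> dict[str, set[str]]:
    """Compliance question 4 of the post: who can potentially access, in what role."""
    report: dict[str, set[str]] = {p.owner: {"Owner"}} if p.owner else {}
    for rights, users in p.entries.items():
        role = RIGHTS_ROLE.get(rights, "Rights:" + ",".join(sorted(rights)))
        for u in users:
            report.setdefault(u, set()).add(role)
    return report

def check_min_owners(p: Protection, minimum: int = 2) -> bool:
    """Team rule from the post: at least two owners must remain after an update."""
    owners = set(p.entries.get(ROLE_RIGHTS["Owner"], set())) | {p.owner} - {""}
    return len(owners) >= minimum

if __name__ == "__main__":
    doc = parse_listing(SAMPLE_LISTING)[0]
    add_access_as(doc, "editor1@example.test", ["newbie@example.test"])  # joiner
    remove_access(doc, ["editor1@example.test"])                          # leaver
    print(access_report(doc), check_min_owners(doc))
```

The model deliberately stops short of writing anything back: the point is the merge step, as against the replace-everything behaviour the post describes for the PowerShell route, and `access_report` before and after each run is exactly what the per-ticket log needs to capture for the audit trail. `check_min_owners` is the kind of guard a workflow should run before a --RemoveAccess or --SetOwner is committed, since nothing in the descriptor itself enforces the team's two-owner agreement.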
