Forum Discussion

Max Philipp Blickenstorfer
Feb 11, 2026

Lifecycle using Custom Protection with Purview Sensitivity Labels

Organizations using Purview Sensitivity Labels with custom protection face a fundamental governance challenge: there is no lifecycle‑ready way to maintain, audit, or update per‑document user rights as teams evolve. This affects compliance, need‑to‑know enforcement, and operational security.

 

Document lifecycle challenges

  • Team growth: new members do not inherit document‑specific rights.
  • Team shrinkage: departing members retain access unless manually removed.
  • Employee offboarding: accounts are disabled, but compliance may require explicit removal from protected documents.
  • Audit requirements: organizations need to answer “Who has what rights on document X?” — and today, no native tool provides this for custom‑protected files.

 

| Existing method | Limitation |
| --- | --- |
| Purview PowerShell | Overwrites all existing assignments; no granular updates |
| MIP Client | Not yet capable of bulk lifecycle operations |
| OlaProeis/FileLabeler | Great tool, but limited by the same PowerShell constraints |

What the tool enables

  • Rights audit trail per document
  • Controlled lifecycle updates (add/remove/transfer rights)
  • Preservation of original files for rollback
  • Multi‑action batch processing
  • Admin‑only delegated workflow with MIP superuser role
  • Full logging for compliance

Supported operations

  • ListRightAssignments – extract all rights from each document under a given label GUID
  • SetOwner / AddOwner – assign or add owners
  • AddEditor / AddRestrictedEditor / AddViewer – role‑based additions
  • RemoveAccess – remove any user from all roles
  • AddAccessAs – map one user’s role to one or more new users
  • Multi‑action execution – combine operations in a single run
  • Safe mode – original files preserved; updated copies created with a trailer

Because this tool can modify access to highly sensitive content, it must be embedded in a controlled workflow: ticket‑based approval, delegated admin, MIP superuser assignment, and retention of all logs as part of the audit trail. This ensures compliance with need‑to‑know, separation of duties, and legal requirements.

 

I would appreciate feedback from the community and Microsoft product teams on:

  • whether similar lifecycle capabilities are planned for Purview
  • whether the MIP SDK is the right long‑term approach
  • how others handle custom‑protected document lifecycle today
  • interest in collaborating on a more robust open‑source version

 

Max
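The following is an added example, not code from the post or from the tool it describes: a small Python model of a multi-action handover run in safe mode, showing why AddAccessAs must be ordered before RemoveAccess for the departing user. The in-memory rights map, the user names and the exact operation semantics are assumptions inferred from the one-line descriptions in the list above.

```python
from copy import deepcopy

def list_right_assignments(doc):
    """Sorted (user, role) pairs for one document: the per-document audit view."""
    return sorted((u, r) for r, users in doc.items() for u in users)

def remove_access(doc, user):
    """Remove user from every role; return the roles that changed."""
    roles = sorted(r for r, users in doc.items() if user in users)
    for r in roles:
        doc[r].discard(user)
    return roles

def add_access_as(doc, source, new_users):
    """Give new_users every role that source holds at this moment."""
    roles = sorted(r for r, users in doc.items() if source in users)
    for r in roles:
        doc[r].update(new_users)
    return roles

ACTIONS = {"RemoveAccess": remove_access, "AddAccessAs": add_access_as}

def run_batch(docs, actions):
    """Apply actions in order to copies; the originals are kept for rollback."""
    updated, audit = deepcopy(docs), []
    for name, doc in updated.items():
        for op, *args in actions:
            # One audit entry per document and action, including no-op results.
            audit.append((name, op, args, ACTIONS[op](doc, *args)))
    return updated, audit

def ownerless(docs):
    """Documents left without any Owner, which a reviewer should block."""
    return sorted(n for n, doc in docs.items() if not doc.get("Owner"))

# Constructed sample data (assumption): document name -> role -> set of users.
DOCS = {
    "plan.docx": {"Owner": {"alice"}, "Editor": {"bob"}, "Viewer": set()},
    "budget.xlsx": {"Owner": {"bob"}, "Editor": set(), "Viewer": {"alice"}},
}
# bob leaves the team and carol takes over his roles.
HANDOVER = [("AddAccessAs", "bob", ["carol"]), ("RemoveAccess", "bob")]

if __name__ == "__main__":
    updated, audit = run_batch(DOCS, HANDOVER)
    for entry in audit:
        print(entry)
    print("ownerless after handover:", ownerless(updated))
    wrong, _ = run_batch(DOCS, list(reversed(HANDOVER)))
    print("ownerless if reversed:", ownerless(wrong))
```

Running the same two actions in reverse order leaves carol with no rights and one document without an owner, which is the kind of result the audit log and an approval step are there to catch.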

1 Reply

  • Apology for the repeated posts

    Hi everyone,

    Just a quick note to apologize for the repeated versions of my post earlier. I ran into some issues with the community content checks — especially the automatic removal of e‑mail addresses and similar corrections — and ended up having to repost a few times until the formatting finally passed validation.

    I didn’t intend to clutter the thread or create extra noise. Thanks for your patience and understanding.

    Max