Forum Discussion
Restricting Modification of Purview Labels
We have a use case where we have a set of files that are going to have a label applied (let's say for discussion purposes the label that is being applied is "Highly Confidential") using the Azure Purview Scanner (although any method of applying the label should suffice for this use case). That label is not going to be made visually selectable/available to any Active Directory/Azure AD account (meaning it will not be visible to those accounts in MS Word, MS Excel, MS PowerPoint, SharePoint or any other application where labeling has been made available and impacts the file itself). All Active Directory/Azure AD user accounts will have access to apply 3 additional labels of "Public", "Internal", and "Confidential" to files that do not meet the qualifiers to be labeled "Highly Confidential". We want a way of preventing any one of those user accounts from modifying or removing the label only when the label applied to the file is "Highly Confidential". We also need to be able to share a subset (this subset is not a fixed number of files) of the files that have the "Highly Confidential" label applied with external parties via Exchange Online. We have attempted to use the permissions made available in the Purview product today to help achieve our use case --- but that also means we have to apply encryption (there is no "OR" option). We have tried numerous methods of applying encryption and at the same time attempting to ensure that the external email experience is seamless (or at least consistent across platforms). Unfortunately, we have been unsuccessful to date (just not a great user experience). So, either we need a way of decoupling permissions and encryption (assuming that will even achieve our end goal) or an alternate solution which allows the user to apply one of the 3 labels I mentioned without the ability to remove/modify the "Highly Confidential" label where it is applied.
3 Replies
- qcjacobo77 (Copper Contributor)
nikkichapple, I guess the other (related) ask is that if we are using the Purview on-premises scanner to apply a label (such as "Highly Confidential") to an on-premises file (such as a file that exists on a Windows file server), there should be a way to restrict the ability to change that label so that only a select group of individuals (or individuals who are part of a defined group) can change it (due to the simple fact that the label was applied programmatically as opposed to being applied by a human) --- however, again, this would need to be accomplished without invoking encryption (meaning solely a permission applied to the label).
- qcjacobo77 (Copper Contributor)
nikkichapple, very much appreciate your take on a solution to the problem.
Two challenges I am anticipating with this approach:
- The point in the process where the business user is going to send an attachment with the "Highly Confidential" label applied. This step requires that the user (100% of the time) successfully modify the label applied to the file attachment (to one without permissions --- thus without encryption) such as "Highly Confidential/External Access". On occasion, only due to human error (and nothing technical in place to prevent such human error), the user is going to forget to apply this change.
- Because of the human error aspect (mentioned above), the email will be sent (nothing preventing it from being sent), the external user experience (due to validated inconsistency between iOS, Android, and Windows) will be less than ideal (in some cases preventing that external individual from accessing that email at all), and the business will experience an unnecessary delay (delay between the original message send and the notification to re-send without encryption).
We tried to find a way to change the label of the email attachment in a programmatic fashion (to remove the encryption/permissions), but were unable to identify a solution (we could only affect the email message itself).
Still would be nice if Microsoft would provide the ability in the Purview product to choose if we want to leverage permissions OR encryption for a specific label or set of labels. This would give us the ability to apply granular control and access over the labels themselves while not introducing the barriers of the clunky external encryption experience (across iOS, Android, Windows etc.).
If you have any ideas/thoughts, let me know. Happy to jump on a call to discuss as well.
If you apply encryption to the "Highly Confidential" label, then when you configure the permissions, create two groups of users.
Group 1: standard business users, who do not have the "Export" and "Full Control" permissions set (for example, Editor or Restricted permissions). These permissions are needed to allow users to remove or change the encrypted label.
Group 2: users who are authorized to change the label. These must have the "Export" and "Full Control" permissions set, e.g. Owner.
Make sure these two groups of users are not named individuals but a mail-enabled security group, a distribution group, or a Microsoft 365 group in Microsoft Entra ID, so that you can manage the controls outside of the label configuration.
When you need to share a subset of files labeled "Highly Confidential" with external users, the authorized users can change the label. For example, you could set up another encrypted label with user-defined permissions to share externally with a named user with encryption. Or the authorized user could select a label without encryption.
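The two-group permission layout described in the reply above, expressed as a Security & Compliance PowerShell configuration (an added example, not code from the thread or from any of its participants). The group addresses are assumed placeholders; the usage-right encodings are the Rights Management names that Set-Label's -EncryptionRightsDefinitions parameter accepts, and the session is assumed to be already connected with Connect-IPPSSession.

```powershell
# Added example: give standard users editing rights on "Highly Confidential" but
# withhold EXPORT and OWNER (Full Control), so only the authorized group can
# change or remove the encrypted label. Group names below are assumed placeholders.
# Prerequisites: Install-Module ExchangeOnlineManagement; Connect-IPPSSession

$standardUsers   = "hc-standard-users@contoso.example"   # assumed mail-enabled security group
$authorizedUsers = "hc-label-owners@contoso.example"     # assumed mail-enabled security group

# Standard users: view/edit/print/reply/forward, but no EXPORT and no OWNER.
$standardRights   = "VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"
# Authorized users: OWNER (Full Control), which includes the Export right.
$authorizedRights = "OWNER"

# Syntax expected by -EncryptionRightsDefinitions: Identity1:Right,Right;Identity2:Right
# (-f formatting avoids PowerShell reading "$var:" as a scope/drive qualifier).
$rights = "{0}:{1};{2}:{3}" -f $standardUsers, $standardRights, $authorizedUsers, $authorizedRights

Set-Label -Identity "Highly Confidential" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType "Template" `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever "Never" `
    -EncryptionOfflineAccessDays 7

# Review the resulting encryption settings and confirm that OWNER/EXPORT appear
# only against the authorized group, never against the standard-user group.
Get-Label -Identity "Highly Confidential" | Format-List Name, Encryption*
```

Because the groups are Entra ID groups rather than named users, membership of the authorized group can be reviewed and changed without republishing the label.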