Forum Discussion
Restricting Modification of Purview Labels
Apply encryption to the "Highly Confidential" label. Then, when you configure the permissions, create two groups of users.
Group 1: standard business users do not have the "Export" and "Full Control" permissions set. For example, Editor or Restricted permissions. These permissions are needed to allow users to remove or change the encrypted label.
Group 2: Users who are authorized to change the label. These must have the "Export" and "Full Control" permissions set, e.g. Owner.
Make sure these two groups of users are not named individuals but either an email-enabled security group, a distribution group, or a Microsoft 365 group in Microsoft Entra ID, so that you can manage the controls outside of the label configuration.
When you need to share a subset of files labeled "Highly Confidential" with external users, then the authorized users can change the label. For example, you could set up another encrypted label with user-defined permissions to share externally to a named user with encryption. Or the authorized user could select a label without encryption.
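The two-group permission split described in the post above, sketched in Security & Compliance PowerShell as an added example that is not part of the original post. The group addresses are placeholders, and the script assumes the ExchangeOnlineManagement module and a label whose display name is "Highly Confidential".

```powershell
# Added example. Placeholder values: replace both group addresses with your own
# mail-enabled security groups, distribution groups or Microsoft 365 groups.
$LabelName       = 'Highly Confidential'
$StandardGroup   = 'hc-standard-users@contoso.example'    # Group 1 (placeholder)
$AuthorizedGroup = 'hc-label-managers@contoso.example'    # Group 2 (placeholder)

# Group 1: Editor-level usage rights. EXPORT and OWNER (Full Control) are left out,
# so members cannot remove or downgrade the encrypted label.
$EditorRights = 'VIEW','VIEWRIGHTSDATA','DOCEDIT','EDIT','PRINT','EXTRACT',
                'REPLY','REPLYALL','FORWARD','OBJMODEL'

# Group 2: Owner-level usage rights, which add EXPORT, EDITRIGHTSDATA and OWNER.
$OwnerRights = $EditorRights + 'EXPORT','EDITRIGHTSDATA','OWNER'

# Guard against a later edit that grants Group 1 the rights it must not hold.
$forbidden = $EditorRights | Where-Object { $_ -in 'EXPORT','OWNER' }
if ($forbidden) {
    throw "Group 1 must not hold: $($forbidden -join ', ')"
}

# Format expected by -EncryptionRightsDefinitions:
#   identity1:RIGHT,RIGHT;identity2:RIGHT,RIGHT
$RightsDefinitions = '{0}:{1};{2}:{3}' -f `
    $StandardGroup,   ($EditorRights -join ','),
    $AuthorizedGroup, ($OwnerRights  -join ',')

Connect-IPPSSession

# Resolve the label and stop if the display name is missing or ambiguous.
$label = @(Get-Label | Where-Object { $_.DisplayName -eq $LabelName })
if ($label.Count -ne 1) {
    throw "Expected exactly one label named '$LabelName', found $($label.Count)."
}

Set-Label -Identity $label[0].Guid `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $RightsDefinitions
```

Because the rights are assigned to groups, moving a user between Group 1 and Group 2 is a membership change in Microsoft Entra ID and needs no further change to the label.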