Forum Discussion
Separating IRM Full Control from Excel Worksheet Protection
MicrosoftHi jmartos
This behavior is expected based on how IRM (sensitivity labels) handle permissions.
Once a sensitivity label with restricted access is applied, macros don’t have enough permission to modify workbook or worksheet protections unless Full Control is granted. Essentially, the system doesn’t currently distinguish well between:
- Macro actions (like unprotecting sheets/workbooks), and
- Sensitive actions (like removing or downgrading labels)
Because of this, configurations like OBJMODEL or DOCEDIT on their own won’t resolve the issue.
What you can consider:
- Controlled Full Control access
You can grant Full Control via a managed group (like Project Managers), and then put governance in place such as:
- Requiring justification for any label downgrade/removal (so you know who made the change and why, potentially even adding an approval step)
- Using audit logs and alerts to track activity
- Hybrid model
Allow the access needed for macros to function, but rely on monitoring and policy-based controls to manage sensitive actions instead of trying to strictly block everything at the permission level.
At the moment, there isn’t a way to let macros manage workbook/worksheet protection while fully preventing label modifications within the same permission scope. Let me know for any follow up questions.
Thank you for the reply. This is the approach Copilot suggested that I summarized in my original post. I'll leave this open in the hope that someone might have another trick up their sleeve but it does appear that there is no path to do what we want done. Seems like an obvious blind spot for Microsoft. Well crafted macro-enabled workbooks would be near the top of the list of sensitive data companies would want to keep proprietary to their org.