Forum Discussion

jmartos's avatar
jmartos
Occasional Reader
May 12, 2026

Separating IRM Full Control from Excel Worksheet Protection

We've developed several excel workbooks that leverage VBA macros with workbook structure and worksheet password protections to maintain standards.  The VBA macros unlock workbook/sheet protections to perform tasks and relock on completion.  Our executive management has tasked us to protect the workbooks to prevent unauthorized access so we have applied a sensitivity label to restrict access to an AD group (Project Managers). However, short of granting Full Control, the IRM prevents the macros from removing sheet/book protections.  We have tried to allow permissions for OBJMODEL and DOCEDIT already at Copilot's recommendation but this was unsuccessful. We don't want to grant full control because users are then able to remove the document label.

 

Any suggestions for how to grant workbook/sheet protection permission without allowing users to remove labels? At this time the best we've come up with is to grant the full access but require an explanation for a label downgrade with an alert to the admin/document owner.

1 Reply

  • AS1522's avatar
    AS1522
    Icon for Microsoft rankMicrosoft
    May 13, 2026

    Hi jmartos​ 

    This behavior is expected based on how IRM (sensitivity labels) handle permissions.

    Once a sensitivity label with restricted access is applied, macros don’t have enough permission to modify workbook or worksheet protections unless Full Control is granted. Essentially, the system doesn’t currently distinguish well between:

    • Macro actions (like unprotecting sheets/workbooks), and
    • Sensitive actions (like removing or downgrading labels)

    Because of this, configurations like OBJMODEL or DOCEDIT on their own won’t resolve the issue.

    What you can consider:

    1. Controlled Full Control access
      You can grant Full Control via a managed group (like Project Managers), and then put governance in place such as:
    • Requiring justification for any label downgrade/removal (so you know who made the change and why, potentially even adding an approval step)
    • Using audit logs and alerts to track activity
    1. Hybrid model
      Allow the access needed for macros to function, but rely on monitoring and policy-based controls to manage sensitive actions instead of trying to strictly block everything at the permission level.

    At the moment, there isn’t a way to let macros manage workbook/worksheet protection while fully preventing label modifications within the same permission scope. Let me know for any follow up questions.