Forum Discussion

riverazure's avatar
riverazure
Copper Contributor
Mar 12, 2025

Users with Business Premium License can see the content of labeled encrypted files?

Dears,

 

In my company we have different users with different licenses. Some have Microsoft Business Premium, others have Enterprise E5

 

In the organization, we have a collection of different things that we want to apply sentitivity labels:

 

1 - Files (Word, excel, powerPoint, etc..) which exist in a One Drive place

 

2 - Files (Word, excel, powerPoint, etc..) which exist in Azure Shared file drive 

 

3- Files (Word, excel, powerPoint, etc..) which exist in AWS Shares Drives

 

4- Files (Word, excel, powerPoint, etc..) which exist in AWS S3 buckets

 

Questions:

 

1 - Is it possible to apply sensitivity labels directly to the files which exist in all this different shared drives? or AWS is not possible?

2 - Please note, we want the labels to be sticked to the files to classify them but as well to encrypt those files so that only allowed people can decrypt them and see its content

3 - Some users have business licenses and others have enterprise E5 licenses. I know that the ones with enterprise licence , if they have permissions they will be able to see the content of the files. But what about the users which have business premium licenses will the license affect their capability to see the content of the file because they are not able to decrypt it ?

 

Thanks, Pedro

 

 

 

 

 

1 Reply

  • milgo's avatar
    milgo
    Icon for Microsoft rankMicrosoft
    Mar 28, 2025

    Great questions! Thanks for reaching out Pedro!

    1. Sensitivity labels can be applied to files stored in Microsoft Environment. However, applying sensitivity labels directly to files stored in AWS Shared Drives and AWS S3 buckets is not natively supported by Purview Information as these are different environments where we may not have direct access to apply the protection features.
    2. Yes, sensitivity labels can be configured to both classify and encrypt files. When a sensitivity label with encryption is applied to a file, only users who have been granted access through the label's permissions can decrypt and view the content. 
      The documentation (Apply encryption using sensitivity labels | Microsoft Learn) states that “When a document, email, or meeting invite is encrypted, access to the content is restricted, so that it-Can be decrypted only by users authorized by the label's encryption settings.”
      Helpful documentation here- https://learn.microsoft.com/en-us/purview/sensitivity-labels?view=o365-worldwide#what-sensitivity-labels-can-do
    3. For encrypted files, the ability to decrypt and view the content depends on the permissions set in the sensitivity label. If a Business Premium user is included in the permissions, they will be able to decrypt and access the content. This document provides a detailed description of what to expect based on the licensing. Microsoft Purview service description - Service Descriptions | Microsoft Learn

Resources