%3CLINGO-SUB%20id%3D%22lingo-sub-916941%22%20slang%3D%22en-US%22%3EImportant%20Update%20for%20MIP%20SDK%201.2%20and%201.3%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916941%22%20slang%3D%22en-US%22%3E%3CH2%20id%3D%22mip-sdk-service-discovery-cache-fix%22%20id%3D%22toc-hId-1846185652%22%20id%3D%22toc-hId-1846185652%22%20id%3D%22toc-hId-1846185652%22%20id%3D%22toc-hId-1846185652%22%3EMIP%20SDK%20Service%20Discovery%20Cache%20Fix%3C%2FH2%3E%0A%3CP%3EWe%20recently%20discovered%20a%20bug%20in%20the%20Microsoft%20Information%20Protection%20SDK%20that%20may%20cause%20MIP%20SDK%20clients%20to%20fail%20to%20download%20policy%20updates.%20The%20root%20cause%20has%20to%20do%20with%20how%20we%20cache%20service%20discovery%20information.%20We've%20released%20updates%20for%20MIP%20SDK%20versions%201.2%20and%201.3.%20You%20can%20find%20those%20updates%20here%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fmipsdkbins1.2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMIP%20SDK%201.2%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fmipsdkbins%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMIP%20SDK%201.3%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.nuget.org%2Fpackages%3Fq%3D%252Bmicrosoft%2B%252Binformationprotection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENuGet%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId--705971309%22%20id%3D%22toc-hId--705971309%22%20id%3D%22toc-hId--705971309%22%20id%3D%22toc-hId--705971309%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22root-cause%22%20id%3D%22toc-hId-1036839026%22%20id%3D%22toc-hId-1036839026%22%20id%3D%22toc-hId-1036839026%22%20id%3D%22toc-hId-1036839026%22%3ERoot%20Cause%3C%2FH2%3E%0A%3CP%3EWhen%20the%20MIP%20SDK%20fetches%20the%20label%20policy%20for%20a%20specific%20user%2C%20it%20makes%20a%20call%20to%20%3CA%20href%3D%22https%3A%2F%2Fdataservice.protection.outlook.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdataservice.protection.outlook.com%3C%2FA%3E.%20This%20endpoint%20looks%20up%20the%20service%20location%20for%20that%20specific%20user%20and%20returns%20an%20HTTP%20301%2C%20redirecting%20the%20client%20to%20an%20endpoint%20specific%20to%20their%20location%20in%20the%20Exchange%20Online%20infrastructure.%20That%20will%20look%20something%20like%20this%3A%20%3CSTRONG%3E%3CA%20href%3D%22https%3A%2F%2Fnam01b.dataservice.protection.outlook.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fnam01b.dataservice.protection.outlook.com%3C%2FA%3E%3C%2FSTRONG%3E.%20The%20SDK%20%3CSTRONG%3Ecaches%20this%20301%20redirect%3C%2FSTRONG%3E.%20The%20next%20time%20the%20client%20needs%20to%20fetch%20policy%2C%20the%20SDK%20uses%20this%20cached%20result%20to%20skip%20discovery%20and%20directly%20connects%20to%20the%20endpoint.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOccasionally%2C%20the%20Office%20365%20team%20moves%20tenants%20to%20different%20segments%20of%20the%20Exchange%20Online%20infrastructure.%20In%20the%20event%20that%20a%20client%20has%20already%20cached%20the%20endpoint%20from%20the%20301%20redirect%20and%20%3CSTRONG%3Ethen%3C%2FSTRONG%3E%20the%20tenant%20is%20moved%20elsewhere%2C%20the%20endpoint%20in%20Office%20will%20return%20another%20HTTP%20301%20redirect%20with%20the%20new%20location.%20The%20SDK%20will%20treat%20this%20as%20an%20error%2C%20as%20it%20thinks%20it%20already%20has%20the%20authoritative%20result%2C%20and%20tries%20again%20to%20fetch%20labels.%20It%20retries%20a%20few%20times%2C%20then%20fails.%3C%2FP%3E%0A%3CP%3EThe%20result%20is%20that%20clients%20that%20have%20already%20fetched%20policy%20will%20never%20update%20policy%20if%20administrators%20make%20updates%20to%20the%20policy.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1515317935%22%20id%3D%22toc-hId--1515317935%22%20id%3D%22toc-hId--1515317935%22%20id%3D%22toc-hId--1515317935%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22workaround%22%20id%3D%22toc-hId-227492400%22%20id%3D%22toc-hId-227492400%22%20id%3D%22toc-hId-227492400%22%20id%3D%22toc-hId-227492400%22%3EWorkaround%3C%2FH2%3E%0A%3CP%3EThis%20issue%20applies%20only%20if%20the%20MIP%20SDK%20implementation%20is%20using%20the%20on%20disk%20cache.%20If%20the%20cache%20is%20in%20memory%2C%20simply%20restart%20the%20application%20to%20resolve.%20For%20applications%20using%20the%20on%20disk%20cache%2C%20you%20must%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnd%20the%20process%20that%20is%20using%20MIP%20SDK.%3C%2FLI%3E%0A%3CLI%3ERemove%20the%20MIP%20cache%20storage.%20The%20location%20of%20this%20will%20vary%20by%20application%20implementation%2C%20but%20the%20databases%20are%20called%20%3CSTRONG%3Emip.policies.sqlite3%3C%2FSTRONG%3E%20and%20%3CSTRONG%3Emip.protection.sqlite3%3C%2FSTRONG%3E.%20The%20SDK%20will%20recreate%20them%20at%20next%20app%20launch.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Azure%20Information%20Protection%20Unified%20Labeling%20client%2C%20which%20uses%20the%20MIP%20SDK%2C%20can%20be%20reset%20by%20the%20user%20navigating%20to%20%3CSTRONG%3ESensitivity%3C%2FSTRONG%3E%20-%26gt%3B%20%3CSTRONG%3EHelp%20and%20Feedback%3C%2FSTRONG%3E%20-%26gt%3B%20%3CSTRONG%3EReset%20Settings%3C%2FSTRONG%3E.%20The%20client%20will%20clear%20its%20cache%20and%20update%20policy.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20leave%20any%20questions%20or%20comments%20below!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3319%22%20target%3D%22_blank%22%3E%40Tom%20Moser%3C%2FA%3E%26nbsp%3Band%20the%20MIP%20SDK%20Team%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-916941%22%20slang%3D%22en-US%22%3E%3CP%3EWe've%20released%20an%20important%20update%20that%20fixes%20an%20issue%20in%20a%20specific%20situation%20where%20clients%20may%20stop%20updating%20policy.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-916941%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1168728%22%20slang%3D%22en-US%22%3ERe%3A%20Important%20Update%20for%20MIP%20SDK%201.2%20and%201.3%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1168728%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI%20tried%20the%20steps%20you%20said%20but%20to%20no%20avail.%20I've%20updated%20my%20policy%20in%20the%20security%20and%20compliance%20center.%20But%20I'm%20encountering%20the%20error%20saying%20%22failed%20to%20download%20Information%20Protection%20policy%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20getting%20this%20error%20as%20seen%20below.%20Please%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22natpascual1330_1-1581495192857.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F170795i91E08581D7278EF4%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22natpascual1330_1-1581495192857.png%22%20alt%3D%22natpascual1330_1-1581495192857.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1169977%22%20slang%3D%22en-US%22%3ERe%3A%20Important%20Update%20for%20MIP%20SDK%201.2%20and%201.3%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1169977%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20looks%20like%20what%20may%20be%20an%20auth%20issue%20as%20it's%20not%20indicating%20you're%20signed%20in%20as%20any%20user.%20Can%20you%20try%20to%20reset%20settings%20and%20log%20in%20again%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

MIP SDK Service Discovery Cache Fix

We recently discovered a bug in the Microsoft Information Protection SDK that may cause MIP SDK clients to fail to download policy updates. The root cause has to do with how we cache service discovery information. We've released updates for MIP SDK versions 1.2 and 1.3. You can find those updates here:

 

Root Cause

When the MIP SDK fetches the label policy for a specific user, it makes a call to https://dataservice.protection.outlook.com. This endpoint looks up the service location for that specific user and returns an HTTP 301, redirecting the client to an endpoint specific to their location in the Exchange Online infrastructure. That will look something like this: https://nam01b.dataservice.protection.outlook.com. The SDK caches this 301 redirect. The next time the client needs to fetch policy, the SDK uses this cached result to skip discovery and directly connects to the endpoint.

 

Occasionally, the Office 365 team moves tenants to different segments of the Exchange Online infrastructure. In the event that a client has already cached the endpoint from the 301 redirect and then the tenant is moved elsewhere, the endpoint in Office will return another HTTP 301 redirect with the new location. The SDK will treat this as an error, as it thinks it already has the authoritative result, and tries again to fetch labels. It retries a few times, then fails.

The result is that clients that have already fetched policy will never update policy if administrators make updates to the policy.

 

Workaround

This issue applies only if the MIP SDK implementation is using the on disk cache. If the cache is in memory, simply restart the application to resolve. For applications using the on disk cache, you must:

  • End the process that is using MIP SDK.
  • Remove the MIP cache storage. The location of this will vary by application implementation, but the databases are called mip.policies.sqlite3 and mip.protection.sqlite3. The SDK will recreate them at next app launch.

 

 

The Azure Information Protection Unified Labeling client, which uses the MIP SDK, can be reset by the user navigating to Sensitivity -> Help and Feedback -> Reset Settings. The client will clear its cache and update policy. 

 

Please leave any questions or comments below!

 

-@Tom Moser and the MIP SDK Team

2 Comments
Occasional Visitor

Hi,

I tried the steps you said but to no avail. I've updated my policy in the security and compliance center. But I'm encountering the error saying "failed to download Information Protection policy

I'm getting this error as seen below. Please help.

 

natpascual1330_1-1581495192857.png

 

 

Microsoft

This looks like what may be an auth issue as it's not indicating you're signed in as any user. Can you try to reset settings and log in again?