We recently discovered a bug in the Microsoft Information Protection SDK that may cause MIP SDK clients to fail to download policy updates. The root cause has to do with how we cache service discovery information. We've released updates for MIP SDK versions 1.2 and 1.3. You can find those updates here:
When the MIP SDK fetches the label policy for a specific user, it makes a call to https://dataservice.protection.outlook.com. This endpoint looks up the service location for that specific user and returns an HTTP 301, redirecting the client to an endpoint specific to their location in the Exchange Online infrastructure. That will look something like this: https://nam01b.dataservice.protection.outlook.com. The SDK caches this 301 redirect. The next time the client needs to fetch policy, the SDK uses this cached result to skip discovery and directly connects to the endpoint.
Occasionally, the Office 365 team moves tenants to different segments of the Exchange Online infrastructure. In the event that a client has already cached the endpoint from the 301 redirect and then the tenant is moved elsewhere, the endpoint in Office will return another HTTP 301 redirect with the new location. The SDK will treat this as an error, as it thinks it already has the authoritative result, and tries again to fetch labels. It retries a few times, then fails.
The result is that clients that have already fetched policy will never update policy if administrators make updates to the policy.
This issue applies only if the MIP SDK implementation is using the on disk cache. If the cache is in memory, simply restart the application to resolve. For applications using the on disk cache, you must:
The Azure Information Protection Unified Labeling client, which uses the MIP SDK, can be reset by the user navigating to Sensitivity -> Help and Feedback -> Reset Settings. The client will clear its cache and update policy.
Please leave any questions or comments below!
-@Tom Moser and the MIP SDK Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.