Latest Discussions
Lifecycle using Custom Protection with Purview Sensitivity Labels

IMHO, usage of Purview Sensitivity Labels with custom protection lacks some very basic functionality to complete a document's lifecycle and meet basic governance requirements. I focus on the document lifecycle process and not on plain technical weaknesses of the product like missing telemetry on protection changes, etc.

Problem: A team of users handling strictly confidential content agrees to always assign at least two owners beside other users with document-specific roles (Editor, Restricted Editor, Viewer). Over time the team may grow:
- New members join the team in a specific team role --> new users have no access to individually assigned roles on a per-document basis.
- Some users leave the team --> this user poses a problem, because he no longer meets the conditions of the need-to-know principle --> this is a problem.
- Or users leave the company --> this user will hopefully lose their account and will no longer have access to the content --> depending on compliance requirements, the user could be removed from the document access list.

Compliance requirement: "Who potentially has access to the content of document top-secret.docx, and with what role per document (Owner, Editor, Restricted Editor, Viewer)?" --> to my limited knowledge, currently no existing tool I know of can do this task.

Solutions (wicked and not really satisfactory solutions):
- Use PowerShell to bulk-update, assigning an owner and a list of members of a single role --> all existing individual assignments are lost; PS overwrites the entire existing protection description with the submitted limited assignments.
- Use the MIP Client to do some bulk labelling in future releases.
- https://github.com/OlaProeis/FileLabeler is a very nice PowerShell-based solution, with the above limitations of the Purview PowerShell module.

I created a command line tool using the MIP SDK targeting custom protection labels only (all the rest can be done using PowerShell, e.g. OlaProeis' tool).

Current status: pilot / basic tests of all assignments done.

Generally:
- It always scans a given local folder and its subfolders.
- All assignments are applied, using the submitted parameters, to all custom-protected documents protected by one single label GUID.
- Multiple actions can be applied in one run, meaning --add..., --remove..., --addAccessAs..., etc. in one single call.
- All documents are preserved, meaning they are available 1:1 untouched, and copies with a submitted trailer in the file name are created in the same folder as the original to have a safe fallback.

Actions:

--ListRightAssignments
Assignments are read out of each document protected by this very label GUID, plus some metadata including cmd params, user, datetime, etc.

InputFolder C:\temp\N01 --LogFileLocation c:\temp\ --ListRightAssignments
================================================================================
$$$ file: C:\temp\N01\Non business Doc.docx is either not labelled or not protected $$$
--------------------------------------------------------------------------------
$$$ file: C:\temp\N01\Presentation.pptx is either not labelled or not protected $$$
--------------------------------------------------------------------------------
Assignments read by username: email address removed for privacy reasons / 11-02-2026 21:14:46
Document : C:\temp\N01\y6qld_internal-to-strictly.docx
Owner : email address removed for privacy reasons
0) Rights:DOCEDIT, EDIT, EXTRACT, PRINT, VIEW | Users:email address removed for privacy reasons
1) Rights:OWNER | Users:email address removed for privacy reasons
2) Rights:VIEW | Users:email address removed for privacy reasons
--------------------------------------------------------------------------------

--ProcessAssignment with the following actions:
- --addAccessAs <Source e-mail 1, target e-mail 1, target e-mail 2[, target e-mail n]; Source e-mail 2, target e-mail 5[, target e-mail n]>: adds the list of e-mails with the role of the first e-mail; multiple assignments are separated by ";".
- --SetOwner <e-mail 1, e-mail 2, e-mail 3[, e-mail n]>: list of e-mails. The first will be set as Owner on the document; consecutive members of the list will be placed in the list of owners. Any existing Owner is overridden.
- --AddOwner <e-mail 1, e-mail 2, e-mail 3[, e-mail n]>: the listed e-mails are removed from all other roles of the document and then added to the list of owners.
- --RemoveAccess <e-mail 1, e-mail 2, e-mail 3[, e-mail n]>: the e-mails are removed from any document access list.
- --AddEditor <e-mail 1, e-mail 2, e-mail 3[, e-mail n]>
- --AddRestricedEditor <e-mail 1, e-mail 2, e-mail 3[, e-mail n]>
- --AddViewer <e-mail 1, e-mail 2, e-mail 3[, e-mail n]>

Parameters:
- --TenantGUID
- --AdHocLabelID
- --ClientID (ClientID, your EnterpriseApp GUID)
- --InputFolder
- --LogFileLocation
- --OutputFileTrailer <_mipupd> --> originalFile.docx --> originalFile_MIPUPD.docx

With this tool we can meet basic compliance requirements regarding the rights audit trail, and we can support the document lifecycle of users.

Having said all this: the tool is meant to be used by the corresponding admins only, behind a well-defined workflow integrated in a ticketing system. All logs produced are part of the assignment and must be kept together to guarantee the audit trail.

One note at the end: the app registration is configured in delegated mode, meaning that administrators must assign the MIP superuser role to themselves as part of the ticket, which thus respects audit trail requirements. Generally this functionality may put protected data at high risk. Therefore it is highly recommended to design the workflow around the tool in the first place, together with your legal department, to include all their requirements, and possibly to include them in the approval workflow before even touching the crown jewels of your organization.

This may not be the holy grail, but at least a pilot starting point to become lifecycle-ready with MIP custom protection. Comments welcome. Max

Max Philipp Blickenstorfer, Feb 11, 2026, Copper Contributor

Default Sensitivity Label to be added to migrated files (from Local Network Server)
Hi Experts, We are migrating our file-sharing services from a local network file server to MS Teams/SPO. The requirement is to enable and give default sensitivity labels to the migrated files. Manually assigning sensitivity labels to over a TB of files is hectic and could be prone to error as well. MS Purview MIP labels and label policies are configured; however, at present, only new documents and/or revised files are having sensitivity labels assigned. Any suggestions, guides, and tips will be highly appreciated. Thanks,

Rheyrhycsm, Feb 11, 2026, Copper Contributor

Can't Sign confidential documents
Hello, I have a problem. I want to send confidential contracts to customers for signing with Adobe DocuSign. These contracts have a label "confidential" from Purview and are encrypted. But now the customer can't sign the contract with DocuSign because of the encryption. Is there a way that they can sign the document? We must encrypt the documents because of compliance reasons and ISMS. Thank you.

matthias08, Feb 11, 2026, Copper Contributor

Adaptive Scope
I created an adaptive scope in which I use CustomAttribute10 -eq "Leaver" to build the user scope. The accounts are hybrid AD accounts, wherefore we need to populate ExtensionAttribute10 with the string "Leaver". The on-prem AD account is updated accordingly:

Set-ADUser $User.DistinguishedName -Add @{ExtensionAttribute10="Leaver"}

The extension attribute has been added to the Entra ID sync, in which the attribute is synced to Entra ID. When I verify the synced account in Entra ID, I can verify that custom attribute 10 is indeed synced to Entra ID:

(Get-MgUser -Filter "DisplayName eq '$($AdUser.Name)'" -Property OnPremisesExtensionAttributes | Select-Object -ExpandProperty OnPremisesExtensionAttributes).ExtensionAttribute10
Leaver

This is my adaptive scope:

Get-AdaptiveScope | Select-Object FilterConditions

FilterConditions
----------------
{"Conditions":[{"Value":"Leaver","Operator":"Equals","Name":"CustomAttribute10"}],"Conjunction":"And"}

I created the adaptive scope about a week ago, so it should be populated. However, when I check my scope, it is still empty. What did I miss?

TherealKillerbe, Feb 10, 2026, Brass Contributor

Issue with the downgrading label
Hello, We are experiencing an issue with sensitivity labels configured for SharePoint using Confidential – Encrypted. When User A uploads a file with this label applied automatically from the SharePoint library, User B is unable to downgrade the label to a different one and receives an error message. We have confirmed that both User A and User B have the same permissions (Co-author access) to the file and location. Could you please advise what might be causing this or what additional permissions or configuration may be required? Any help would be much appreciated.

Solved. miro2022, Feb 09, 2026, Copper Contributor

Different Retention Policies for Active/Inactive Mailboxes
Cloud Environment: Azure GOV tenant, GCC-High.

Users are licensed with:
- MS365 E3 - GCCHIGH
- MS Defender for Office365 (Plan 1) - GCCHIGH
- Windows 10/11 Enterprise E5 - GCCHIGH

Hybrid Identity: Users are synced from AD DS to Entra ID via Entra Connect. Thus, we set various identity attributes, like "Department", using the AD DS attribute editor. Confirmed the "Department" attribute is syncing correctly to Entra ID.

Purview Adaptive scopes:
- Active Mailboxes (user), OPATH query: (IsInactiveMailbox -eq "False")
- Inactive Project Staff (user), OPATH query: (IsInactiveMailbox -eq "True") -and (Department -eq "project staff")
- Inactive Contract Staff (user), OPATH query: (IsInactiveMailbox -eq "True") -and (Department -eq "contract staff")

Purview Data Lifecycle Management, Retention policies:
- Default Data Retention (Exchange mailboxes) - Adaptive scope "Active Mailboxes", Retention: keep content for 7 years, then do nothing.
- Inactive Project Staff (Exchange mailboxes) - Adaptive scope "Inactive Project Staff", Retention: keep items for 3 years, then delete items automatically.
- Inactive Contract Staff (Exchange mailboxes) - Adaptive scope "Inactive Contract Staff", Retention: keep items for 1 year, then delete items automatically.

Desired Outcome: All active staff, regardless of Department attribute, have the "Default Data Retention" policy applied to their mailbox, so that when their account is deleted in AD DS (soft deleted in Entra ID after the Entra Connect sync), their mailbox goes to the inactive state. Then, when the mailbox is inactive, the "Inactive" retention policy is automatically applied depending on what their Department attribute was before their Entra ID identity got soft deleted by the Entra Connect sync.

Problem/Questions: We tried this for 1 user account, and although the Default Data Retention policy was applied before the user was soft deleted, the Inactive Project Staff policy was never applied (waited 4 days). This test user didn't have any licenses assigned to them when we tried this, unfortunately. Could this be the reason why the Inactive Project Staff policy was never applied? When they were soft deleted, their mailbox was visible in Purview "Inactive mailboxes". Will adaptive scope retention policies still be applied to inactive mailboxes if that adaptive scope relies on an Entra ID attribute, like "Department"? I assume this Entra ID attribute is somehow stored in the now inactive mailbox.

dbecker88, Feb 06, 2026, Copper Contributor

Justification not triggered when downgrading between sublabels under same parent label
Hi all, I am looking for confirmation of expected behaviour with Microsoft Purview sensitivity labels and justification. We have justification enabled in our sensitivity label policy. When a user changes a label between labels that belong to the same label group, no justification prompt appears. When a user changes from a label in one label group to a label in a different label group, the justification prompt does appear as expected. Is this behavior by design? Specifically, does Microsoft treat the label group as the enforcement boundary for downgrade justification, meaning justification is not evaluated when moving between labels within the same group, even if effective protection is reduced? If this is expected, is there any supported way to require justification when downgrading between labels in the same label group? Thank you!

[HELP] "Action required for browser protections" alert
Hello! I have an Endpoint DLP policy with the Devices location. After several scoping changes (device groups, inclusions/exclusions) to narrow it to a specific target group, the orange alert appeared: "Action required for browser protections. One or more policies were not applied in Edge for Business. This could be due to a policy sync issue, lack of required permissions, or an issue with the server. Either resync these policies or contact an admin with the required permissions to resync. After resyncing, you might still see this message for up to 1 day while the system completes the sync and activates protections." The policies were working before. I clicked Resync multiple times, only for the error to return. Please help!

Devincit, Feb 05, 2026, Copper Contributor

[HELP] "Action required for browser protections" alert
Hello! I have an Endpoint DLP policy with the Devices location. After multiple scoping changes (device groups, inclusions/exclusions) to narrow it to a specific target group, the alert appeared: "Action required for browser protections. One or more policies were not applied in Edge for Business. This could be due to a policy sync issue, lack of required permissions, or an issue with the server. Either resync these policies or contact an admin with the required permissions to resync. After resyncing, you might still see this message for up to 1 day while the system completes the sync and activates protections." The policies were working before. I clicked Resync multiple times; the banner disappears briefly, only to return. Please help!

Devincit, Feb 05, 2026, Copper Contributor

Purview Data Map scanning Microsoft Fabric and no classifications applied or scan rule sets
Microsoft Purview cannot currently apply built-in or custom classifications (including sensitive information types) to metadata discovered from Microsoft Fabric workspace scans. While Purview can register Fabric workspaces and extract structural metadata (workspaces, Lakehouses, Warehouses, tables, columns, and limited lineage), classification rules are not executed against Fabric assets in the same way they are for supported sources such as Azure SQL, ADLS Gen2, or on-prem databases. This results in classification gaps across a core enterprise analytics platform.

Why This Is a Significant Service Omission
1. Breaks the Core Value Proposition of Purview
2. Undermines Regulatory and Risk Management Controls
3. Creates an Inconsistent Governance Experience
4. Blocks Downstream Purview Capabilities
5. Forces Anti-Patterns and Workarounds

The lack of automated classification support for Microsoft Fabric workspace data represents a material service omission in Microsoft Purview, significantly limiting its effectiveness as a unified data governance platform and introducing avoidable compliance, operational, and assurance risks, particularly in regulated environments. Are there plans to improve this and, if so, what are the timescales?

AdamPurviewPro, Feb 04, 2026, Copper Contributor