Did you know the Azure Information Protection (AIP) client can now be used for co-authoring files with sensitivity labels? We cover this optional feature in this blog post, providing an overview of its advantages, prerequisites, and limitations. This allows organizations to make a conscious decision on whether to enable co-authoring for files with sensitivity labels.
Advantages of enabling Co-Authoring for files with sensitivity labels
This feature has mainly the following two advantages:
When saving new protected documents in OneDrive for Business, the documents can be immediately opened in Office Online. (When the feature is not enabled, it may take ten minutes or longer until the document is available in Office Online.)
Users with compatible rich clients are able to work simultaneously on a protected document stored in OneDrive or SharePoint Online.
Check this before enabling Co-Authoring on the tenant
(Information in this section was last checked in November 2021, see our documentation for updates.)
Please observe that the Office version requirements and other limitations listed here apply to all clients that handle labeled content – not only clients that will actually co-author protected documents.
Make sure that all Windows clients have a compatible version of Microsoft Apps for Enterprise installed. Both for Current Channel and for Monthly Enterprise Channel, version 2107 or higher is required. For Semi-Annual Enterprise Channel, version 2202 or higher is required. If you’re using AIP client, make sure the AIP unified labeling client version 12.62 or higher is installed.
All Mac users require Microsoft Apps for Enterprise version 16.51 or higher.
Office Mobile (iOS) apps must be on version 2.58 or higher and Office Mobile (Android) apps must be on version 16.0.14931 or higher.
The Double Key Encryption [DKE] feature must not be used/tested in the same tenant as long as the AIP Office add-in is active on clients working with DKE protected documents. Co-Authoring can be enabled on the tenant if you use exclusively Office built-in sensitivity labeling, which supports DKE starting with Current Channel version 2307 (Monthly Enterprise Channel and Semi-Annual Enterprise Channel versions to follow). Please observe that even with newer Office version, DKE protected documents cannot be co-authored, i.e. you can only co-author documents protected with a cloud key.
Make sure any custom services based on the MIP SDK are compatible with co-authoring, i.e. they are based on MIP SDK 1.7 or later.
Please observe that the metadata location for label information changes after enabling co-authoring on the tenant – you will no longer find the label information in Office custom properties. More details on the changed location for storing label information can be found in our documentation.
As described here, documents cannot be co-authored if they’re either protected with user-defined permissions or if they have User access to content expires set to a value other than Never.
There are also limitations related to the AIP feature removing external content marking in apps and Office 97-2003 format support (.doc, .ppt, and .xls) per our documentation.
Enable the feature on the tenant
Before enabling Co-Authoring, keep in mind that this feature cannot be disabled easily. A support case would be required for disabling Co-Authoring, which will take several days, and during this process you need to prove that you’re a global admin.
We suggest you double-check the prerequisites and limitations described in this blog post and the referenced documentation before enabling the feature since it can be disrupted if enabled without proper evaluation.
To enable the feature, perform the following steps:
Sign in to the Microsoft 365 compliance center as a global admin for your tenant.
From the navigation pane, select Settings > Co-authoring for files with sensitivity files.
Then select Turn on co-authoring for files with sensitivity labels, and Apply:
Due to a delay in replication, it’s suggested to wait 24 hours before using the Co-Authoring features in applications.
Disabling Co-Authoring requires you to raise a ticket with Microsoft support.
This request might take several days and you will need to prove that you are a global administrator for your tenant. Also expect the usual support charges to apply.