Information Protection Labels and OneDrive

Occasional Visitor

Howdy!

Recently we implemented the security and compliance center protections (AIP/MIP/DLP). One issue we have run into, that is slightly self-inflicted. We had to change two of our labels to remove the encryption option. However, I have found out that when you do that, any files that were already labeled using that label will retain the RMS protection template and protection.

I can remove the protection on-prem, but the big issue is now doing so to any/all files in our users' OneDrive locations. OneDrive is used for folder redirection for our end-users' documents folders.

Is there a way to essentially run Set-AIPFileLabel -RemoveProtection on OneDrive files?

2 Replies
Greetings @APMcWilly13,

Sorry I don't have an answer for relabeling down at scale. MS doco here https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view... says "Automatic labeling will replace a lower priority sensitivity label that was automatically applied, but not a higher priority label."

I infer that the problem is that users want to share/collaborate on a doc and the other party cannot open the encrypted content, or is there another problem this label is creating? With that problem statement in mind, since it became possible to co-author encrypted docs https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-w..., we encrypt all files by default. Users can then override the label by exception. Is enabling co-authoring a possible solution to your problem while leaving the label in place? Apologies if I have misunderstood the specifics of your problem.

Thanks, Ash

I don't see an equivalent of that command for SPO. In the PS cmdlet reference guide for SPO, https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/?view=sharepoint-ps, there's only one label-related removal cmdlet.
According to this doc
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-fil...
A global admin or SharePoint admin can run the Unlock-SPOSensitivityLabelEncryptedFile cmdlet, which removes both the sensitivity label and the encryption.

1: Go here and install the required PS modules for SharePoint Online.
https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online

2: This command will show you all the OneDrive sites within your Tenant, which gives you the path to docs in OD.
Get-SPOSite -IncludePersonalSite $true -Filter "Url -like '-my.sharepoint.com/personal/'" |ft

3: Here is where the wheels fall off. This command does not support wildcard characters. This command will remove the label from ONE doc. Sub out the FileUrl with a path from your list of OD sites.
Unlock-SPOSensitivityLabelEncryptedFile -FileUrl "https://contoso.com/sites/Marketing/Shared Documents/Doc1.docx" -JustificationText "Need to decrypt this file"
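
Because the cmdlet in step 3 takes one file URL at a time, the three steps above can be wrapped in a loop. The script below is an added example, not code from either reply or from Microsoft: it defaults to a dry run and writes a CSV record of every file it touches, since Unlock-SPOSensitivityLabelEncryptedFile removes the label as well as the encryption. Assumptions: the PnP.PowerShell module is used to list files, the running account is a site collection admin on each OneDrive, the library is titled "Documents", and the tenant URL, log path and justification text are placeholders.

```powershell
# Added example. Without -Apply nothing is changed; the CSV lists what would be unlocked.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',  # placeholder tenant
    [string]$LogPath  = '.\unlock-log.csv',                      # placeholder path
    [string]$Reason   = 'Label no longer applies encryption',    # placeholder text
    [switch]$Apply
)

Connect-SPOService -Url $AdminUrl

# Step 2 from the reply: every OneDrive site in the tenant.
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$results = foreach ($site in $sites) {
    # Assumption: add -ClientId if your PnP.PowerShell version needs an app registration.
    Connect-PnPOnline -Url $site.Url -Interactive
    $root = ([uri]$site.Url).GetLeftPart([System.UriPartial]::Authority)

    Get-PnPListItem -List 'Documents' -PageSize 500 |
        Where-Object { $_.FileSystemObjectType -eq 'File' -and
                       $_['FileLeafRef'] -match '\.(docx|xlsx|pptx)$' } |
        ForEach-Object {
            $fileUrl = $root + $_['FileRef']   # FileRef is server-relative
            $status = 'DryRun'; $detail = ''
            if ($Apply) {
                try {
                    # Step 3 from the reply, one file per call.
                    Unlock-SPOSensitivityLabelEncryptedFile -FileUrl $fileUrl `
                        -JustificationText $Reason -ErrorAction Stop
                    $status = 'Unlocked'
                } catch {
                    # Files that are not label-encrypted, or not accessible, land here.
                    $status = 'Failed'; $detail = $_.Exception.Message
                }
            }
            [pscustomobject]@{ Site = $site.Url; File = $fileUrl; Status = $status
                               Detail = $detail; When = (Get-Date).ToString('o') }
        }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Review the dry-run CSV before rerunning with -Apply, and keep the final CSV alongside the justification text as the change record.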