AADSTS50020: protected PDF issue for external users
I have been recently (don't know when it was started) observed getting error from protected PDF (sensitivity label with user defined permission) file while trying to open that pdf via AIP viewer mobile app (Android/iOS) AS external user (who has permission to open/view). No issue with Office file types protected. external (not internal, not guest) user (currently testing with gmail.com account, other O365 tenant user) getting error as attached from AIP view mobile app. We do have AIP excluded at conditional access policy which helped so far to avoid this problem for external users. Is there been any recent change in behavior around user defined protected PDF? Since user having problem is external, have no clue where to look for log and start investigation. Error code: AADSTS50020
Inbound Screening & PCI-DSS
PCI-DSS frowns on having credit card numbers and related information in systems not otherwise in scope. Yet we sometimes have law enforcement asking for us for researching by these very terms; they send these sometimes via E-mail. I wonder therefore whether Exchange can screen using DLP policies, with the intent of adding controls, such as masking or adding "no forwarding, no printing," and so on. Possible? Advisable?Sharing: PDF readers that support Purview labels
As I was researching on Adobe Acrobat reader and Sensitivity labels, I decided to check if the common alternative PDF readers out there are able to support Purview MIP Sensitivity labels. There is already a published documentation on this for SharePoint-Compatible PDF readers that supports Microsoft IRM: https://learn.microsoft.com/en-us/purview/sp-compatible-pdf-readers-for-irm (last updated Nov-2023) but I wanted to see if these same PDF readers supports the ability for end-users to use/ select labels similar to that of Adobe Acrobat As of 11-June-2025; atleast one of them clearly do: Nitro PDF: Yes. Documentation shows that users can see and use the sensitivity labels. PDF -X.change Editor: Yes. Documentation show that users can see and use the sensitivity labels. (check the official website, I can't hyperlink it because the site is blocked. FOX PDF editor: No. Documentation only states RMS and not clear if it show Purview labels. This is for F.O.X.I.T editor (spelled without the ".") but for some reason there is a community ban on that word and it won't allow me to post the full name PDFescape: No. Sumatra PDF: No Okular: No If there are other PDF readers that I've missed, I encourage you list it down in the comment below. Would love to grow this list.Export MDCA policy matches information via web console or API
Hi Everyone, This is my maiden post and thought this community to be able to give me guidance and help on my situation. I have created a policy to detect file violations using defender for cloud apps (previously MCAS), and the total count has reached approx. 1.2 million for specific Azure Info Protection (AIP) labels that matches the files stored on OneDrive and SharePoint Online. I'd like to export the records in an efficient manner, and I've explored: 1) via website, which limits to 5,000 records onto csv file 2) via Graph API which limits to 100 records every 2-seconds based on API calls limit imposed system wide Both are not working out, as (1) I can't live with 5,000 records, and the work around would be to implement an RPA via say PowerAutomate desktop or UI Path to do some form of web-scraping to download records and changing the advanced filters to a modified date range... even then, I am not quite sure how to do this yet, and if someone out there knows it, do let me know so that I can attempt to figure out via self-learning. Option (2) which is the method I've attempted, is futile as the process is inconsistent and I am continuously facing errors every time I execute scripts to download the records and export them onto the csv file. I'd like to know if anyone in the community has a better way/approach for me to deal with this situation. I tried to segregate my policy by the year of detection (2020, 2021 and 2022), and I am seeing 500k records for 2022, and 300k records for 2021, likely another 400k records for 2020 and before. I am quite stuck at the moment and would appreciate if anyone have any ideas on how to deal with exporting the information captured in the policy which I've created to detect file violations on the tenant. Caroline_Lee GershonLevitz-MSFT for visibility and recommendations.. 🙂
AIP Policies - What determines the order fo the policies? Example?
You can move AIP policies up and down. So it seems the order matters. What is an example where I would need to pay attention to the order and what does it determine? For example my users would get 3 policies: - the standard (global) policies für all company users (e.g. public, internal, confidential, restricted (protected)) - a department policy (Sales Restricted (protected)) - a policy allowing some users customized protection Would this also be the recommended order? Thanks, Franck
Show AIP Administration Page or PowerShell for tracking document in Microsoft 365
Hi, All I have questions about AIP (Azure Information Protection) in Microsoft 365. When we want to track and revoke documents as we applied , we can go to https://portal.azurerms.com as AIP document tracking site, but in this site it looks track and revoke only user own documents, but if global administrator with full authority about AIP wants to check or search documents status protected by AIP to share all users, how can he check it? Does it any something workplace? Even if I checks docs about AIP , I just only check document tracking site for not global administrator but user. Also when I go to AIP workplace in security compliance workplace, I am not sure. Please help me.
