Guidance: Sensitivity Labels during Mergers & Acquisitions (separate tenants, non-M365, etc.)
We’re building an internal playbook for how to handle Microsoft Purview sensitivity labels during mergers and acquisitions, and I’d really appreciate any lessons learned or best practices. Specifically, I’m interested in how others have handled: Acquired organizations on a separate Microsoft 365/O365 tenant for an extended period (pre- and post-close): How did you handle “Internal Only” content when the two tenants couldn’t fully trust each other yet? Any tips to reduce friction for collaboration between tenants during the transition? Existing label structures, such as: We use labels like “All Internal Only” and labels with user-defined permissions — has anyone found good patterns for mapping or reconciling these with another company’s labels? What if the acquired company is already using sensitivity labels with a different taxonomy? How did you rationalize or migrate them? Acquisitions where the target does not use Microsoft 365 (for example, Google Workspace, on-prem, or other platforms): Any strategies for protecting imported content with labels during or after migration? Gotchas around legacy permissions versus label-based protections? General pitfalls or watch-outs between deal close and full migration: Anything you wish you had known before your first M&A with Purview labels in play? Policies or configurations you’d recommend setting (or avoiding) during the interim period? Any examples, war stories, or template approaches you’re willing to share would be incredibly helpful as we shape our playbook. Thanks in advance for any insights!
MIP SDK cannot read file labels if a message was encrypted by Outlook Classic.
C++ application uses MIP SDK version 1.14.108. The application does Office files decryption and labels reading. The problem with labels reading is observed. Steps to reproduce: Create a docx file with a label which does not impose encryption. Open Outlook Classic, compose email, attach the document from 1, click Encrypt, send. During message sending our application intercepts encrypted by Outlook docx file in temporary folder C:\Users\UserName\AppData\Local\Temp Application decrypts the intercepted file using mipns::FileHandler::RemoveProtection. Visual inspection demonstrates that decryption runs successfully. Then a separate FileHandler for decrypted file is created, and mipns::FileHandler::GetLabel() returns an empty label. It means that the label was lost during decryption. Upon visual inspection of the decrypted file via Word we can see that the label is missing. Also, we do not see MSIP_Label* entries in meta data (File -> Info -> Properties -> Advanced Properties -> Custom). Here is a fragment of MIP SDK reducted log during file handler creation ================= file_engine_impl.cpp:327 "Creating file handler for: [D:\GitRepos\ ...reducted]" mipns::FileEngineImpl::CreateFileHandlerImpl gsf_utils.cpp:50 "Initialized GSF" `anonymous-namespace'::InitGsfHelper data_spaces.cpp:415 "No LabelInfo stream was found. No v1 custom properties" mipns::DataSpaces::GetLabelInfoStream data_spaces.cpp:428 "No LabelInfo stream was found. No v1 custom properties" mipns::DataSpaces::GetXmlPropertiesV1 file_format_base.cpp:155 "Getting protection from input..." mipns::FileFormatBase::GetProtection license_parser.cpp:233 "XPath returned no results" `anonymous-namespace'::GetXmlNodesFromPath license_parser.cpp:233 "XPath returned no results" `anonymous-namespace'::GetXmlNodesFromPath license_parser.cpp:299 "GetAppDataNode - Failed to get ID in PL app data section, parsing failed" `anonymous-namespace'::GetAppDataNode api_log_cache.cpp:58 "{{============== API CACHED LOGS BEGIN ============}}" mipns::ApiLogCache::LogAllMessages file_engine_impl.cpp:305 "Starting API call: file_create_file_handler_async scenarioId=89fd6484-7db7-4f68-8cf7-132f87825a26" mipns::FileEngineImpl::CreateFileHandlerAsync 37948 default_task_dispatcher_delegate.cpp:83 "Executing task 'ApiObserver-0' on a new detached thread" mipns::DefaultTaskDispatcherDelegate::ExecuteTaskOnIndependentThread 37948 file_engine_impl.cpp:305 "Ended API call: file_create_file_handler_async" mipns::FileEngineImpl::CreateFileHandlerAsync 37948 file_engine_impl.cpp:305 "Starting API task: file_create_file_handler_async scenarioId=89fd6484-7db7-4f68-8cf7-132f87825a26" mipns::FileEngineImpl::CreateFileHandlerAsync file_engine_impl.cpp:327 "Creating file handler for: [D:\GitRepos\...reducted....docx]" mipns::FileEngineImpl::CreateFileHandlerImpl file_format_factory_impl.cpp:88 "Create File Format. Extension: [.docx]" mipns::FileFormatFactoryImpl::Create file_format_base.cpp:363 "V1 metadata is not supported for file extension .docx. Setting metadata version to 0" mipns::FileFormatBase::CalculateMetadataVersion compound_file.cpp:183 "Open compound file for read" mipns::CompoundFile::OpenRead gsf_utils.cpp:50 "Initialized GSF" `anonymous-namespace'::InitGsfHelper compound_file_storage_impl.cpp:351 "Get Metadata" mipns::CompoundFileStorageImpl::GetMetadata compound_file_storage_impl.cpp:356 "No Metadata, not creating GSF object" mipns::CompoundFileStorageImpl::GetMetadata metadata.cpp:119 "Create Metadata" mipns::Metadata::Metadata metadata.cpp:136 "Got [0] properties from DocumentSummaryInformation" mipns::Metadata::GetProperties compound_file_storage_impl.cpp:351 "Get Metadata" mipns::CompoundFileStorageImpl::GetMetadata compound_file_storage_impl.cpp:356 "No Metadata, not creating GSF object" mipns::CompoundFileStorageImpl::GetMetadata metadata.cpp:119 "Create Metadata" mipns::Metadata::Metadata metadata.cpp:136 "Got [0] properties from DocumentSummaryInformation" mipns::Metadata::GetProperties =================
How to apply sensitivity labels to external emails received in my Outlook?
I have created a sensitivity label and an auto-labeling policy that applies the label when an email contains sensitive information. When an internal user sends the email, the label is applied correctly. But when I receive an email with sensitive information from an external user, the label is not applied. How can I apply the sensitivity label to emails that come from external users?
Downgrading of encrypted label (User defined permission) in SPO to Desktop app
Hi I have a file stored in SharePoint that was originally labeled Restricted with user-defined encryption. When I open the word file from SharePoint using a desktop Office application and downgrade the label to Internal, the original encryption and permissions are still retained. This issue occurs only when opening the file from SharePoint into the desktop app—the previous protection settings persist even though the sensitivity label correctly updates to Internal. I’ve attached a screenshot for reference. Is there any official Microsoft documentation that explains why this behavior occurs and the underlying reason for it? Additionally, what is the recommended workaround if I want to fully remove user-defined permissions when downgrading the label? I have already tried reapplying the Internal label, but the file remains encrypted with the prior permissions.
eDiscovery for email attachment with encrypted sensitivity labels
We are currently testing encrypted sensitivity labels in conjunction with eDiscovery. We applied an encrypted label to a document, and eDiscovery was able to successfully search for the content in both OneDrive and SharePoint. However, the same functionality does not appear to work for email attachments—the content of encrypted attachments is not searchable. Are there any specific settings or configurations that need to be enabled to support encrypted email attachments in eDiscovery? Thanks
Default Label and Justification Suddenly Stopped Working
Hi, Sometime last week, default labels for documents suddenly stopped working, it still works for emails. Also, there is a configuration where users have to provide a justification to lower a sensitivity label, that stopped working as well. This has all been in place since May and have always worked but just suddenly stopped working last week. I created a new label with the exact configuration to test, but that works perfectly. I have tried recreating the labels that do not work anymore, but nothing changed. Has anyone experienced this and how did you go about it. Thanks, AishatNew blog post: Is Your Data Ready for Microsoft 365 Copilot?
Is Your Data Ready for Microsoft 365 Copilot? Microsoft 365 Copilot is a game-changer for productivity, but here’s the catch: Copilot surfaces what users already have access to. If your governance isn’t in order, sensitive data could be exposed. In my latest blog, I share: ✅ How to prevent oversharing in Teams & SharePoint ✅ Why sensitivity labels are critical for Copilot ✅ How to monitor usage and avoid shadow AI ✅ Why you don’t need perfect governance to start 📖 Read the full blog: Microsoft 365 Copilot Data Readiness Checklist 👉 What’s your biggest challenge with Copilot readiness? Drop your thoughts below!STALE-FORGOTTEN/ABANDONED existing sensitive emails with sensitive information
Hello team, In my company we have stale emails from 200 which contain sensitive data like: SINs, Driver Licenses, invoices, etc. the users reject to delete those emails as they may needs for reference. i.e.: Use case: HR needs to keep sensitive email as reference if end-user update life insurance beneficiaries, this email must be kept as evidence of the user's request update. this kind of emails can't be removed. However, this emails without protection in the user's mailbox is only meat for the attackers. unfortunately, we can`t protect existing emails with auto-labeling. So, what is the best practice to take backup emails, secure the emails and remove those from un-secure storage like user`s mailbox. This case apply almost 100% to any organization, this is a problem for everyone. ------------------------------------------------------------------------------------------------------------------------------------------ My approach: eDiscovery download all sensitive emails discovered. Apply label using AIP UL client to the download *.msg which put the files *.pfile Create folder in HR user's OneDrive which the email will be removed. If the user needs to search for any email's metadata, he can search directly, or if they need to search using email's content, he manually should remove sensitivity label to all items inside the folder. After the search content in *.msg, the user should apply protection again. Fallback: If the user forget protect the sensitive emails, the idea is to run schedule script to check for *msg, if found, it will apply label using PS. I want to check any other approach best practice is recommended? Backup & Setup Global Admin (GA) prepares local backup: export saved as native *.msg files. Create & Secure the Evidence Folder GA connects to user’s OneDrive. GA creates folder: ArchivedSensitiveEmails. GA applies retention label (Record) to folder → prevents rename/move GA breaks inheritance → only the OneDrive owner (Edit) Upload & Protect GA uploads the backup emails (*.msg) into the new folder. GA applies sensitivity label (Viewer-only) → user can open but not print/copy/forward. Now all items are protected as *.msg.pfile. User Workflow (On-Demand Search) User may remove protection on a file/folder to perform keyword search on native .msg. User is required to reapply protection after finishing the search (via Purview client). Automatic Weekly Enforcement Scheduled PowerShell job runs weekly across all OneDrives. Script scans ArchivedSensitiveEmails folder for unprotected .msg. If found → automatically applies encryption using the GA’s published sensitivity label. Access rights: only the OneDrive owner (Viewer) — optional HR group can also be added. Script deletes original .msg after creating .msg.pfile to enforce security. CSV log maintained for audit of actions (protected, skipped, errors). ------------------------------------------------------------------------------------------------------------------------------------------ So, what is the best practice or recommendation from Microsoft to protect the existing sensitive emails?Purview sensitivity label modernization Label grouping Roadmap ID: 386900
Hello team, Purview will implement a new way to organize labels: https://admin.microsoft.com/Adminportal/Home?#/MessageCenter/:/messages/MC1111778 https://www.microsoft.com/en-ca/microsoft-365/roadmap?id=386900 Do you know where can I get information about how this upgrade will impact the current taxonomy for sensitivity labels, I am using label, label parent and sublabels. I reviewed in microsoft learn without any information about this feature.
