eDiscovery for email attachment with encrypted sensitivity labels
We are currently testing encrypted sensitivity labels in conjunction with eDiscovery. We applied an encrypted label to a document, and eDiscovery was able to successfully search for the content in both OneDrive and SharePoint. However, the same functionality does not appear to work for email attachments—the content of encrypted attachments is not searchable. Are there any specific settings or configurations that need to be enabled to support encrypted email attachments in eDiscovery? Thanks
Default Label and Justification Suddenly Stopped Working
Hi, Sometime last week, default labels for documents suddenly stopped working, it still works for emails. Also, there is a configuration where users have to provide a justification to lower a sensitivity label, that stopped working as well. This has all been in place since May and have always worked but just suddenly stopped working last week. I created a new label with the exact configuration to test, but that works perfectly. I have tried recreating the labels that do not work anymore, but nothing changed. Has anyone experienced this and how did you go about it. Thanks, AishatNew blog post: Is Your Data Ready for Microsoft 365 Copilot?
Is Your Data Ready for Microsoft 365 Copilot? Microsoft 365 Copilot is a game-changer for productivity, but here’s the catch: Copilot surfaces what users already have access to. If your governance isn’t in order, sensitive data could be exposed. In my latest blog, I share: ✅ How to prevent oversharing in Teams & SharePoint ✅ Why sensitivity labels are critical for Copilot ✅ How to monitor usage and avoid shadow AI ✅ Why you don’t need perfect governance to start 📖 Read the full blog: Microsoft 365 Copilot Data Readiness Checklist 👉 What’s your biggest challenge with Copilot readiness? Drop your thoughts below!STALE-FORGOTTEN/ABANDONED existing sensitive emails with sensitive information
Hello team, In my company we have stale emails from 200 which contain sensitive data like: SINs, Driver Licenses, invoices, etc. the users reject to delete those emails as they may needs for reference. i.e.: Use case: HR needs to keep sensitive email as reference if end-user update life insurance beneficiaries, this email must be kept as evidence of the user's request update. this kind of emails can't be removed. However, this emails without protection in the user's mailbox is only meat for the attackers. unfortunately, we can`t protect existing emails with auto-labeling. So, what is the best practice to take backup emails, secure the emails and remove those from un-secure storage like user`s mailbox. This case apply almost 100% to any organization, this is a problem for everyone. ------------------------------------------------------------------------------------------------------------------------------------------ My approach: eDiscovery download all sensitive emails discovered. Apply label using AIP UL client to the download *.msg which put the files *.pfile Create folder in HR user's OneDrive which the email will be removed. If the user needs to search for any email's metadata, he can search directly, or if they need to search using email's content, he manually should remove sensitivity label to all items inside the folder. After the search content in *.msg, the user should apply protection again. Fallback: If the user forget protect the sensitive emails, the idea is to run schedule script to check for *msg, if found, it will apply label using PS. I want to check any other approach best practice is recommended? Backup & Setup Global Admin (GA) prepares local backup: export saved as native *.msg files. Create & Secure the Evidence Folder GA connects to user’s OneDrive. GA creates folder: ArchivedSensitiveEmails. GA applies retention label (Record) to folder → prevents rename/move GA breaks inheritance → only the OneDrive owner (Edit) Upload & Protect GA uploads the backup emails (*.msg) into the new folder. GA applies sensitivity label (Viewer-only) → user can open but not print/copy/forward. Now all items are protected as *.msg.pfile. User Workflow (On-Demand Search) User may remove protection on a file/folder to perform keyword search on native .msg. User is required to reapply protection after finishing the search (via Purview client). Automatic Weekly Enforcement Scheduled PowerShell job runs weekly across all OneDrives. Script scans ArchivedSensitiveEmails folder for unprotected .msg. If found → automatically applies encryption using the GA’s published sensitivity label. Access rights: only the OneDrive owner (Viewer) — optional HR group can also be added. Script deletes original .msg after creating .msg.pfile to enforce security. CSV log maintained for audit of actions (protected, skipped, errors). ------------------------------------------------------------------------------------------------------------------------------------------ So, what is the best practice or recommendation from Microsoft to protect the existing sensitive emails?Purview sensitivity label modernization Label grouping Roadmap ID: 386900
Hello team, Purview will implement a new way to organize labels: https://admin.microsoft.com/Adminportal/Home?#/MessageCenter/:/messages/MC1111778 https://www.microsoft.com/en-ca/microsoft-365/roadmap?id=386900 Do you know where can I get information about how this upgrade will impact the current taxonomy for sensitivity labels, I am using label, label parent and sublabels. I reviewed in microsoft learn without any information about this feature.Sharing: PDF readers that support Purview labels
As I was researching on Adobe Acrobat reader and Sensitivity labels, I decided to check if the common alternative PDF readers out there are able to support Purview MIP Sensitivity labels. There is already a published documentation on this for SharePoint-Compatible PDF readers that supports Microsoft IRM: https://learn.microsoft.com/en-us/purview/sp-compatible-pdf-readers-for-irm (last updated Nov-2023) but I wanted to see if these same PDF readers supports the ability for end-users to use/ select labels similar to that of Adobe Acrobat As of 11-June-2025; atleast one of them clearly do: Nitro PDF: Yes. Documentation shows that users can see and use the sensitivity labels. PDF -X.change Editor: Yes. Documentation show that users can see and use the sensitivity labels. (check the official website, I can't hyperlink it because the site is blocked. FOX PDF editor: No. Documentation only states RMS and not clear if it show Purview labels. This is for F.O.X.I.T editor (spelled without the ".") but for some reason there is a community ban on that word and it won't allow me to post the full name PDFescape: No. Sumatra PDF: No Okular: No If there are other PDF readers that I've missed, I encourage you list it down in the comment below. Would love to grow this list.Managing the Discoverability of Private Teams
Microsoft has a new approach to control private team discoverability. You can have all-in access by enabling discoverability through Teams policies or granular access by using sensitivity labels to control if private teams are discoverable or not. This article explains how both methods work. https://practical365.com/private-team-discoverability/
Speeding up Syncing changes across Purview - Sensitivity Labels
I have setup sensitivity labels across our organisation. What I would like to know is; is it possible to force a domain sync that would effect the changes that I have made quicker, whether the changes are on a label or a policy? At present, any changes that I make to a label take about 30min-1hr before they appear at the users end.
Unable to view PDF with sensitivity label
Hello, I am testing a confidential label with various settings, so far it works fantastically. When applying the [Confidential] label to a word file it works. However when I turn that Word document into a PDF and try to view it I am presented with the following screen: I input my email that also has an Acrobat Pro license and proceed. Then I am presented with the following login: When I press continue, quite literally, nothing happens. It just seems to get stuck in the login screen. Additionally if I do "open with" to the file I can view it normall on Microsoft Edge.
