Restricting Modification of Purview Labels
We have a use case where we have a set of files that are going to have a label applied (let's say for dicussion purposes the label that is being applied is "Highly Confidential") using the Azure Purview Scanner (although any method of applying the label should suffice for this use case). That label is not going to be made visually selectable/available to any Active Directory/Azure AD account (meaning it will not be visible to those account in MS Word, MS Excel, MS Powerpoint, Sharepoint or any other application where labeling has been made available and impacts the file itself). All Active Directory/Azure AD user accounts will have access to apply 3 additional labels of "Public", "Internal", and "Confidential" to files that do not meet the qualifiers to be labeled "Highly Confidential". We want a way of preventing any one of those user accounts from modifying or removing the label only when the label applied to the file is "Highly Confidential". We also need to be able to share a subset (this subset is not a fixed number of files) of the files that have the "Highly Confidential" label applied with external parties via Exchange Online. We have attempted to use the permissions made available in the Purview product today to help achieve our use case --- but that also means we have to apply encryption (there is no "OR" option). We have tried numerous methods of applying encryption and at the same time attempting to ensure that the external email experience is seamless (or at least consistent across platforms). Unfortunately, we have been unsuccessul to date (just not a great user experience). So, either we need a way of decoupling permissions and encryption (assuming that will even achieve our end goal) or an alternate solution which allows the user to apply one of the 3 labels I mentioned without the ability to remove/modify the "Highly Confidential" label where it is applied.Retention Labels - PowerAutomate integration doesn't support solution flows?
Hi there, As explained in the documentation here, you can now call a PowerAutomate flow when a retention label reaches the end of its retention period, which is great. However, based on my tests, this functionnality does NOT support flows that are part of a solution. It only works for flows created in "My Flows". Am I the only one thinking no serious enterprise would handle a process as big as tenant-wide retention using a "personal" flow created by a random user in "My Flows"? I would rather use a "corporate" flow that is packaged, service-principal-owned and deployed through staging environments using ALM best practices but somehow someone decided that solution flows weren't supported, which makes the functionality useless 😞 Anybody found a workaround to make it work with a solution flow? Thanks!
Edit sensitivity labels in bulk
I have a user with dozens of files that are tagged with sensitivity label 'Private \ Internal' but now wishes to share them to an external user. Obviously with this label external users are blocked from viewing the files, is there any way to bulk change these files to another sensitivity label we have called 'Private \ External' which would enable the external viewers to view them? essentially I'm asking if there is a bulk method to change files sensitivity labels from their original ones to a new one?Error Information Rights Management not configured
Hi Team. I deploy Microsoft Information Protection with sensitivity labels. After create labels, in both, Office clients and Web, show error: Information Rights Management not configured. For configure IRM, sign in Office, create message or document protected by IRM existing (Attach message in spanish). Trobleshooting: Migrate service Azure Information Protection to Microsoft Information Protection. Delete all labels migrated from AIP to MIP. Create new labels in MIP. Test in Word, Outlook client. Test in Word, Outlook web. Ideas for troubleshooting? Thanks,
Can you prevent the downgrade of a sensitivity label?
I know you can require a justification to downgrade a label to a less restrictive label, but can you prevent it? It seems a logical extension of this capability but I cannot find any articles to suggest this is possible. The only thing I can think of is to encrypt the label, and don't allow the "Edit rights". I am going to be testing this, but I was wondering if there is another (better) way.
