[HELP] "Action required for browser protections" alert
Hello! I have an Endpoint DLP policy with Device location. After several scoping changes (device groups, inclusions/exclusions) to narrow it to a specific target group, the orange alert appeared: Action required for browser protections. One or more policies were not applied in Edge for Business. This could be due to a policy sync issue, lack of required permissions, or an issue with the server. Either resync these policies or contact an admin with the required permissions to resync. After resyncing, you might still see this message for up to 1 day while the system completes the sync and activates protections. The policies were working before. Clicked Resync multiple times, only for the error to return. Please help!
Datascan not picking up the schema of .parquet files ParquetFormat JavaInvocationException happened
Since about a week we have a problem with our datascan on ADLS not picking up the schema of .parquet files. It does pick up on the asset but not on the schema of said asset. The parquet files are perfectly readable and writeable with Fabric/spark. Purview had no issue picking them up before last week, but it seems that something has changed on the Microsoft side? Anyone else facing these issues recently? 2026-02-02T06:21:47.116Z,SystemError,ReadData,https://xxx.dfs.core.windows.net/landingzone/masterdata/someotherfile.parquet,ParquetFormat JavaInvocationException happened,ScanErr0000
Email to external(trusted user) not require verify user Identity(with Google or One-time passcode)
Dear Expert and Community, I am starting with MS Purview - Data Loss Prevention. I have one point to clarify and seek your advise / comment / contribute or sharing good practice regarding with below: - Firstly, we can send email to externally user contain sensitive information, it is encryption or blocked (result: worked as expected). If remail encrypt, the external receiver require verify the Identity via sign in with google acc / with a one time password. - Second: we plan sending email to external user (only trusted user / domain). Is it possible, do not require these scope user reverify their Identity again and again? If yes, how to do it? If not - why? Well appreciated for update and supporting. Thanks,Can´t Sign confidential documents
Hello, I have a problem. I want to send confidential contracts to customers for signing with Adobe DocuSign. This contracts have a label "confidential" from purview and are encrypted. But now the customer cant sign the contract with DocuSign because of the encryption. Is there a way that they can sign the document? We must encrypt the documents because compliance reasons and ISMS. Thank you.
Lifecycle using Custom Protection with Purview Sensitivity Labels
Organizations using Purview Sensitivity Labels with custom protection face a fundamental governance challenge: there is no lifecycle‑ready way to maintain, audit, or update per‑document user rights as teams evolve. This affects compliance, need‑to‑know enforcement, and operational security. Document lifecycle challenges Team growth: new members do not inherit document‑specific rights. Team shrinkage: departing members retain access unless manually removed. Employee offboarding: accounts are disabled, but compliance may require explicit removal from protected documents. Audit requirements: organizations need to answer “Who has what rights on document X?” — and today, no native tool provides this for custom‑protected files. Existing method Limitation Purview PowerShell Overwrites all existing assignments; no granular updates MIP Client Not yet capable of bulk lifecycle operations OlaProeis/FileLabeler Great tool, but limited by the same PowerShell constraints What the tool enables Rights audit trail per document Controlled lifecycle updates (add/remove/transfer rights) Preservation of original files for rollback Multi‑action batch processing Admin‑only delegated workflow with MIP superuser role Full logging for compliance Supported operations ListRightAssignments – extract all rights from each document under a given label GUID SetOwner / AddOwner – assign or add owners AddEditor / AddRestrictedEditor / AddViewer – role‑based additions RemoveAccess – remove any user from all roles AddAccessAs – map one user’s role to one or more new users Multi‑action execution – combine operations in a single run Safe mode – original files preserved; updated copies created with a trailer Because this tool can modify access to highly sensitive content, it must be embedded in a controlled workflow: ticket‑based approval, delegated admin, MIP superuser assignment, and retention of all logs as part of the audit trail. This ensures compliance with need‑to‑know, separation of duties, and legal requirements. I would appreciate feedback from the community and Microsoft product teams on: whether similar lifecycle capabilities are planned for Purview whether the MIP SDK is the right long‑term approach how others handle custom‑protected document lifecycle today interest in collaborating on a more robust open‑source version MaxDefault Sensitivity Label to be added to migrated files (from Local Network Server)
Hi Experts, We are migrating our file-sharing services from a local network file server to MS Teams/SPO. The requirement is to enable and give default sensitivity labels from the migrated files. Manually assigning sensitivity labels in over a TB of files is hectic and could be prone to error as well. MS Purview MIP labels and label policies are configured, however, at present, only new documents and/or revised files are only having the sensitivity labels assigned. Any suggestions, guide, and tips will be highly appreciated. Thanks, Rhey
Justification not triggered when downgrading between sublabels under same parent label
Hi all, I am looking for confirmation of expected behaviour with Microsoft Purview sensitivity labels and justification. We have justification enabled in our sensitivity label policy. When a user changes a label between labels that belong to the same label group, no justification prompt appears. When a user changes from a label in one label group to a label in a different label group, the justification prompt does appear as expected. Is this behavior by design? Specifically, does Microsoft treat the label group as the enforcement boundary for downgrade justification, meaning justification is not evaluated when moving between labels within the same group, even if effective protection is reduced? If this is expected, is there any supported way to require justification when downgrading between labels in the same label group? Thank you!Encryption disappears in Outlook - Sensitivity Label not working
Hello everyone, we implemented Sensitivity Labels at our client and have iconsistent and unexpected behavior, we cannot explain. Maybe some of you can help or have ideas on whats going on: Scenario / Use Case A customer is using Sensitivity Labels to encrypt emails in Exchange Online. Label configuration: The sensitivity label applies encryption The label is scoped (published) to a Microsoft 365 group User A and User B are members of this Microsoft 365 group and therefore can apply the label User are licensed with M365 Business Premium The label is published and available to User A and User B (member of above M365 group) User C is an external recipient and not included in the label’s publishing scope Observed Behaviors Scenario 1 – Encryption Lost When Forwarded Externally User A (internal) sends an email to User B (internal) using a sensitivity label that applies encryption. User B receives the email correctly: The lock icon in Outlook is displayed, the message is encrypted as expected User B forwards the email to User C (external) User C receives the forwarded email unencrypted: No lock icon is shown, User C can read the entire conversation history, including content that was previously encrypted Scenario 2 – Encryption Disappears Within an Internal Email Conversation In addition to the external forwarding scenario, we are also observing the following behavior within an internal email thread: User A sends an encrypted email to User B using the sensitivity label. User B replies to User A: The reply remains encrypted User A replies again within the same conversation Suddenly, the encryption disappears: The lock icon is no longer shown The message and the full conversation history is no longer protected This happens without any user action to remove or change the sensitivity label. Key Observation Both scenarios occur intermittently: Sometimes encryption behaves as expected Sometimes encryption disappears “out of nowhere” The behavior is not reliably reproducible, which makes troubleshooting very difficult. Any help is appreciated!Label group migration - existing files labelled with former parent labels
Hi, I have a question about behavior during migration from legacy parent labels to label groups. Historically, we were allowed to apply parent labels directly to content. In our environment, we have an existing parent label called PUBLIC which has sublabels. PUBLIC itself has content encryption configured, so during migration it will be recreated as a sublabel within a label group. As a result, there are existing files that are currently labelled simply as PUBLIC (applied back when parent labels could be used directly). Post-migration, we plan to de-publish this newly created PUBLIC sublabel from user-facing policies. My question is about what happens to those existing files during and after the migration. Will files that are already labelled as PUBLIC automatically be updated to a specific label within the label group, such as PUBLIC/PUBLIC, or will they remain labelled as PUBLIC with no automatic relabelling? In other words, does the label group migration perform any automatic relabelling of existing content, or does it only affect label structure and publication going forward?
