purview
265 Topics

Lifecycle using Custom Protection with Purview Sensitivity Labels

IMHO, usage of Purview Sensitivity Labels with custom protection lacks some very basic functionality to complete a document's lifecycle and meet basic governance requirements. I focus on the document lifecycle process and not on plain technical weaknesses of the product like missing telemetry on protection changes, etc.

Problem: A team of users handling strictly confidential content agrees to always assign at least two owners beside other users with document-specific roles (Editor, Restricted Editor, Viewer). Over time:

- the team may grow and new members join the team in a specific team role --> new users have no access to individually assigned roles on a per-document basis
- some users leave the team --> this user imposes a problem, because he no longer meets the conditions of the need-to-know principle --> this is a problem
- or leave the company --> this user will hopefully lose their account and will no longer have access to the content --> depending on compliance requirements, the user could be removed from the document access list

Compliance requirement: "Who potentially has access to the content of document top-secret.docx, with what role per document (Owner, Editor, Restricted Editor, Viewer)?" --> to my limited knowledge, currently no existing tool I know of can do this task.

Solutions (wicked and not really satisfactory):

- use PowerShell to bulk-update, assigning an owner and a list of members of a single role --> all existing individual assignments are lost; PS overwrites the existing protection description with the submitted limited assignments
- use the MIP Client to do some bulk labelling in future releases
- https://github.com/OlaProeis/FileLabeler is a very nice PowerShell-based solution with the above limitations of the Purview PowerShell Module

I created a command line tool using the MIP SDK targeting custom protection labels only (all the rest can be done using PowerShell, e.g. OlaProeis' tool).

Current status: pilot / basic tests of all assignments done.

Generally:

- it always scans a given local folder and its subfolders
- all assignments are applied using the submitted parameters to all custom protected documents protected by one single label GUID
- multiple actions can be applied in one run, meaning --add..., --remove..., --addAs..., etc. in one single call
- all documents are preserved, meaning they are 1:1 available untouched, and copies with a submitted trailer in the file name are created in the same folder as the original to have a safe fallback

Actions:

--addAccessAs <Source e-mail 1, target e-mail 1, target e-mail 2 [,target e-mail n] ; Source e-mail 2, target e-mail 5 [,target e-mail n]>
    add a list of e-mails with the role of the first e-mail; multiple assignments separated by ";"
--SetOwner <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
    list of e-mails; the first will be set as Owner on the document, consecutive members of the list will be placed in the list of owners. Any existing Owner is overridden
--AddOwner <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
    the listed e-mails are removed from all other roles of the document and then added to the list of owners
--RemoveAccess <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
    e-mails are removed from any document access list
--AddEditor <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
--AddRestrictedEditor <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
--AddViewer <e-mail 1, e-mail 2, e-mail 3 [,e-mail n]>
--TenantGUID
--AdHocLabelID
--ClientID (ClientID, your EnterpriseApp GUID)
--InputFolder
--LogFileLocation
--OutputFileTrailer <_mipupd> --> originalFile.docx --> originalFile_MIPUPD.docx
--ListRightAssignments
    assignments are read out of each document protected by this very label GUID, plus some metadata including cmd params, user, datetime etc.
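As an added illustration (not the tool's code; the post does not show its MIP SDK implementation), the following Python models the rights-assignment semantics the actions list describes: it parses a constructed sample in the shape of the --ListRightAssignments output and applies --addAccessAs, --AddOwner and --RemoveAccess to an in-memory access list, the dry run an admin would attach to the ticket before any protected document is touched. All e-mail addresses are constructed.

```python
import re

# Constructed sample in the shape of the tool's --ListRightAssignments output
# (the real post redacts the addresses; these are made up).
SAMPLE_LISTING = """\
Document : C:\\temp\\N01\\y6qld_internal-to-strictly.docx
Owner : alice@example.com
0) Rights:DOCEDIT, EDIT, EXTRACT, PRINT, VIEW | Users:bob@example.com, carol@example.com
1) Rights:OWNER | Users:alice@example.com
2) Rights:VIEW | Users:dave@example.com
"""
ENTRY = re.compile(r"^\d+\) Rights:(?P<rights>[^|]+)\| Users:(?P<users>.+)$")

def parse_listing(text):
    """Return {user: frozenset(rights)} from one document's listing block."""
    acl = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # Document/Owner header lines and separators
        rights = frozenset(r.strip() for r in m["rights"].split(","))
        for user in (u.strip().lower() for u in m["users"].split(",")):
            acl[user] = acl.get(user, frozenset()) | rights
    return acl

def add_access_as(acl, spec):
    """--addAccessAs: 'src, tgt1, tgt2 ; src2, tgt3' grants targets the source's rights."""
    for group in filter(None, (g.strip() for g in spec.split(";"))):
        src, *targets = [p.strip().lower() for p in group.split(",") if p.strip()]
        if src not in acl:
            raise ValueError(f"source {src} has no rights on this document")
        for target in targets:
            acl[target] = acl[src]
    return acl

def add_owner(acl, users):
    """--AddOwner: drop the user from every other role, then grant OWNER."""
    for user in (u.strip().lower() for u in users):
        acl[user] = frozenset({"OWNER"})
    return acl

def remove_access(acl, users):
    """--RemoveAccess: remove the user from every access list."""
    for user in (u.strip().lower() for u in users):
        acl.pop(user, None)
    return acl

def who_has_access(acl):
    """Audit view answering 'who can do what': sorted (user, rights) pairs."""
    return sorted((u, ", ".join(sorted(r))) for u, r in acl.items())
```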
----------------------------------------------------------------------------------------------------------------------------------------
--InputFolder C:\temp\N01 --LogFileLocation c:\temp\ --ListRightAssignments
================================================================================
$$$ file: C:\temp\N01\Non business Doc.docx is either not labelled or not protected $$$
--------------------------------------------------------------------------------
$$$ file: C:\temp\N01\Presentation.pptx is either not labelled or not protected $$$
--------------------------------------------------------------------------------
Assignments read by username: email address removed for privacy reasons / 11-02-2026 21:14:46
Document : C:\temp\N01\y6qld_internal-to-strictly.docx
Owner : email address removed for privacy reasons
0) Rights:DOCEDIT, EDIT, EXTRACT, PRINT, VIEW | Users:email address removed for privacy reasons
1) Rights:OWNER | Users:email address removed for privacy reasons
2) Rights:VIEW | Users:email address removed for privacy reasons
--------------------------------------------------------------------------------

--ProcessAssignment with the following actions
Parameters

With this tool we can meet basic compliance requirements regarding a rights audit trail, and we can support the document lifecycle of users. Said all this, the tool is meant to be used by the corresponding admins only, behind a well-defined workflow integrated in a ticketing system. All logs produced are part of the assignment and must be kept altogether to guarantee the audit trail.

One note at the end: the App Registration is configured in delegated mode, meaning that administrators must assign the MIP superuser role to themselves as part of the ticket, which thus respects audit trail requirements. Generally this functionality may put a high risk on protected data. Therefore it is highly recommended to design the workflow around the tool in the first place, together with your legal dept., to include all their requirements, possibly including them in the approval workflow before even touching the crown jewels of your organization. This may not be the holy grail, but at least a pilot starting point to become lifecycle ready with MIP custom protection. Comments welcome.

Max

Default Sensitivity Label to be added to migrated files (from Local Network Server)
Hi Experts, We are migrating our file-sharing services from a local network file server to MS Teams/SPO. The requirement is to enable and give default sensitivity labels to the migrated files. Manually assigning sensitivity labels to over a TB of files is hectic and could be prone to error as well. MS Purview MIP labels and label policies are configured; however, at present, only new documents and/or revised files are having the sensitivity labels assigned. Any suggestions, guides, and tips will be highly appreciated. Thanks, Rhey

Can't Sign confidential documents
Hello, I have a problem. I want to send confidential contracts to customers for signing with Adobe DocuSign. These contracts have a "confidential" label from Purview and are encrypted. But now the customer can't sign the contract with DocuSign because of the encryption. Is there a way that they can sign the document? We must encrypt the documents for compliance reasons and ISMS. Thank you.

Justification not triggered when downgrading between sublabels under same parent label
Hi all, I am looking for confirmation of expected behaviour with Microsoft Purview sensitivity labels and justification. We have justification enabled in our sensitivity label policy. When a user changes a label between labels that belong to the same label group, no justification prompt appears. When a user changes from a label in one label group to a label in a different label group, the justification prompt does appear as expected. Is this behavior by design? Specifically, does Microsoft treat the label group as the enforcement boundary for downgrade justification, meaning justification is not evaluated when moving between labels within the same group, even if effective protection is reduced? If this is expected, is there any supported way to require justification when downgrading between labels in the same label group? Thank you!

[HELP] "Action required for browser protections" alert
Hello! I have an Endpoint DLP policy with Device location. After several scoping changes (device groups, inclusions/exclusions) to narrow it to a specific target group, the orange alert appeared:

"Action required for browser protections. One or more policies were not applied in Edge for Business. This could be due to a policy sync issue, lack of required permissions, or an issue with the server. Either resync these policies or contact an admin with the required permissions to resync. After resyncing, you might still see this message for up to 1 day while the system completes the sync and activates protections."

The policies were working before. Clicked Resync multiple times, only for the error to return. Please help!

Encryption disappears in Outlook - Sensitivity Label not working
Hello everyone, we implemented Sensitivity Labels at our client and have inconsistent and unexpected behavior we cannot explain. Maybe some of you can help or have ideas on what's going on:

Scenario / Use Case

A customer is using Sensitivity Labels to encrypt emails in Exchange Online. Label configuration:

- The sensitivity label applies encryption
- The label is scoped (published) to a Microsoft 365 group
- User A and User B are members of this Microsoft 365 group and therefore can apply the label
- Users are licensed with M365 Business Premium
- The label is published and available to User A and User B (members of the above M365 group)
- User C is an external recipient and not included in the label's publishing scope

Observed Behaviors

Scenario 1 - Encryption Lost When Forwarded Externally

- User A (internal) sends an email to User B (internal) using a sensitivity label that applies encryption.
- User B receives the email correctly: the lock icon in Outlook is displayed, the message is encrypted as expected.
- User B forwards the email to User C (external).
- User C receives the forwarded email unencrypted: no lock icon is shown, User C can read the entire conversation history, including content that was previously encrypted.

Scenario 2 - Encryption Disappears Within an Internal Email Conversation

In addition to the external forwarding scenario, we are also observing the following behavior within an internal email thread:

- User A sends an encrypted email to User B using the sensitivity label.
- User B replies to User A: the reply remains encrypted.
- User A replies again within the same conversation.
- Suddenly, the encryption disappears: the lock icon is no longer shown, and the message and the full conversation history are no longer protected.

This happens without any user action to remove or change the sensitivity label.

Key Observation

Both scenarios occur intermittently:

- Sometimes encryption behaves as expected
- Sometimes encryption disappears "out of nowhere"

The behavior is not reliably reproducible, which makes troubleshooting very difficult. Any help is appreciated!

Datascan not picking up the schema of .parquet files ParquetFormat JavaInvocationException happened
For about a week we have had a problem with our datascan on ADLS not picking up the schema of .parquet files. It does pick up the asset but not the schema of said asset. The parquet files are perfectly readable and writeable with Fabric/Spark. Purview had no issue picking them up before last week, but it seems that something has changed on the Microsoft side? Anyone else facing these issues recently?

2026-02-02T06:21:47.116Z,SystemError,ReadData,https://xxx.dfs.core.windows.net/landingzone/masterdata/someotherfile.parquet,ParquetFormat JavaInvocationException happened,ScanErr0000

Scaling Data Governance - Does a Purview in a Day Framework Exist?
Hello Purview Community, I've been exploring the available acceleration resources for Microsoft Purview, and one thing I noticed is a potential gap in the "In a Day" workshop series. While we have excellent programs like Power BI in a Day or Fabric in a Day, I haven't yet seen a formalized Purview in a Day framework designed to help organizations jumpstart their governance journey in a single, cohesive session. I am reaching out because my team is currently preparing something in this area that we believe will be very useful to the community and Microsoft in the future. Rather than working in isolation, we want to ensure we are aligned with the official roadmap. I wanted to reach out to the community and the Microsoft product team to ask: Is there an official "In a Day" initiative for Purview currently in the works? If not, who would be the best point of contact to discuss alignment? Looking forward to hearing your thoughts and seeing if we can build something impactful together!

Label group migration - existing files labelled with former parent labels
Hi, I have a question about behavior during migration from legacy parent labels to label groups. Historically, we were allowed to apply parent labels directly to content. In our environment, we have an existing parent label called PUBLIC which has sublabels. PUBLIC itself has content encryption configured, so during migration it will be recreated as a sublabel within a label group. As a result, there are existing files that are currently labelled simply as PUBLIC (applied back when parent labels could be used directly). Post-migration, we plan to de-publish this newly created PUBLIC sublabel from user-facing policies. My question is about what happens to those existing files during and after the migration. Will files that are already labelled as PUBLIC automatically be updated to a specific label within the label group, such as PUBLIC/PUBLIC, or will they remain labelled as PUBLIC with no automatic relabelling? In other words, does the label group migration perform any automatic relabelling of existing content, or does it only affect label structure and publication going forward?