User Profile
IvanWilson
Iron Contributor
Joined 10 years ago
User Widgets
Recent Discussions
Microsoft removing EEEU sharing permissions
Microsoft have announced that they will be removing the permission assigned to the "Everyone Except External Users" group (EEEU) from the OneDrive site collection and default document library: https://mc.merill.net/message/MC1013464 This will happen between 10 April 2025 and 30 September 2025. My understanding is that this is to avoid the risk of over-sharing and for most people it will have minimal impact. Generally, internal users don't have read access to each other's OneDrive content. I've checked a few OneDrive accounts in different tenants. I have seen the EEEU group granted access at the OneDrive site collection level, but not at the library level. I've also seen instances where the EEEU group is not present at either the site collection or library level. Back in 2020, there was a message centre update https://office365itpros.com/2020/11/06/eeeu-onedrive-finished/ "Microsoft Removes EEEU Permission from OneDrive for Business Accounts" Is this just a final clean-up of OneDrive sites that still have this permission?3.3KViews0likes1CommentOnedrive and Prevent access to drives policy
I am working with clients that have enabled a group policy "Prevent access to drives from My Computer" as part of their security hardening process. This prevents them from accessing their OneDrive folder. The following article describes a workaround, but it results in a less secure setup. https://james-rankin.com/videos/using-onedrive-sync-client-with-c-drive-restrictions-and-a-bunch-of-handy-security-tips-too/ Has anyone solved this issue in the 4 years since this article? I've posted a suggestion to the OneDrive Feedback portal - https://feedbackportal.microsoft.com/feedback/idea/fd351968-79b0-ef11-95f5-6045bdbc7c39204Views0likes0CommentsError moving a file protected with a sensitivity label
I am seeing intermittent errors when trying to move a Microsoft Word file between sites. The file is protected with a sensitivity label that has encryption enabled. I'm using the "Move to" option within a SharePoint library. The full error message is below. The text was extracted from a screenshot, so may not be 100% accurate. 1 item wasn’t moved Cannot protect. Error code is: 00000000. CallStack - - at Microsoft SharePoint.SPGlobal.HandleComException(COM Exception comEx) at Microsoft.SharePoint.Library.SPRequest.GetFileAsSt ream(String bstrUrl, StorePath bstrWebRelativeUrl, Boolean bHonorLevel, Byte iLevel, OpenBinaryFlags grfob. String bstrEtag Not Match, Object punkSPFileMgr, Boolean bHonorCustomIrm, IrmProtectionParams filelrmSettings, ISPDataCallback pRequiredAuthContextCallback, Ulnt32& pdwVirusCheckStatus, Int32& plVirusVendorld, String& pVirusCheckMessage, Int32& pIVirusScanLatency, String& pEtagNew, String& pContentTagNew, SPFilelnfo& pFileProps, Guid& pgWebldReal, Guid& pgDoclibld) at Microsoft SharePoint SPFile.GetFileStream(SPWeb web, SPResourcePath fileUrl, SPFileLevel level, OpenBinaryFlags openOptions, String etagNotMatch, ISPFileStreamManager spMgr, SPFileRightsManagementSettings rightsManagementSettings, Boolean throwOnVirusFound, Boolean skipLabellrm PermCheck, SPVi rusCheckStatus& virusCheckStatus, Int32& virusVendorld, String& virusCheckMessage, String& etagNew, String& conte ntTag New, SPFilelnfo& fileprops, Guid& doclibld, Guid& webldForAuditing) at Microsoft.SharePoint.SPFile.GetFileStreamNewOpti mizedlmpl(SPWeb web, SPResourcePath fileUrl, SPFileLevel level, OpenBinaryFlags openOptions, String etagNotMatch, ISPFileStreamManager spMgr, SPFileRightsManagementSettings rightsManagementSettings, Boolean throwOnVirusFound, Int64 numOfBytesToReadBeforeRefresh, SPVirusCheckStatus& virusCheckStatus, Int32& virusVendorld, String& virusCheckMessage, String& etagNew, String& contentTagNew, SPFilelnfo& fileprops, Guid& doclibld, Guid& webldForAuditing) at Microsoft.SharePointDeployment.FileSerializer.Upl oadFileData(Object fileOrListltem, SPLoggerObject loggerObject, SPWeb web, Guid fileld, SPResourcePath filePath, Filelnfo filelnfo. String fileValue, Int32 authorld. String authorLoginName, Int32 editorld. String editorLoginName, String checkinComment, DateTime timeCreated, DateTime timeLastModified, MetalnfoHandler metalnfo, Int32 iVersion, Boolean isFirstVersion, Nullable 1 isLastVersion, 32 listitemid. String listlnternalName, Boolean hasNoExecuteFlag, ImportObjectManager objectManager, SerializationlnfoHelper infoHelper) at Microsoft.SharePoint.Deployment.FileSerializer.Upl oadFileData(Object fileOrListltem, SPLoggerObject loggerObject, SPWeb web, Guid id, SPResourcePath filePath, Boolean fileExistslnDb, Nullable 1 isLastVersion, SerializationlnfoHelper infoHelper, SerializationlnfoHelper infoHelperListitem, MetalnfoHandler metalnfo, StreamingContext context) at Microsoft.SharePoint.Deployment.FileSerializer.Cre ateOrUpdateFile(Object fileOrListltem, SPLoggerObject loggerObject, SPWeb web, Guid id, SPResourcePath& filePath, Boolean fileExistslnDb, Boolean isFirstVersion, Nullable'1 isLastVersion, Boolean hasWebParts, SerializationlnfoHelper infoHelper, SerializationlnfoHelper infoHelperListitem, StreamingContext context) at MicrosoftSharePointDeployment.FileSerializer.Cre ateOrUpdateFileVersion(Object fileOrListltem, SPLoggerObject loggerObject, SPWeb web, Guid id, SPResourcePath& fileUrl, Boolean fileExistslnDb, String version. Boolean isFirstVersion, Nullable'1 isLastVersion, SerializationlnfoHelper infoHelper, XmlDocument listltemVersionsXml, StreamingContext context, ISurrogateSelector selector) at MicrosoftSharePointDeployment.ListltemSerializer .AddOrUpdateDoclibltemVersion(SerializationlnfoH elper infoHelper, XmlDocument listltemVersionsXml, SPListltem& listltem, SPLoggerObject loggerObject, SPWeb web, Guid newld, SPResourcePath& listltemServerRelativePath, Boolean blsPublish, Boolean exists. String version. Boolean isFirstVersion, Boolean isLastVersion, StreamingContext context, ISurrogateSelector selector. Loggerstatistics stats) at Microsoft.SharePointDeployment.ListltemVersionS erializer.AddListltemVersion(SPWeb web, SPListltem listltem, SPLoggerObject loggerObject, Guid newld. Boolean editHistory, Boolean existslnDb, Boolean isFirst, Boolean isLast, Boolean isDocLib, StreamingContext context, XmlElement listltemData, SerializationlnfoHelper listltemlnfoHelper, XmlDocument listltemVersionsXml, SPResourcePath& listltemServerRelativeUrl, ISurrogateSelector selector. Loggerstatistics stats, Guid docld) at Microsoft.SharePointDeployment.ListltemSerializer .UpdateListltemVersionData(SerializationlnfoHelper infoHelper, SPWeb web, SPListltem& listitem, Guid newld. Boolean existslnDb, Boolean isDocLib, SPResourcePath& listltemServerRelativePath, StreamingContext context, ISurrogateSelector selector) at Microsoft.SharePointDeployment.ListltemSerializer .SetObjectData(Object obj. Serializationinfo info, StreamingContext context, ISurrogateSelector selector) at Microsoft.SharePoint.Deployment.XmlFormatter.Cal ISetObjectData(Object obj. Serializationinfo objectData, ISerializationSurrogate surrogate, ISurrogateSelector selector) X235Views0likes0Comments"Open in app" when OneDrive is not installed
Earlier this year, Microsoft announced the "Open in app" functionality that allows people to open files in SharePoint Online and OneDrive using the desktop application. This requires the OneDrive sync client to be installed. However, in a Citrix Windows 2022 environment that does not have OneDrive installed, I can still use the "Open in app" functionality with Microsoft Word, Excel, PowerPoint. So is OneDrive sync client only required for editing other file types?198Views0likes0CommentsRe: Microsoft Purview - Sensitivity Auto-Label email attachments
As far as I know, that is not supported. The label would need to be assigned to the document before it is attached to the email or after the attachment has been downloaded. You can have emails inherit labels from attachments, but not the other way round.355Views0likes0CommentsRe: Encryption of documents via Sensitivity label and external parties
In my testing, Gmail doesn't support documents encrypted with sensitivity labels. Encrypted emails are handled differently. The encrypted email is sent in a "wrapper" email. If the recipient's email client supports the encrypted format, the client decrypts the email. If the client doesn't support the encrypted format (e.g. GMail), then the end user sees the wrapper message, which redirects the recipient to a Microsoft site where they can go through the one-time-password check and view the email plus attachments. So, you may need to send attachments as encrypted emails to ensure that non-supported recipients can easily view attachments.728Views0likes1CommentRe: Microsoft Purview - Sensitivity Auto-Label email attachments
DillonA2125 do you mean that you want the attachments encrypted based on the email sensitivity label setting? This should be happening automatically for your Word, Excel, PowerPoint attachments. If you mean that you want the attachments to be assigned the same sensitivity label as the email, then that is different. There is a feature called "https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#encryption-based-label-matching-for-documents" which will apply a sensitivity label to an encrypted document if their encryption policies match and users are in the same tenant. If the email attachments are PDFs, you will need to run a PowerShell command https://learn.microsoft.com/en-us/purview/ome-faq#what-file-types-are-supported-as-attachments-in-protected-emails--do-attachments-inherit-the-protection-policies-and-permissions-associated-with-protected-emails--what-about-pdf-474Views0likes2CommentsSharePoint Migration Tool - File Server migration behavior
How much disk space do you need when using SPMT to migrate file server content to SharePoint Online? The documentation recommends 150 GB. However, my experience has been that the agents run out of disk space if the source exceeds the available disk space. I would have expected content to be packaged and uploaded in batches, so that agents don't need to store all of the migrated content. If I look into the MigrationToolStorage folder on an agent, I can see that it creates separate pack directories. However, it keeps doing this until it runs out of space. The migration job then fails with the error "Temporary storage on your local computer is too low". For the current migration job, I paused it just before the agent ran out of space. At that point, there were 30 separate pack folders on the agent, using 117 GB of storage. It took around 30 minutes after pausing for these folders to get processed and removed. My current plan is to keep pausing the migration job when disk space is low until all the data has been migrated. However, I would have expected SPMT to cater for this scenario automatically. The ethernet connection on the agent is running at a steady 380 Mbps, so it doesn't appear to be a bottleneck. I have configured two agents, but only one appears to be used. This may be because I am only executing a single migration job.1.1KViews1like0CommentsRe: Best practice basics for Labels and DLPs to protect company data
I've just done some more testing with emailing office files that have encrypted Microsoft Word attachments. The Word document was assigned a sensitivity label with user-defined access. In one test, I assigned an encrypted sensitivity label to the email. In the other test, I assigned a sensitivity label that does not apply encryption. I sent the emails to an external Office 365 account and Gmail account that matched the sensitivity label permissions. The external Office 365 recipient was able to view the email and attachments without any issues. Previously, I used to get an error when previewing attachments encrypted with user-defined permissions. For the gmail recipient, the experience was different depending on whether the email itself was encrypted. For the encrypted email, they were given a link to view the message on outlook.office365.com. This required them to authenticate with their Gmail account or get a one-time passcode to the same email address. They were also able to preview the Word document attachment on the same site. For the unencrypted email, the gmail user was unable to preview the attachment. An alternative option could be to send sharing links to the Google workspace users. That would allow them to view encrypted documents that they have been granted access to.503Views0likes1CommentRe: Best practice basics for Labels and DLPs to protect company data
sumo83 I have experienced the same. The Office Web Apps currently do not support viewing Word, Excel or PowerPoint files that are encrypted with a label with user-defined access. An external recipient will need to use the desktop applications to access these. PDFs encrypted with user-defined access can be opened with Microsoft Edge and some 3rd party PDF editors. This might help in some scenarios.593Views0likes3CommentsRe: Purview Information Protection for internal and external emails
mohan1921 Microsoft recently published a guide called "Secure by default with Microsoft Purview". This does recommend using a default sensitivity label for documents that does implement encryption. https://learn.microsoft.com/en-us/purview/deploymentmodels/depmod-securebydefault-phase1#start-with-default-labels-and-protection-at-file-and-site-level893Views0likes0CommentsSensitivity Labels applied to email attachments versus directly on the document
I've noticed that the encryption applied to email attachments via sensitivity labels behaves differently than if the encryption is applied directly to the document. Example 1: I create an email and choose a sensitivity label that encrypts contents based on the specified users. I attach a Word document that does not have a sensitivity label applied. The email and attachment are encrypted. The email is sent to an external user Example 2: I create an email and attach a Word document that has already been assigned a sensitivity label that includes encryption. The email is sent to an external user. In Example 1, the recipient can view the attachment in Outlook Web. In Example 2, the document can't be viewed in Outlook Web. You will see a message "Sorry, Word can't open this document in a browser because it's protected by Information Rights Management". In example 1, the recipient can forward the email to someone in a separate tenant. They can also view the email and attachment. Is this expected behavior?Re: Outlook desktop client is encrypting emails despite the sensitivity label setting
So Microsoft have published details about an issue with Outlook desktop classic and sensitivity labels. https://support.microsoft.com/en-us/office/outlook-desktop-is-unable-to-apply-labels-with-encryption-8e084af0-b718-491d-8d42-5996e2bfd7fb The registry setting workaround described at the bottom of the article fixes the issue. Looking forward to a longer term fix779Views1like0CommentsRe: Outlook desktop client is encrypting emails despite the sensitivity label setting
Thanks oliwer_sundgren Only DLP policy configured is to remove encryption to specific addresses. We identified the issue prior to creating this policy No Exchange mail rules configured. Waiting between label changes has no impact This is affecting all users that the policy is scoped for, but only with the desktop client. The web client doesn't cause this issue No Outlook add-ins Only one Publishing Label policy currently defined831Views0likes1CommentOutlook desktop client is encrypting emails despite the sensitivity label setting
We have 3 different sensitivity labels set up - General, Internal and Confidential. The General label does not encrypt content, internal and confidential do. The default label for emails is Confidential. When someone uses the Outlook Desktop client (release 2407) and switches from Confidential to General, the email is still encrypted. This doesn't happen with the Outlook web client. If the switch from Confidential to Internal and then to General, the email is not encrypted. Has anyone else seen this behavior?1.3KViews0likes6CommentsRe: Can you change the default comma number format to exclude decimals?
Interesting - it works when I use Ctrl + N once I am viewing a workbook (new or existing). Is there any way to control the template used when you select the "Blank workbook" from the File tab? It seems odd that these two options behave differently1.2KViews0likes1CommentRe: Can you change the default comma number format to exclude decimals?
Sorry, the file name was a typo in my reply, I used the correct file name in the directory. I've manually copied the file to C:\Users\myaccount\AppData\Roaming\Microsoft\Excel\XLSTART\Book.xltx, restarted Excel, but I still get the standard formatting when I create a new workbok1.4KViews0likes5CommentsRe: Can you change the default comma number format to exclude decimals?
HansVogelaar, I've tried creating the Bool.xltx file and saving it to %appdata%\Microsoft\Excel\XLSTART. It was automatically moved into my "Default personal templates location" folder. However, it doesn't appear to be used when I create a new workbook. Any suggestions?1.9KViews0likes7Comments
Recent Blog Articles
No content to show