Revoking access with sensitivity labels

What if a sensitivity label is configured to expire access to the information? How does this work? Perhaps an open door, perhaps not…


When we think of encryption, we normally think about the content within a document or email. And this is correct, of course. But Microsoft Purview Information Protection [MPIP] offers additional options when we configure a sensitivity label to use encryption. These options are based on Azure RMS and allow you to set an expiration on the content and to allow or disallow offline access to it.

Just to address the elephant in the room: yes, these are encryption (rights management) options. This means that users might be confronted with sign-in prompts when trying to open the document. Be careful with these settings.

Please do note that these settings (for now) require the document to be opened in the relevant Microsoft 365 App. You cannot open the document in the browser when such a label is applied. Nor can you apply a label with these settings using the browser.

Disallowing offline access to the content means that, when the document is opened, MPIP contacts the back-end service to check the label settings. This comes in handy if you want MPIP to verify whether a label has changed. For this check to succeed, the person opening the document needs to be online, so this setting effectively forces them online. If they are not, the document will not open.

Setting an expiration date allows access to the content until that date is reached. This function is the subject of this blog. I want to explain what happens when you label a document with a label configured with this setting and, most importantly, what the person opening the document will experience.

Create a label

In order to test this out, I’ve created a specific sensitivity label, aptly called “Revoke access 1 day”.

The encryption settings for this label give all my (internal) users Co-Author permissions, but this access is revoked after one day. In practice this means that after one day my users will no longer be able to open the document.

A document is labeled using this label. And the document can, of course, be opened and edited within the one-day timespan.

The permissions to the document have been successfully applied.
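The label described above can also be created and checked from Security & Compliance PowerShell rather than the Purview portal. The following is an added example and not part of the original post: the label name comes from the post, while the tenant domain contoso.com, the pilot group address and the policy name are placeholders, and the rights string and the meaning of -EncryptionOfflineAccessDays 0 (no offline access) are assumptions to verify against the New-Label reference for your tenant.

```powershell
# Added example (not from the original post): create the "Revoke access 1 day" label
# with Security & Compliance PowerShell, read its settings back, and publish it to a
# pilot group only. Placeholders: contoso.com, mpip-pilot@contoso.com, policy name.

# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement)
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

$labelName = 'Revoke access 1 day'

# Co-Author usage rights expressed as a rights string. All internal users are addressed
# by the tenant domain (placeholder: contoso.com). Format: "Identity:RIGHT1,RIGHT2;..."
$coAuthorRights     = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
$rightsDefinitions  = "contoso.com:$coAuthorRights"

if (-not (Get-Label -Identity $labelName -ErrorAction SilentlyContinue)) {
    New-Label -Name $labelName `
        -DisplayName $labelName `
        -Tooltip 'Encrypted; access to the content expires one day after labeling.' `
        -EncryptionEnabled $true `
        -EncryptionProtectionType Template `
        -EncryptionRightsDefinitions $rightsDefinitions `
        -EncryptionContentExpiredOnDateInDaysOrNever 1 `
        -EncryptionOfflineAccessDays 0   # assumption: 0 = no offline access, so every open is checked online
}

# Read the encryption settings back before publishing; the Settings collection holds
# the encryption* keys that were set above.
Get-Label -Identity $labelName | Format-List Name, DisplayName, Settings

# Publish to a pilot group only, given the consequences of expiration described in the post
New-LabelPolicy -Name 'Revoke access 1 day - pilot' `
    -Labels $labelName `
    -ModernGroupLocation 'mpip-pilot@contoso.com'
```

Publishing to a small group first is the check that matters here: once the day has passed, the only recovery is re-labeling by the owner or intervention by a super user, so the settings should be confirmed on a handful of documents before the label reaches the wider organisation.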

Results after one day

Before we look at the results after one day, take a moment to look at SharePoint Online. Since this expiration function cannot be used in Office on the web, it also affects SharePoint Online: the sensitivity label is not read by SharePoint Online. This makes sense (sort of) when you consider that SharePoint Online detects the label by processing the document after it has been uploaded. As it cannot process a document with these settings (see above), the Sensitivity column stays empty.

Time to open the document after at least one day. As you might expect, the document cannot be opened. The only way to solve this is to re-apply the label, or apply another label to the document, which can be done by the owner of the document, or by the super user in case of an emergency.

The bottom line: be careful with this setting when used within the encryption part of the label. An end user has no option to request additional access or contact the information owner once the expiration sets in. The owner of the information cannot simply extend the expiration date; instead, the label needs to be changed or removed.

So use this carefully and don’t use it on your more “run of the mill” labels. Establish a process for the expiration of the access and inform the users of it.

I hope this helps 🙂
