Microsoft Information Protection / Security

Different client and mandatory labels

Posted by

Reading time: 2 minutes

How does a mandatory label act within the two different clients? Bottom line: reviewing a Word document with the integrated client requires edit-rights to that document.

Introduction

In March/April of 2023, Microsoft will be phasing out the Azure Information Protection Unified Labeling client for Office applications. To be sure: this only affects these applications. But if your organization uses this client to label Office documents, your users will start noticing a difference. Some time ago I wrote a small article on this, so I won’t have to go into much detail.

But today I did stumble on a very subtle difference, that end users will start to notice as well. So make sure you inform them properly. The subject is the mandatory labeling of documents in Office. To be fair: this information is available on Microsoft Learn.

Let’s take a look at this scenario

The user opens a document from a read-only location. This might be an external location where documents are only shared. Because of the Microsoft Purview Information Protection [MPIP] policy, any Office document needs to have a label assigned. The policy also has no label configured as a default.

How will MPIP act when such a document is opened in the Microsoft 365 app? And the answer is: this depends on which client is used and if it’s a Word document opened in review mode.

In a nutshell

When you open an Office document with the AIP Unified Labeling client installed and active, then the mandatory label is enforced only when the document is saved during closure (and after the document has been modified). During in-between saves, the user will be prompted for the label but can choose not now.

The integrated client however enforces this mandatory label before the document can be edited or reviewed. And it will display a message stating this on the top of the document.

Let’s take a look.

Here is a basic PowerPoint document, which has been opened in PowerPoint Online. The document does not have a sensitivity label, although this is mandatory in my organization. I have read-only access to the document and open this in the PowerPoint app. This PowerPoint app has the integrated client enabled.

The Unified Labeling client does not have an issue with the mandatory label. It simply opens the document and does not bother with a message or pop-up.

When a user decided to save the document, in order to modify it (which probably will happen), then the difference will become even clear. If the integrated client is used, a label needs to be added right away. The Unified Labeling client will allow the user to work on the document until PowerPoint and the document are closed.

But this is PowerPoint. Let’s take a closer look at using Word and  SharePoint Online.

Review mode

SharePoint Online allows us to share a Word document not only in edit or read-only mode. You can also choose to let someone “review” the document. And here is another difference between the two clients.

The Unified Labeling client has no problems with a Word document that has been shared in the “review” mode. You can open the document and add comments, without the need for a label. However…… The integrated client perceives this as a modification of the document. And editing a document when a label is mandatory is only possible when that label has been applied. This also goes for documents in “review mode”.

This indicates that you cannot review or add comments to a read-only document when a sensitivity label is mandatory and you are using the integrated client.

This leaves us where?

You might think that these subtle changes are just superficial. But for end-users, these might be very relevant. And the need for editing permissions when “just” reviewing a Word document can be very confusing. Just to recap:

  1. You can open a non-labeled “read-only” document without any trouble. You might get a pop-up when you need to edit and/or save the document.
  2. The integrated client displays a message on the top of the screen, stating that before editing, the label needs to be applied.
  3. The Unified Labeling client only askes for/demands the label when the document is closed definitively and does not require a label when reviewing a document.
  4. When a label is mandatory, it is very hard to close the relevant Microsoft 365 App. I even had to use the task manager (or CTRL-ALT-DEL) once.

I hope this heads-up helped. Just to be sure: when using default labeling, auto-labeling, and auto-labeling at rest, you can circumvent some of these issues. But not all, unfortunately.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s