Share via

MIP SDK loses Azure Information Protection labels

Alexander P 21 Reputation points
2023-12-11T18:44:11.4066667+00:00

Hi!

MIP SDK seems to lose the label information.

I have a software that decrypts an AIP protected office file, changes it, and re-encrypts it.

Everything works fine, if the encrypted package contains a"Document Summary Information" stream with the MSIP_Label...-properties inside the stream.

If your remove the stream, MS Office can still read the correct label, but the MIP SDK loses the label informtion.

If you just remove the MSIP... properties, the label information is lost.

Steps to reproduce:

  1. Set a label, which encrypts an Office file.
  2. Remove the Document Summary information stream with a tool like Structured Storage Viewer
  3. Open the file in Office and check the label (i.e. VBA SensitivityLabel.GetLabel) => label is there
  4. Decrypt the file with MIP SDK and check the label in the protectionhandler => no label

The main question is: why can Office read the label if the stream is not there?

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
559 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,941 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. James Hamil 27,201 Reputation points Microsoft Employee Moderator
    2023-12-11T19:56:47.1766667+00:00

    Hi @Alexander P ,the reason why Office can still read the label even when the stream is not there is because the label information is also stored in the file's custom properties. When you remove the "Document Summary Information" stream, the custom properties are still intact, which is why Office can still read the label.

    However, the MIP SDK relies on the "Document Summary Information" stream to retrieve the label information. When this stream is removed, the SDK is unable to retrieve the label information from the custom properties, which is why the label is lost.

    To resolve this issue, you can try to modify your software to preserve the "Document Summary Information" stream when decrypting and re-encrypting AIP-protected Office files. This will ensure that the MIP SDK is able to retrieve the label information correctly.

    Alternatively, you can try to retrieve the label information from the custom properties using the MIP SDK's custom property APIs. This will require some additional development work, but it should allow you to retrieve the label information even when the "Document Summary Information" stream is not present.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.