Purview encryption

Question

Purview encryption

Rafana Fatima 0

Hi Team,

I have a question if I configure Encryption for a label and users assign permissions who can access the files etc.

What happens to the file when the owner of the file leaves the organisation. Who will have full permissions on the file.

Thanks

Rafana

Ganesh Gurram 7,020 Reputation points Microsoft External Staff Moderator

2025-05-06T21:28:51.0333333+00:00

@Rafana Fatima

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Ganesh Gurram 7,020 Reputation points Microsoft External Staff Moderator

2025-05-07T15:45:25.4666667+00:00

@Rafana Fatima - Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Rafana Fatima 0 Reputation points

2025-05-14T10:41:51.5166667+00:00

Thank you so much. Another question I had on encryption. For configuring encryption on a label i can configure under control access for a label right. I do not need to configure Azure Rights Management.
Ganesh Gurram 7,020 Reputation points Microsoft External Staff Moderator

2025-05-14T11:24:38.2566667+00:00

@Rafana Fatima

Thank you for your follow-up question. When configuring encryption for a sensitivity label, you can do so directly under the "Assign permissions" section of the label settings (also referred to as "Control access"). This is where you specify who can access the content and what rights they have.

You do not need to separately configure Azure Rights Management (RMS). The encryption is powered by the Microsoft Rights Management service, which is automatically activated and managed as part of Microsoft Purview Information Protection.

Reference: Restrict access to content by using encryption in sensitivity labels

Hope this helps. Do let us know if you have any further queries.

1 answer

Your answer

Ganesh Gurram 7,020 Reputation points Microsoft External Staff Moderator

2025-05-06T21:28:51.0333333+00:00

@Rafana Fatima

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Ganesh Gurram 7,020 Reputation points Microsoft External Staff Moderator

2025-05-07T15:45:25.4666667+00:00

@Rafana Fatima - Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Rafana Fatima 0 Reputation points

2025-05-14T10:41:51.5166667+00:00

Thank you so much. Another question I had on encryption. For configuring encryption on a label i can configure under control access for a label right. I do not need to configure Azure Rights Management.
Ganesh Gurram 7,020 Reputation points Microsoft External Staff Moderator

2025-05-14T11:24:38.2566667+00:00

@Rafana Fatima

Thank you for your follow-up question. When configuring encryption for a sensitivity label, you can do so directly under the "Assign permissions" section of the label settings (also referred to as "Control access"). This is where you specify who can access the content and what rights they have.

You do not need to separately configure Azure Rights Management (RMS). The encryption is powered by the Microsoft Rights Management service, which is automatically activated and managed as part of Microsoft Purview Information Protection.

Reference: Restrict access to content by using encryption in sensitivity labels

Hope this helps. Do let us know if you have any further queries.

Answer 1

@Rafana Fatima

When you configure encryption for a sensitivity label and a user applies it to a file with assigned permissions, the access control is enforced by Microsoft Purview Information Protection (formerly AIP). If the owner of the file leaves the organization, access to the file depends on how permissions were configured:

What happens when the owner leaves:

The file remains protected by the label's encryption settings. If permissions were granted to specific users or groups, those users continue to have access. If only the departing user had full permissions, and no additional access was granted, others may not be able to access the file.

Recommendations:

"If the user who protected the content is no longer with your organization and no other user has rights to the content, you must use the super user feature to access the content." Source – Microsoft Learn: Rights Management super users

Microsoft recommends using the Rights Management super user feature, which allows designated administrators to access all protected content, even if the original owner is no longer available.

Best Practices:

Assign access to groups instead of individuals whenever possible. Ensure the Rights Management super user role is configured for recovery and compliance scenarios.

For more details refer: Source – Microsoft Learn: Rights Management super users

Sensitivity label encryption for Australian Government compliance with PSPF

Restrict access to content by using sensitivity labels to apply encryption

I hope this information helps.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Share via

Purview encryption

1 answer

Your answer