Hello everyone! Following issue with MIP on a quite common use case: We would like to provide a Microsoft Information Protection label "Confidential" with an offline access on the file of 30 days. Only predefined user groups can open the document. Additionally, we would like to provide a Microsoft Information Protection label "Highly confidential" where we let the user assign permissions when they apply the label. In order to be able to revoke access for these highly confidential documents, we'd like to set offline access to 0 days (authentification required whenever a user tries to open a file). Unfortunately, offline access can't be configured for a MIP label where users can assign permissions as they are not saved as AIPServiceTemplates. However, I can set the AipServiceMaxUseLicenseValidityTime which then is globally valid for all labels and overwrites specific offline access values from other labels, as it is more restrictive. Is there a way that allows me to set offline access individually for labels with predefined permissions and labels where the user can apply permissions?

@BenHV Thank you for your time and patience throughout this issue! I received a response from our AIP team and will post their update below. Update: If you use user defined permissions, it gives the user control and therefore you don't have the option to set that setting. I would rather have the lower classification have user defined permissions and the more restrictive be defined by a label, that should circumvent the issue. I hope this helps! If you have any other questions, please let me know. Thank you for your time and patience throughout this issue. ---------- Please remember to " Accept Answer " if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

MIP: AipServiceMaxUseLicenseValidityTime and predefined offline access in labels

Accepted answer

JamesTran-MSFT 36,496 Reputation points Microsoft Employee

2021-01-29T17:58:09.077+00:00

@BenHV
Thank you for your time and patience throughout this issue! I received a response from our AIP team and will post their update below.

Update:
If you use user defined permissions, it gives the user control and therefore you don't have the option to set that setting. I would rather have the lower classification have user defined permissions and the more restrictive be defined by a label, that should circumvent the issue.

I hope this helps! If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.
BenHV 21 Reputation points

2021-02-01T09:11:54.033+00:00

Thanks, James!

Unfortunately, it doens't circumvent the issue. If I use "user defined permissions", the only way I can restrict offline access is to set AipServiceMaxUseLicenseValidityTime on tenant level. In this case, the tenant setting is more restrive than every other label specific setting and overwrites it. However, for some label I would like to provide offline access to a file.

Tenant = 0 days offline access ("Set-AipServiceMaxUseLicenseValidityTime 0")
Label 1 = User defined permissions
Label 2 = 30 days offline access
Label 3 = 100 days offline access
--> All label have 0 days offline access

JamesTran-MSFT 36,496 Reputation points Microsoft Employee

2021-02-01T22:36:31.883+00:00

@BenHV
Thank you for the detailed response!

Using the workaround provided in my "update", I did receive another update from our engineering team and will post it below.

Update:
If you use user defined permissions, it gives the user control and therefore you don't have the option to set that setting. I would rather have the lower classification have user defined permissions and the more restrictive be defined by a label, that should circumvent the issue.

There’s no tenant wide setting, but you may test the registry value below to disable caching on a client for content protected with user defined permissions. It’s the value behind the setting “Require a connection to verify a user’s permission” for user defined permissions.

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\DRM] "RequireConnection"=dword:00000001

If you have any other questions, please let me know.
Thank you!

BenHV 21 Reputation points

2021-02-03T12:45:10.703+00:00

I would rather have the lower classification have user defined permissions and the more restrictive be defined by a label, that should circumvent the issue.

Unfortunately, this is not possible. A document with a lower classific. can be accessible to a broader audience, whereas "highly conf." documents should only be accessible for a user defined group. However, I'd like to prevent an access to this highly confidential file for 30 days after one successfull authentication.

value behind the setting “Require a connection to verify a user’s permission”

I'm actually looking for a way to set the setting behind "Allow offline access" (label configuration at the security center where I can set the value "Only for a number of days" or "Never") for labels with user defined permissions. Just to clarify: setting the Set-AipServiceMaxUseLicenseValidityTime to "0" seems to be the only way to achieve that, which then affects all labels.

Can you confirm, that this is the only possible way?

JamesTran-MSFT 36,496 Reputation points Microsoft Employee

2021-02-03T21:36:53.51+00:00

@BenHV
Thank you for the quick response! I reached out to our AIP team and will post their update below.

Update:
You cannot set a value for offline access duration for labels with user defined permissions. On the client, on a per user basis you may disable offline access for content protected with user defined permissions (see the registry settings).

Since what you're looking for isn't available, I'd recommend creating a feature request by leveraging our User Voice forum, this way our PG teams can look into this feature for future planning/implementation.

Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sign in to comment

Share via

MIP: AipServiceMaxUseLicenseValidityTime and predefined offline access in labels

0 additional answers