How to Report Files Protected by Sensitivity Labels

Reporting Files with Labels

Let’s assume that your users have applied Azure Information Protection or Office 365 sensitivity labels to a bunch of documents. How can you create a report of files to know which files are labelled and protected?

PowerShell to the Rescue

As it turns out, you can use PowerShell to examine the Azure Information Protection properties of files and extract the necessary information and use that to create our report. As always, an example helps to illustrate the point.

This PowerShell script looks for any Excel and Word documents in a folder (which could be a folder holding files copied by the OneDrive sync client from a SharePoint Online or OneDrive for Business document library). Each file is checked for the presence of an Azure Information Protection (AIP) or Office 365 sensitivity label (the same metadata is used). You need to be a tenant or AADRM administrator to be able to run the code.

$Report = @()
$Files = (Get-ChildItem -Path "c:\temp\" -Include *.docx, *.xlsx -Recurse)
ForEach ($F in $Files) {
$FileName = "C:\Temp\" + $F.Name
$TemplateName = $Null
$Status = (Get-AipFileStatus -Path $FileName)
 If ($Status.IsLabeled -ne $False) {
 If ($Status.RmsTemplateId -ne $Null) {
    $TemplateId = [GUID]($Status.RMSTemplateId)
    $TemplateName = (Get-RMSTemplate -Identity $TemplateId.Guid ErrorAction SilentlyContinue ).Name }
    $ReportLine = [PSCustomObject]@{
         File        = $F.Name
         IsLabeled   = $Status.IsLabeled
         LabelId     = $Status.MainLabelId
         Label       = $Status.MainLabelName
         Date        = $Status.LabelDate
         RMSGuid     = $Status.RMSTemplateId
         RMSTemplate = $TemplateName
         Owner       = $Status.RMSOwner }
 $Report += $ReportLine
$Report | Export-CSV -NoTypeInformation c:\Temp\LabeledFiles.csv

Outputting Details

If a file has a label, we extract details of the label and the underlying rights management template. One interesting thing that I discovered when writing the script is that the Get-RMSTemplate cmdlet fails when passed the GUID of a template used by an Office 365 sensitivity label. The GUIDs are correct, but for some reason the cmdlet fails. The output for an individual file that has a label with protection is:

File        : ABPs and Teams.docx
IsLabeled   : True
LabelId     : 81955691-b8e8-4a81-b7b4-ab32b130bff5
Label       : Secret
Date        : 13 Nov 2018 12:29:42
RMSGuid     : c7fc2174-097c-4123-9cad-15f1a32cb145
RMSTemplate : Secret
Owner       :

Script Output

The output for the script is a CSV file that can be opened and analyzed with Excel or Power BI.


This script is included in our coverage of protecting Office 365 content in Chapter 24 of the Office 365 for IT Pros ebook. There’s another 44 pages about protection to read there…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.