Table of Contents
Read Protected PDF with Edge is Useful Feature
In December 2018, Adobe and Microsoft announced support in Adobe Acrobat Reader for PDF files protected with Microsoft Information Protection. An older format for protected PDFs (ppdf) was replaced by one based on V1.7 of the ISO specification for PDF, which allows for rights-management based protection of the kind used by Microsoft Information Protection (MIP) sensitivity labels.
Applying Sensitivity Labels to PDFs
You can’t apply sensitivity labels to PDFs inside an Office 365 app (you can using the paid-for versions of Adobe Acrobat). Instead, you apply labels through the Classify and protect option that’s added to Windows File Explorer when the Unified labeling client is installed on a workstation. Explorer launches the client to apply a label to the PDF (Figure 1).
You can also apply a label with PowerShell using the Set-AIPFileLabel cmdlet, which is installed with the unified labeling client. You can find the GUID for a sensitivity label with the Get-Label cmdlet.
Set-AIPFileLabel -Path "c:\temp\July 9 - Protected.pdf" -LabelId 81955691-b8e8-4a81-b7b4-ab32b130bff5 FileName Status Comment -------- ------ ------- c:\temp\July 9 - Protected.pdf Success
Finally, you will soon be able to apply sensitivity labels to PDFs by defining a default sensitivity label for SharePoint Online document libraries. This feature already supports Office documents and requires Office 365 E5 or Microsoft 365 E5 compliance licenses.
Reading Protected PDFs
All of this is good, but there’s no point in protecting PDFs if they can’t be read. To read a protected PDF, you need a reader which understands how protection works. Microsoft posts a list of supported readers online, the most common being Adobe Acrobat (Figure 2).
Reading PDFs in Edge Chromium
It’s nice to have a supported reader; it’s even better when the browser supports access to protected PDFs. The latest version of the Chromium-based Edge browser can read protected PDFs (I base this article on Version 83.0.478.61). Reading protected PDFs doesn’t work with private browser sessions, probably because some dependency exists on having a signed-in account.
Browser support for reading protected PDFs means that you can open protected PDFs from the SharePoint Online or OneDrive for Business browser clients or OWA. In this case of SharePoint Online, the protection can stop people taking screen captures. If you try to grab a capture (I tried with Snagit), you end up with a capture that’s all black. As Figure 3 shows, I was forced to take a photo of the screen to illustrate the point.
Some get very worried when applications don’t prevent users copying information from protected content. As demonstrated with SharePoint Online, the application can take the steps necessary to block access, but inventive people will find a way to share the information.
You can’t apply, change, or remove sensitivity labels from PDFs stored in SharePoint Online or OneDrive for Business. Instead, you must download the file and process it with the unified labeling client, and then upload it again.
Reading Protected PDFs with OWA
To test how OWA deals with protected PDFs, I attached the same file to an email and sent it. As you can see in Figure 4, OWA doesn’t stop screen captures even though the same permissions are assigned to the reader. The upside is that you can see the permissions and visual markings used to highlight the protected nature of the content to users.
Reading PDFs in Other Browsers
To show what happens when you try to access a protected PDF with another browser, I opened a SharePoint session with Brave. Figure 5 shows what results when I chose to open the file in the browser. The same is true in Chrome or Internet Explorer. To read the file, I had to download it and open the PDF with Acrobat Reader.
Good Feature to Have as Sensitivity Labels Become More Common
Some might consider building the ability to read protected PDFs into Edge a small and unimportant feature. It might not be the killer feature to convince people to move from Chrome or another browser, but I think the capability will be more appreciated over time, especially as the usage of protected content grows within Office 365 and more protected files are stored in SharePoint Online and Exchange Online.
Need more information about Office 365 sensitivity labels? Look no further than Chapter 24 of the Office 365 for IT Pros eBook. Its 60 pages will inform and delight you about how to use rights management to protect content in Office 365.
Hi Tony,
Thank you very much for the post, really helpful. When I try to protect a pdf with UL client I m getting the following error , do you know how can I trouble shoot this.
Session ID: 24a64095-f86c-427b-a9d5-1e9da87d8537
Error – An unknown error occurred. If this problem persists, contact your administrator or help desk.
See this post where I asked this question .
https://techcommunity.microsoft.com/t5/azure-information-protection/protecting-pdf-using-unified-labelling/m-p/1518888
Thanks in advance.
Sorry. Ask your admin or file a support request… and make sure that you’re running the latest version of the UL client as a first step.
Hello, I have a question about opening the PDF file in Edge browser by gmail account (already signup with Microsoft) at this link. https://answers.microsoft.com/en-us/msoffice/forum/all/view-pdf-file-protected-by-irm/ddc37de4-480d-4d62-8fb3-ac395125f8ec
Thank you for your help.