Reading PDFs Protected by Sensitivity Labels with the Edge Browser

Useful Feature in Chromium-based Edge Browser

In December 2018, Adobe and Microsoft announced support in Adobe Acrobat Reader for PDF files protected with Microsoft Information Protection. An older format for protected PDFs (ppdf) was replaced by one based on V1.7 of the ISO specification for PDF, which allows for rights-management based protection of the kind used by Office 365 sensitivity labels.

Applying Sensitivity Labels to PDFs

You can’t apply sensitivity labels to PDFs inside Office 365. Instead, you apply labels through the Classify and protect option that’s added to Windows File Explorer when the Unified labeling client is installed on a workstation. Explorer launches the client to apply a label to the PDF (Figure 1).

Applying a sensitivity label to a PDF using the Unified Labeling client
Figure 1: Applying a sensitivity label to a PDF using the Unified Labeling client

You can also apply a label with PowerShell using the Set-AIPFileLabel cmdlet, which is installed with the unified labeling client. You can find the GUID for a sensitivity label with the Get-Label cmdlet.

Set-AIPFileLabel -Path "c:\temp\July 9 - Protected.pdf" -LabelId 81955691-b8e8-4a81-b7b4-ab32b130bff5

FileName                        Status Comment
--------                        ------ -------
c:\temp\July 9 - Protected.pdf Success

Reading Protected PDFs

All of this is good, but there’s no point in protecting PDFs if they can’t be read. To read a protected PDF, you need a reader which understands how protection works. Microsoft posts a list of supported readers online, the most common being Adobe Acrobat (Figure 2).

Viewing access rights for a protected PDF with Adobe Acrobat
Figure 2: Viewing access rights for a protected PDF with Adobe Acrobat

Reading PDFs in Edge Chromium

It’s nice to have a supported reader; it’s even better when the browser supports access to protected PDFs. The latest version of the Chromium-based Edge browser can read protected PDFs (I base this article on Version 83.0.478.61). Reading protected PDFs doesn’t work with private browser sessions, probably because some dependency exists on having a signed-in account.

Browser support for reading protected PDFs means that you can open protected PDFs from the SharePoint Online or OneDrive for Business browser clients or OWA. In this case of SharePoint Online, the protection can stop people taking screen captures. If you try to grab a capture (I tried with Snagit), you end up with a capture that’s all black. As Figure 3 shows, I was forced to take a photo of the screen to illustrate the point.

Reading a protected PDF stored in SharePoint Online
Figure 3: Reading a protected PDF stored in SharePoint Online

Some get very worried when applications don’t prevent users copying information from protected content. As demonstrated with SharePoint Online, the application can take the steps necessary to block access, but inventive people will find a way to share the information.

You can’t apply, change, or remove sensitivity labels from PDFs stored in SharePoint Online or OneDrive for Business. Instead, you must download the file and process it with the unified labeling client, and then upload it again.

Reading Protected PDFs with OWA

To test how OWA deals with protected PDFs, I attached the same file to an email and sent it. As you can see in Figure 4, OWA doesn’t stop screen captures even though the same permissions are assigned to the reader. The upside is that you can see the permissions and visual markings used to highlight the protected nature of the content to users.

OWA opens a protected PDF attached to a message
Figure 4: OWA opens a protected PDF attached to a message

Reading PDFs in Other Browsers

To show what happens when you try to access a protected PDF with another browser, I opened a SharePoint session with Brave. Figure 5 shows what results when I chose to open the file in the browser. The same is true in Chrome or Internet Explorer. To read the file, I had to download it and open the PDF with Acrobat Reader.

Figure 5: The Brave browser can’t read a protected PDF

Good Feature to Have as Sensitivity Labels Become More Common

Some might consider building the ability to read protected PDFs into Edge a small and unimportant feature. It might not be the killer feature to convince people to move from Chrome or another browser, but I think the capability will be more appreciated over time, especially as the usage of protected content grows within Office 365 and more protected files are stored in SharePoint Online and Exchange Online.


Need more information about Office 365 sensitivity labels? Look no further than Chapter 24 of the Office 365 for IT Pros eBook. Its 60 pages will inform and delight you about how to use rights management to protect content in Office 365.

2 Replies to “Reading PDFs Protected by Sensitivity Labels with the Edge Browser”

  1. Hi Tony,
    Thank you very much for the post, really helpful. When I try to protect a pdf with UL client I m getting the following error , do you know how can I trouble shoot this.
    Session ID: 24a64095-f86c-427b-a9d5-1e9da87d8537
    Error – An unknown error occurred. If this problem persists, contact your administrator or help desk.
    See this post where I asked this question .
    https://techcommunity.microsoft.com/t5/azure-information-protection/protecting-pdf-using-unified-labelling/m-p/1518888

    Thanks in advance.

    1. Sorry. Ask your admin or file a support request… and make sure that you’re running the latest version of the UL client as a first step.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.