Learning from the MIP Pros
If you’re interested in Microsoft Information Protection (MIP), you should consider joining the Yammer group where the MIP team share information about how their products work. Which is where I came across a thread covering a situation where someone (for whatever reason) deletes an RMS protection template. This isn’t good because RMS (Rights Management Services) templates underpin components like the sensitivity labels used by people to protect Office documents and PDFs. Essentially, the fear expressed was that if someone removes a template, people would be locked out of documents and email protected by the sensitivity label based on that template. It’s a reasonable concern.
The Publishing License Backstop
As explained in the thread, the publishing license helps to rescue users from the problem of a deleted template. The publishing license (PL) holds details inherited from the template when a document owner applies a sensitivity label to an item. The PL holds the access control list specified in the template (think of a list of email addresses (including the special addresses like anyone in the tenant or any authenticated user) and the rights assigned to each person). For example:
|Everyone in Office365itpros.com||View, Print|
|Any authenticated user||View|
|Senior.Executives@Office365itpros.com||View, Print, Edit|
The PL is encrypted so that only the rights management service can access its contents and is signed by the client, meaning that every client can see who applied the template.
When someone attempts to open an item protected by a sensitivity label, they obtain a use license (UL) from the rights management service. Clients that support offline access, like Outlook, can preload use licenses. The UL is an XrML certificate stating the user’s rights to access an item. The UL also holds the encryption key needed to access the item content and has an expiry date (usually 30 days from the time of grant). When the UL expires, it is renewed through user authentication. At this point, any changes to the preassigned rights in the sensitivity label become active. Ad-hoc or user-defined permissions stay in place unless updated on an item.
The combination of UL and a rights account certificate (RAC) allows access to a protected file. The RAC is obtained when someone first uses rights management on a workstation and renewed automatically every 31 days.
Let’s assume that someone goes ahead and deletes the Confidential template, which is used by the Confidential sensitivity labels (these days, most templates are created when sensitivity labels are created, so they have the same name). Many documents assigned the Confidential label are stored in SharePoint Online and OneDrive for Business. When a user with the right to access one of these documents attempts to open the file. At this point, the app (SharePoint Online) requests UL from the rights management service and includes the PL from the file. Because the RMS service cannot find the template, it falls back on the PL and issues a use license based on whatever access rights are noted there. Usually this means that users who expect to have access can continue to access the file, and all is well. However, if administrators have made changes to the access list over time, it could be that the PL from a document does not match the latest access list in the template before its removal. In this case, the users not in the access list cannot open the file.
Don’t Remove Templates
The thread concludes with a strong recommendation not to remove templates. Although the PL backstop exists and works (within reason), it’s not something that you want to depend upon. If you want to stop using a sensitivity label and its template, remove the label from all publishing policies so that users can no longer apply the label to new content. For more information about how MIP uses licenses, read this post (old but still informative).