Azure Information Protection Usage Rights and SharePoint Permissions

Reading Time: 3 minutes

[Update April 2022 – IMPORTANT! I will be updating the screen shots and links for this post in the coming days as they are currently referring to AIP labels defined in the classic Azure Portal. I will revise the post to refer to sensitivity labels configured in the Microsoft 365 Compliance Center. The message of the post is still valid.]

I was asked a great question in a recent Azure Information Protection (AIP) talk I gave a few weeks back. The question was about understanding the interplay between SharePoint permissions and AIP Rights Management, an important relationship to understand.

Scenario: In Contoso, we’ve enabled external users on a SharePoint site and have shared the site with them. On this site, we have a document library we want external users to collaborate on, however we also have highly sensitive documents in the same library we don’t want external users to view.

Can we protect these highly sensitive documents with AIP to prevent external users from viewing them even if their SharePoint permissions provide them access to do so?

The answer is yes! The remainder of this post will walk thru the scenario above.

Although you could certainly accomplish this using only SharePoint permissions by breaking permission inheritance for any highly sensitive documents, this assumes you will always have your secure documents stored in the correct permission-trimmed location on the site. A more secure and risk-averse method of protecting these documents is thru an AIP label with usage rights protection because it remains with the document no matter where it’s stored. If someone accidentally stores a highly sensitive document in a location external users have access to, it will still be protected.


  • Provision an AIP label called Top Secret with Protection usage rights set to only allow users from the current tenant domain,, to be Reviewers. Nobody else will be able to view it.

Protection Settings

  • Create a Modern Team site called Awesome Team. 🙂
  • Add some documents in the library on the site. One of the documents will have the Top Secret AIP label created above applied to it. (circled below)

Document Library

  • Here is the Top Secret label applied to the above document in the Word client. As soon as the label is selected, protection is applied to the document.

Document with Top Secret label

  • Configure external sharing for the Awesome Team Group site with PowerShell

Set-SPOSite -Identity -SharingCapability ExternalUserAndGuestSharing
  • Share the Awesome Team site with an external user. In this example, I shared it with my personal gmail account. The external account has Edit rights to the site by being part of the Awesome Team Members group.

Permissions of the guest


Note: since the document is protected, it cannot be viewed in Word Online, but must be opened in the desktop Word client.

  • When anyone in the Contoso domain tries to open the document in the Word client, they can do so with Reviewer rights.
  • When the gmail account tries to open the same document, they can’t. This is the message they receive:

You are not signed in to Office with an account that has permission to open this document. You may sign in a new account into Office that has permission or request permission from the content owner. (image below)

No Access

Even though the gmail account has edit rights to the document from a SharePoint perspective, the AIP Rights Management usage rights protection overrides this and prevents anyone outside of the tenant domain from viewing the document. A more secure way of protecting your content.

Make sure information workers in your organization are security-aware –  they need to know when and how to protect any sensitive information they may work with. AIP labels with usage rights protection is a great way of doing this!

Thanks for reading.



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.