Forum Discussion
Sophie_Bruehl
Feb 17, 2025, Iron Contributor
Let users assign permissions and keep tenant-wide access
In our organization, we have configured all documents to be labeled and encrypted as "Internal" by default. Our idea is the following: When a user wants to share a document externally, they must manually change the label to "Restricted". The restricted label is set to "let users assign permissions when they apply the label".
To enable this, I created a Sensitivity Label with the option "Let users assign permissions". However, when users apply this label, all default tenant permissions are removed, meaning they have to manually assign access again.
I’m looking for a solution that allows users to share a document with a specific person while ensuring that only that person gains access and no one else can access it.
🔍 Has anyone successfully implemented this? Any best practices or workarounds?
- luchete, Steel Contributor
Hi Sophie_Bruehl,
To address the issue you're facing, one potential solution could be using a combination of sensitivity labels and permissions management tools. When you apply the "Restricted" label and allow users to assign permissions, instead of fully removing tenant permissions, you could configure the label to inherit or keep the default permissions but allow users to add or modify them. This way, you won't have to remove all existing permissions, and users can still control access on a case-by-case basis.
Another option that comes to my mind is to implement Conditional Access policies or use Microsoft Information Protection (MIP) to streamline the process. You can configure permissions to automatically apply to specific users when the document is labeled "Restricted", so users don't need to manually reset permissions each time.
Finally, you might also consider setting up an automated workflow using Microsoft Power Automate to help apply the appropriate permissions after the label is changed, reducing the need for manual intervention. That could ensure the document is shared only with the intended recipient without losing control over the other access settings.
Regards!!
- Sophie_Bruehl, Iron Contributor
Hi luchete,
Thank you so much for your thoughtful suggestions! I really appreciate your input, and I’ve been looking into the options you mentioned. However, I’d love to clarify a few points and ask for your help in understanding the technical aspects better, as I’m still facing some challenges.
1️⃣ Sensitivity Labels with Inherited Default Permissions
You mentioned that I could configure the label to inherit or keep the default permissions when the "Restricted" label is applied, allowing users to modify permissions on a case-by-case basis.
I have explored this, but as far as I understand, once I enable the "Let users assign permissions" option for the label, all existing tenant permissions are removed, meaning that the internal users lose access and have to be re-added manually each time. Unfortunately, I have not found an option that would allow the default tenant permissions to be retained while still enabling users to assign permissions to external recipients. If there’s a way to make this work seamlessly, could you kindly provide more details on how I could configure it?
2️⃣ Conditional Access Policies or Microsoft Information Protection (MIP)
You also suggested implementing Conditional Access or using Microsoft Information Protection (MIP) to streamline the process. I absolutely see how Conditional Access could help control the access for external users (e.g., only allow access from corporate devices). However, I believe that Conditional Access wouldn’t help with automatically setting default permissions when a document is labeled as "Restricted".
Similarly, I’ve explored MIP, but I understand that while MIP labels can apply protections like encryption, they don’t allow for the scenario I need, where tenant users retain their default access permissions while enabling the employee to manually add permissions for specific external users. Essentially, MIP doesn’t seem to support retaining default tenant permissions while giving users the ability to add or modify permissions on a case-by-case basis. If I’m missing something, I’d love to hear your thoughts on how this could be implemented.
3️⃣ Automated Workflow with Microsoft Power Automate
I completely agree that Power Automate could help reduce manual intervention, and I’ve already considered using it to automatically assign internal users back into the document’s permissions after the label is applied. However, I’m still uncertain about how to ensure that external users can be added automatically without compromising the internal access settings.
If you’ve had experience setting up such workflows, I would be very grateful for any examples or specific steps you could share.
I really value your expertise and would love to get your feedback on whether I’m on the right track or if I might be missing something key. Please feel free to correct me and walk me through how you would recommend setting things up!
Looking forward to hearing your thoughts.
Best regards,
Sophie
- luchete, Steel Contributor
Hello Sophie_Bruehl,
Thanks for the follow-up, and I’m glad the suggestions were helpful!
Let me try to address your concerns.
For the issue with sensitivity labels and inherited default permissions, you’re right that enabling "Let users assign permissions" removes all default tenant permissions. Unfortunately, as far as I know, there isn’t a built-in way to keep internal access intact while allowing users to manually add external permissions. For that, one possible workaround is to use Entra ID (Azure AD) or SharePoint groups to manage internal access. By doing this, the groups won't be removed when the label is applied, so internal users will still have access, and external users can be added manually. Another option is to use PowerShell scripts or Azure Logic Apps to automatically reapply internal permissions after the label change.
Regarding Conditional Access and Microsoft Information Protection (MIP), you're right that Conditional Access won’t directly help with setting default permissions. However, it could still help control which external users can access the document based on conditions like device compliance. MIP can help with protection (encryption, rights management) but doesn’t offer a way to manage internal permissions while allowing external sharing. For now, combining MIP with manual or automated permission changes might be the most effective approach.
As for Power Automate, it’s definitely a good idea for automating permission assignment. You could set up a flow that triggers when the label changes to "Restricted," automatically reassign internal permissions, and add external users as needed. It won’t fully replace manual control, but it should help reduce the workload.
Unfortunately, I do not have extensive experience setting up such workflows in production, as it is not my main area of focus, but I collaborated in a project some months ago and we were dealing with this as well, and these are our "findings".
I hope that gives you more ideas!
Kind regards.
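A read-only check for the point raised in this thread, added here as an example and not code from any of the posters: it lists every encrypting sensitivity label in the tenant and flags the ones set to "Let users assign permissions", so you can see which labels will stop carrying the label's own (tenant-wide) rights list. It assumes the ExchangeOnlineManagement module and a Security & Compliance PowerShell session, and that Get-Label exposes that setting as EncryptionPromptUser and the label's rights list as EncryptionRightsDefinitions.

```powershell
# Added example, not from the thread. Assumes ExchangeOnlineManagement is installed
# and the signed-in account may open a Security & Compliance session.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Only labels that encrypt content can grant tenant-wide access or prompt the
# user for rights; EncryptionEnabled filters out the purely visual labels.
$labels = Get-Label | Where-Object { $_.EncryptionEnabled -eq $true }

$report = foreach ($label in $labels) {
    # EncryptionRightsDefinitions is the label's own rights list, one
    # "identity:RIGHT1,RIGHT2" entry per identity, separated by semicolons.
    $defs = [string]$label.EncryptionRightsDefinitions
    $identities = @()
    if ($defs) {
        $identities = @($defs -split ';' |
            ForEach-Object { ($_ -split ':')[0].Trim() } |
            Where-Object { $_ })
    }

    [pscustomobject]@{
        Label             = $label.DisplayName
        # "Let users assign permissions" in the Purview portal
        UserAssignsRights = [bool]$label.EncryptionPromptUser
        # Identities the label itself grants rights to (e.g. the Internal
        # label's tenant-wide grant); empty for a user-defined label.
        LabelRightsList   = ($identities -join ', ')
        HasLabelRightsList = ($identities.Count -gt 0)
    }
}

$report | Sort-Object Label | Format-Table -AutoSize

# Labels where the user picks the recipients: nothing in the label itself
# re-adds the tenant, so internal access depends on what the user selects.
$report | Where-Object { $_.UserAssignsRights } | ForEach-Object {
    Write-Warning ("Label '{0}' prompts the user for rights; " +
        "internal users are not granted access by the label itself.") -f $_.Label
}

# The portal treats "assign now" and "let users assign" as alternatives; a label
# with both set via PowerShell is worth verifying in Office before rollout.
$report | Where-Object { $_.UserAssignsRights -and $_.HasLabelRightsList } | ForEach-Object {
    Write-Warning ("Label '{0}' has both a rights list and user-assigned rights; " +
        "confirm which one applies.") -f $_.Label
}
```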