Restricting Modification of Purview Labels
We have a use case where we have a set of files that are going to have a label applied (let's say for dicussion purposes the label that is being applied is "Highly Confidential") using the Azure Purview Scanner (although any method of applying the label should suffice for this use case). That label is not going to be made visually selectable/available to any Active Directory/Azure AD account (meaning it will not be visible to those account in MS Word, MS Excel, MS Powerpoint, Sharepoint or any other application where labeling has been made available and impacts the file itself). All Active Directory/Azure AD user accounts will have access to apply 3 additional labels of "Public", "Internal", and "Confidential" to files that do not meet the qualifiers to be labeled "Highly Confidential". We want a way of preventing any one of those user accounts from modifying or removing the label only when the label applied to the file is "Highly Confidential". We also need to be able to share a subset (this subset is not a fixed number of files) of the files that have the "Highly Confidential" label applied with external parties via Exchange Online. We have attempted to use the permissions made available in the Purview product today to help achieve our use case --- but that also means we have to apply encryption (there is no "OR" option). We have tried numerous methods of applying encryption and at the same time attempting to ensure that the external email experience is seamless (or at least consistent across platforms). Unfortunately, we have been unsuccessul to date (just not a great user experience). So, either we need a way of decoupling permissions and encryption (assuming that will even achieve our end goal) or an alternate solution which allows the user to apply one of the 3 labels I mentioned without the ability to remove/modify the "Highly Confidential" label where it is applied.
