I ran into an issue recently that had me stumped for quite a while. I had a client running a MIP pilot and had an encrypting MIP label missing the sensitivity drop-down options within Office Client Apps. All other labels were there (Public, Internal, Confidential, etc.), including the labels that were configured to encrypt. The only one that was missing was the restricted label. This one was also encrypted, but unlike the confidential label, which had the encryption groups configured on the label itself, the restricted label allowed users to set the encryption themselves. Keep in mind; this is expected behavior if you are working on the web version of Office, where any label that prompts users to set permissions is not supported. In this case, however, we were using the standard Office 365 client.
Possible Causes to Consider
There are certain situations where this type of label will not show up in the sensitivity button.
- As mentioned above, Office Online versions (including the office interface in Microsoft Teams) are not currently supported.
- Looking at the above screenshot, you will also notice that assigning permissions is dependant on the version of office being used (2004 or newer required)
Ruling Out Office as the Culprit
As mentioned above, if your version of Office is prior to version 2004, a user-configured, encrypting MIP label will not show up in the drop-down. To get around this, if you’re not able to update your Office version, install the MIP Unified Labeling Client (AIP Unified Labeling Client). At this point, the MIP Client takes over the options in the Office app, and you will be able to set the encrypting label. In our case, though, this did not work. To ensure that Office is indeed not the culprit, select a file on your workstation, right-click and select Classify and protect.
This process opens the MIP Client without interfacing with Microsoft Office. If the problem is something other than your version of Office, then the Encrypting MIP label will be missing here too.
Encrypting MIP Label Missing in the Sensitivity Drop-Down – The Solution
Believe it or not, the culprit is an option on the MIP label that should have nothing to do with the issue being observed. When configuring the label to allow users to set the permissions, Microsoft 365 provides some options around Outlook and Word, Excel, and PowerPoint. The options are separated to provide a different experience between Outlook and the other Office apps. Within the Outlook options, an administrator can select either to enforce “Do not forward” controls or to just allow the label to encrypt the email and nothing else. In our case, we had the second option (Encrypt-only) enabled. This option, which should have nothing to do with the MIP client or Microsoft Office client integration, caused the encrypting MIP label missing in the sensitivity drop-down issue.
Changing the option to Do Not Forward and saving your changes will have the label showing up again. I tested this about six times just to make sure I wasn’t going crazy. Note: you may need to reset your MIP configuration on the workstation.
Thank for reading!
Very nice article. Just looked into this myself. It’s the client that’s to blame 🙂 As there’s now two clients (the installable UL-client and the Office native client), these behave somewhat different. The UL-client doesn’t support the “encrypt only” option (anymore), but the native client and browser-version does.
It’s weird…. The Microsoft doc’s do state this: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client. However, if you look at the editing dates of this page, the “encrypt only”
remake was added around Juli 2021. So, this is somewhat new.
Great article and thanks!