{"id":851,"date":"2023-03-11T10:36:15","date_gmt":"2023-03-11T15:36:15","guid":{"rendered":"https:\/\/blog.markdepalma.com\/?p=851"},"modified":"2023-03-11T15:53:51","modified_gmt":"2023-03-11T20:53:51","slug":"microsoft-purview-information-protection-sensitivity-labels-not-showing-sensitivity-button-greyed-out-in-desktop-client","status":"publish","type":"post","link":"https:\/\/blog.markdepalma.com\/?p=851","title":{"rendered":"Microsoft Purview Information Protection Sensitivity Labels Not Showing &#8211; Sensitivity Button Greyed Out In Desktop Client"},"content":{"rendered":"\n<p>I recently was doing a PoC for Microsoft Purview Information Protection and when I started I realized I was no longer able to see sensitivity labels in the desktop version of Office. I had access to them months back without any issue. <em>Of course I had already <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/compliance\/create-sensitivity-labels?view=o365-worldwide\" target=\"_blank\" rel=\"noreferrer noopener\">followed instructions on creating and publishing the labels<\/a> to my user account.<\/em> When I checked Office for Web, the button was available and functional. This issue was specific to desktop C2R Office clients. While troubleshooting I decided to turn off TLS decryption (handled by our Palo Alto firewalls) just to rule it out and to my surprise the button became available. When I looked at the firewall logs while decryption was on, I noticed some traffic failure hits for a sub-domain under <strong>protection.outlook.com<\/strong>. I looked through the documentation and eventually found this in the <a rel=\"noreferrer noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/information-protection\/requirements#firewalls-and-network-infrastructure\" target=\"_blank\">Azure Information Protection documentation<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Unified labeling client<\/strong>. To download labels and label policies, allow the following URL over HTTPS: *<strong>.protection.outlook.com<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p>Sadly, the documentation says nothing about this needing to be excluded from any firewall\/proxy inspection. The only mention of excluding hostnames from inspection was this (which we were already doing):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>TLS client-to-service connections<\/strong>. Do not terminate any TLS client-to-service connections, for example to perform packet-level inspection, to the&nbsp;<strong>aadrm.com<\/strong>&nbsp;URL.<\/p>\n<\/blockquote>\n\n\n\n<p>We actually did have a specific sub-domain under protection.outlook.com excluded from decryption, but that was not the one being used. I removed the specific sub-domain, added *<strong>.protection.outlook.com<\/strong>, and everything was working after that. I tried to log a case to force Microsoft to update their documentation, but I got the usual runaround and they have yet to update.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently was doing a PoC for Microsoft Purview Information Protection and when I started I realized I was no longer able to see sensitivity labels in the desktop version of Office. I had access to them months back without any issue. Of course I had already followed instructions on creating and publishing the labels [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[217,218,124,99,65],"tags":[213,214,219,211,208,216,215,209,210,212],"class_list":["post-851","post","type-post","status-publish","format-standard","hentry","category-m365","category-microsoft-purview","category-networking","category-o365","category-security","tag-aip","tag-azure-information-protection","tag-c2r","tag-decryption","tag-information-protection","tag-microsoft-information-protection","tag-mip","tag-office","tag-protection-office-com","tag-sensitivity-labels"],"_links":{"self":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=851"}],"version-history":[{"count":5,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/851\/revisions"}],"predecessor-version":[{"id":876,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/851\/revisions\/876"}],"wp:attachment":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}