Microsoft Purview’s sensitivity labels are brilliant for protecting your organisation’s data—until they’re not. While the encryption capabilities of labels like “Highly Confidential” and “Internal Only” provide robust security, they can also create unexpected roadblocks that’ll have your users reaching for the IT helpdesk.
I’ve previously written several blog post on the subject that you can read
- When inheriting (a label) is an issue
- Deep dive in PDF labelling and data protection
- eReaders with Microsoft Purview
Adding to what I’ve already mentioned above, let’s explore the seven other common issues when encryption through sensitivity labels meets the real world.
1. Third-Party Cloud Storage Platforms
What breaks: Dropbox, Adobe Creative Cloud, DocuSign, and similar platforms
Why it happens: Purview treats these as external environments and blocks access to encrypted content. Your beautifully protected document becomes a digital paperweight the moment someone tries to edit it outside the Microsoft 365 ecosystem.
The impact: Users can’t collaborate on sensitive documents stored in Dropbox or send encrypted contracts through DocuSign—two very common business scenarios.
2. AI and RPA Systems
What breaks: Third-party artificial intelligence tools and robotic process automation systems
Why it happens: These systems need to read and process your data, but encryption renders the content unreadable to external AI engines.
The impact: Your automated processing stops working, chatbots can’t access knowledge base documents, and data extraction workflows grind to a halt.
3. Business Intelligence Dashboards
What breaks: Third-party analytics platforms that pull data from encrypted Excel files.
Why it happens: BI tools can’t decrypt and read the underlying data in your spreadsheets, leaving your dashboards empty or displaying errors.
The impact: Executive reports fail to update, sales dashboards show no data, and business intelligence grinds to a halts
4. Legacy Adobe PDF Readers
What breaks: Adobe versions older than Adobe Reader/Acrobat 22
Why it happens: Older Adobe versions lack the necessary components to handle Purview’s encryption standards.
The impact: Users with older software installations can’t open encrypted PDFs, creating accessibility issues across different departments or external partners.
As per Microsoft the version that supports labelling is version 22.003.20258
Adobe’s official documentation is more update and it shows version 23.003.20201.1ec7624
In my personal experience, I’ve seen devices that has Acrobat 21, 19 and 15 not even be able to open up encrypted PDF files.
5. Online PDF Viewers
What breaks: Browser-based PDF viewers (with the exception of Microsoft Edge) and 3rd party PDF reader apps.
Why it happens: These lightweight PDF viewers (ex. Nitro PDF and PDFgear) don’t have the decryption capabilities required for Purview-protected documents.
The impact: Document previews fail, web-based workflows break. Users using 3rd party reader apps either is not able to open the files or gets an error message when they open an encrypted PDF.
6. Open Source Office Suites
What breaks: LibreOffice, OpenOffice, and similar free alternatives
Why it happens: These applications lack the proprietary decryption libraries needed to handle Microsoft’s encryption.
The impact: Your vendors, remote branch offices or sub-member firms who runs their own IT systems who are using these free office software suddenly can’t access company documents, creating a two-tier system of document access.
I’ve checked the LibreOffice documentation and could not find any mention of support for RMS.
7. Non-Microsoft Productivity Platforms
What breaks: Google Workspace (Docs, Sheets, Slides) and Apple iWork (Pages, Numbers, Keynote)
Why it happens: Competing platforms don’t support Microsoft’s encryption standards—hardly surprising, but often overlooked during planning and deployment.
You can read more about that here:
Also, Google Workspace has a competing data classification scheme: Enable or disable a classification label which is why I think it not likely that Google will make this cross-platform work.
The impact: Cross-platform collaboration becomes impossible, and BYOD policies clash with security requirements.
If you encounter any of these, read part 2 with my recommended actions/ workarounds.