Sensitivity Labels with User-Defined Permissions Gain SharePoint Support
User-Defined Permissions Support in SharePoint Opens Up Other Solutions
I wonder how many people bother to check pages like “What’s New in Microsoft Purview” on a regular basis. Well, the August 2025 update for sensitivity labels contains the very good news that Office and PDF files stored in SharePoint Online and OneDrive for Business now support sensitivity labels with user-defined permissions (UDP). This capability was originally announced in a Microsoft Technical Community post in August 2023. Following development, Microsoft launched the update in MC1013467 (21 February 2025) and said then that they expected the feature to be available in March 2025.
In this context, support means that the content of files protected by UDP labels can be indexed. And because the content is indexed, it is searchable and can be used by any solution that depends on search, like eDiscovery and Data Loss Prevention. This closes a gap that has existed since the introduction of sensitivity labels about ten years ago.
Associated with the change, I hear that Microsoft is working to update the browser versions of the Office apps to support the application of UDP labels. Today, only the desktop Office apps support UDP labels. No date is available for when the browser Office apps will support UDP labels, but it’s a work in progress.
Two Types of Sensitivity Label Permissions
Two forms of permission assignment exist for sensitivity labels. The most common are labels that have predefined permissions (usage rights) set by an administrator. These permissions are the same for every file or email that the label is assigned to, meaning that it is easy for workloads like SharePoint Online to extract, understand, and apply those permissions.
The second type is user-defined permissions. As the name implies, instead of an administrator determining the rights assigned by a label, the user who applies a label to a file decides what rights they grant to other users to access the item. Because the permissions can differ for every item that carries the same label, it’s more complicated for a workload to extract and protect items based on the permissions for individual items. For years, SharePoint Online and OneDrive for Business avoided the issue by simply not supporting sensitivity labels with UDPs. This has now changed, and it’s a very welcome advance in the state of the art.
Assigning User-Defined Permissions
When the author of a file or email applies a UDP label to an item, they must define the set of permissions granted to other users over that item. The UX implementation includes a set of predefined permission levels that cover the most common use cases (Figure 1): Viewer, Restricted Editor, Editor, and Owner. Item owners can quickly assign these levels to people or groups, or use the More Options section to customize permissions for specific needs. The implementation also includes a “people picker” to search for and assign permissions to selected people or groups from the same organization or external domains.

From an implementation perspective, it’s important to understand that the SharePoint support for UDPs only extends to newly-labeled or edited files. In other words, SharePoint Online does not apply retrospective support for files protected by UDP sensitivity labels. Instead, SharePoint Online processes files with UDP labels when a UDP label is assigned to the file or when a file that already has a UDP label is edited. Given the size of the Microsoft 365 infrastructure and the number of files with UDP labels that exist inside tenants, it’s logical that Microsoft should choose to process files on an on-demand basis.
Closing a Gap
Adding support in SharePoint Online for UDP sensitivity labels is a good thing. It closes a large and obvious gap. Tenants that have avoided UDP labels in the past because of the lack of SharePoint support can now revisit that decision.