Resolving Access Issues in MS Purview: A Case – Help, my users have lost access to their data!

Just recently I encountered a situation at a customer where people suddenly lost access to their documents protected by MS Purview. At first look, all the users who previously had access were suddenly blocked by the information protection service.

One of my first reactions was to check the labels and history. Even though you might not have access to the document itself, you can always check the label on a document by going to its details in, for example, SharePoint.

This made me notice that an encrypted label was applied. Once I had the label name, I also knew what to check for in the Purview portal. Doing some further analysis, I noticed that the access problem only applied to the internal \ encrypted label. All other labelled items seemed to work fine.

Heading over to the Purview portal at https://compliance.microsoft.com, I investigated the label itself. I noticed that it was scoped to a specific user group.

Groups are a common way to assign people and allow access to specific content and labels within Purview. The downside, of course, is that you have to manage these groups. So I decided to first have a look at this group in Entra ID to make sure that all the correct users had access to this group.

To my surprise, I noticed the group was gone.

However, it was still listed under the deleted groups, so an easy restore of the group resulted in people regaining access to the data.
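The same check and restore can be scripted. The following is an added example, not the script used in this case: it uses the Microsoft Graph PowerShell SDK to report whether the group a label is scoped to is active, soft-deleted or missing, and optionally restores it. It assumes the label references the group by its email address; the function name `Test-LabelGroup` and the address `purview-internal@contoso.example` are placeholders.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

function Test-LabelGroup {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$GroupMail,  # address(es) shown on the label
        [switch]$Restore                             # restore soft-deleted groups
    )

    # Fetch the tenant's soft-deleted groups once and match client-side.
    $deleted = @(Get-MgDirectoryDeletedItemAsGroup -All)

    foreach ($mail in $GroupMail) {
        $safe = $mail.Replace("'", "''")             # escape quotes for the OData filter
        $live = Get-MgGroup -Filter "mail eq '$safe'" | Select-Object -First 1
        # If the same address was deleted more than once, take the latest deletion.
        $gone = $deleted | Where-Object { $_.Mail -eq $mail } |
                Sort-Object DeletedDateTime -Descending | Select-Object -First 1

        $state = if ($live) { 'Active' } elseif ($gone) { 'SoftDeleted' } else { 'NotFound' }

        if ($state -eq 'SoftDeleted' -and $Restore -and
            $PSCmdlet.ShouldProcess($gone.DisplayName, 'Restore deleted group')) {
            Restore-MgDirectoryDeletedItem -DirectoryObjectId $gone.Id | Out-Null
            $state = 'Restored'
        }

        [pscustomobject]@{
            GroupMail       = $mail
            State           = $state
            ObjectId        = if ($live) { $live.Id } elseif ($gone) { $gone.Id } else { $null }
            DeletedDateTime = if ($gone) { $gone.DeletedDateTime } else { $null }
        }
    }
}

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Report only: is the group behind the label still there?
Test-LabelGroup -GroupMail 'purview-internal@contoso.example'

# Preview the restore first, then rerun without -WhatIf to apply it.
Test-LabelGroup -GroupMail 'purview-internal@contoso.example' -Restore -WhatIf
```

A `NotFound` result means the group is neither active nor in the deleted items, so a restore is no longer possible and the label's permissions have to be pointed at a new group.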

In conclusion, the issue of access loss to documents protected by MS Purview underscores the importance of diligent management of user groups and labels within the system. The investigation revealed that the problem was specifically linked to an encrypted label scoped to a particular user group. By carefully analyzing the labels and their history, and ensuring that the group settings in Entra ID were accurate, the access issues were effectively identified and addressed. This experience highlights the necessity for continuous monitoring and management of information protection settings to prevent similar disruptions in the future.