Warning: MPIP / AIP Client for Microsoft Azure destroys files

A German blog reader has just pointed out a bug in the Microsoft MPIP/AIP client for Purview Information Protection that can corrupt files stored in OneDrive. Without a backup, these files are then lost (safe for eternity, so to speak). Microsoft has confirmed the bug: two "clients or services" work independently of each other. Let me summarize the relevant information for readers.



Azure Information Protection (AIP)

First, let's sort out what we're talking about – in any case, I had to see which Microsoft stable the abbreviations MPIP / AIP now fit into. The abbreviation AIP stands for Azure Information Protection. Microsoft writes:

Microsoft Azure Information Protection (AIP) is part of Microsoft Purview Information Protection (MIP) and helps organizations discover, classify, protect and manage sensitive information wherever it is located or transmitted.

Under "What is Azure Information Protection?", the reader will learn that the Azure Information Protection add-in is no longer supported and has been replaced by something new. The AIP P1 standalone offering will no longer be available for new customers from January 2024.

But there is also the information that Azure Information Protection (AIP) provides the encryption service Azure Rights Management, which is used by Microsoft Purview Information Protection. In short: Something is being tried in terms of "companies, protect your data with our stuff", whereby the stuff, aka Azure Information Protection (AIP), is (Microsoft's own words):

has been undergoing a modernization and integration process for several years. The aim is to provide customers with an enhanced classification, labeling and protection stack with Microsoft Purview Information Protection and Microsoft 365. As part of this process, Microsoft is retiring the AIP Unified Labeling add-in for Office in April 2024 and is recommending that customers who use it switch to the built-in labeling capabilities in Office for better performance, reliability and classification capabilities.

At this point, I got a little confused and left with the impression that the Microsoft people themselves no longer know what's going on. But now to the reader's observation.

OneDrive files suddenly broken

Blog reader Martin contacted me by email yesterday because an (even smaller) mishap occurred in his corporate environment with the above-mentioned stuff. According to Martin, the MPIP (formerly AIP) client is used in the corporate environment to protect the information. A user saves her data with the client in question (protected) in OneDrive. Martin wrote about this:



We had a user who applied a label with encryption to a folder in her OneDrive with right-click -> Classify and protect. This resulted in 700 of the 900 files being converted into 35 KB files …

Martin then sent me a screenshot listing the 35 KB files, all with the extension .pfile.

Broken .pfile files caused by the MPIP client

The computer service department then tried to remove the label with the encryption. Martin wrote: "When we tried to remove the label, we got a corrupt 0 KB Excel file."

A ticket with Microsoft and the answer

Martin then created a ticket with Microsoft in this context. After 2 (two) months there was even an answer, which Martin then sent me:

I apologize for the inconvenience caused.

Please note that we have discussed this issue with highest escalation in Microsoft and as per the update, unfortunately there's not going to be any public documentation for this on the MPIP side because this is not an issue regarding the MPIP but OneDrive, the client is a local client that can deal with local files, and OneDrive has files that are not synced that do not exist locally, so the client cannot deal with them.

If you attempt to encrypt a file that is not synced locally, the OneDrive client will try to download the file, but the MPIP client does not wait for this process to complete. As a result, you may end up encrypting the placeholder file before the actual file is downloaded by the OneDrive client.

To ensure this works smoothly and as desired, you should make the contents of the folder sync locally. Then you may apply the label with encryption.

I wholeheartedly empathize with your situation in this matter but unfortunately as the issue is not reproducible, our team is unable to troubleshoot further on the issue.

In a nutshell: When two (OneDrive, MPIP client) argue, it goes wrong and everyone does their own stuff. Only if synchronization with the OneDrive client is enforced does it work with the MPIP client and the protected files in the cloud. Martin has responded to this:

I've tested the described behavior and could reproduce the issue of the related user. In fact I have done the following:

  • Copied a folder with Office files in my OneDrive folder
  • Released the disk space with right click on it (so the file is not present on the client locally)
  • Stopped the OneDrive client
  • Applied the encrypted label
  • The Office files now have the .pfile ending

As this could lead to data corruption, I don't understand why there is no official warning from MS? Can you or someone from the internal team explain to us why this is not documented? And it doesn't matter if it is from the MPIP side or OneDrive -> all are MS products.

Our expected behavior would be the same as when you try to open a file which is not synced:

OneDrive warning

Why is the MPIP Client not able to recognize that the file is not locally available and show such a message? Instead it corrupts the files.

Martin's reply scared the experts in Redmond so much that they were left speechless – so far no reply. He says: "So MS admits that all files that are classified with a label – which is also encrypted – must be loaded onto the client beforehand. This fact is not documented anywhere and can also be reproduced."

Additional information from the reader

Martin sent me some additional information after the article was published. Here is his feedback.

Unfortunately, there are problems with the Microsoft Purview Information Client when classifying entire folders. This can lead to data loss, so please pay attention to the following points when classifying an entire folder:

Make sure that the folder is always synchronized on the device.

  1. Right-click on the folder
  2. Click on "Always keep on this device"

Selecting the function

You can see from the green circle and the white tick that the folder has now been downloaded to the device.

You should also make sure that the OneDrive client is always running. You can see this from the blue cloud at the bottom right of the clock.

OneDrive status

As soon as the cloud is gray or has an exclamation mark or red X, something is wrong. Please check the status by clicking on it with the right mouse button and see where the problem is.

OneDrive status

Now you can apply the label to the folder as soon as this is done. You can release the storage space again by right-clicking on the folder again and selecting "Release storage space".

Release storage space

The folder icon then changes to an empty cloud.

New OneDrive status
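
The two manual checks above (folder fully downloaded, OneDrive client running) can also be scripted as a pre-flight test before a label with encryption is applied. The following is an added example, not part of the original post, Martin's feedback or any Microsoft tooling; the function name `Test-FolderReadyForLabel` is hypothetical, and it assumes cloud-only files carry the Win32 placeholder attribute bits used by OneDrive Files On-Demand.

```powershell
# Added example: check a OneDrive folder before using "Classify and protect".
# The bit values are the Win32 FILE_ATTRIBUTE_* constants for files whose
# content is not (fully) present on the local disk.
$FILE_ATTRIBUTE_OFFLINE               = 0x00001000
$FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x00040000
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000
$NotLocalMask = $FILE_ATTRIBUTE_OFFLINE -bor
                $FILE_ATTRIBUTE_RECALL_ON_OPEN -bor
                $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS

function Test-FolderReadyForLabel {   # hypothetical helper name
    param([string]$Path)

    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: '$Path'"
    }

    # Only directory metadata is read here; file content is not downloaded.
    $placeholders = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
        Where-Object { ([int]$_.Attributes -band $NotLocalMask) -ne 0 })

    # The OneDrive sync client has to be running to download missing content.
    $oneDriveRunning = [bool](Get-Process -Name OneDrive -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Path             = $Path
        OneDriveRunning  = $oneDriveRunning
        PlaceholderCount = $placeholders.Count
        Placeholders     = $placeholders.FullName
        Ready            = $oneDriveRunning -and ($placeholders.Count -eq 0)
    }
}

# Usage: pass the folder as first argument, otherwise the OneDrive root is checked.
$target = if ($args.Count -gt 0) { $args[0] } else { $env:OneDrive }
$result = Test-FolderReadyForLabel -Path $target

if ($result.Ready) {
    Write-Output "OK: all files in '$($result.Path)' are local and OneDrive is running."
} else {
    Write-Warning "Do NOT apply an encrypting label to '$($result.Path)' yet."
    if (-not $result.OneDriveRunning) { Write-Warning "The OneDrive client is not running." }
    if ($result.PlaceholderCount -gt 0) {
        Write-Warning "$($result.PlaceholderCount) file(s) are cloud-only placeholders:"
        $result.Placeholders | Select-Object -First 20 | Write-Output
    }
}
```

If the check reports placeholders, use "Always keep on this device" on the folder, wait for the sync to finish, and run the check again before labeling.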


