Microsoft ends desktop detour for sensitivity labels in Office web apps

Source: Help Net Security

Author: Sinisa Markovic

URL: https://www.helpnetsecurity.com/2026/04/15/microsoft-office-sensitivity-labels-permissions/

ONE SENTENCE SUMMARY:

Microsoft Office for the web now lets users apply sensitivity labels with custom permissions, aligning browser apps with desktop protection capabilities.

MAIN POINTS:

1. Update removes a long-standing limitation in web-based document protection workflows.
2. Word, Excel, and PowerPoint web apps now set user-defined permissions via sensitivity labels.
3. Previously, only pre-protected files were editable in browsers; changes required desktop apps.
4. Selecting a user-defined label opens a Permissions dialog within the web app.
5. Dialog supports adding specific users or entire domains for access assignment.
6. Available roles include Viewer, Editor, and Owner, mapping to Rights Management settings.
7. Additional settings include configuring a contact email for access requests.
8. Web apps currently lack support for custom permission expiration dates.
9. Enforcement continues under existing Purview label policies, encryption, and RMS configurations.
10. Deployment requires licensing, SharePoint/OneDrive labeling enabled, and configured user-defined labels.

TAKEAWAYS:

1. Browser-only users can now classify and protect documents without switching to desktop Office.
2. Consistent UI and terminology reduce friction between web and desktop permission management.
3. Security teams should update training and guidance to reflect new in-browser workflows.
4. Monitoring remains available through existing Microsoft Purview auditing and reporting.
5. Missing expiration-date control may require compensating governance or desktop-based processes.