The configuration described in this guide applies when there is a security requirement that a document be readable by its owner alone: every other user, including anyone who can already reach the file, is denied access through encryption.
There are two ways to create a sensitivity label with this encryption configuration: one is more involved, the other very straightforward. This guide walks through both.
Related Concepts
IPC_USER_ID_OWNER:
A reserved identity that stands for the owner of a protected document. Granting rights to this identity, and to no named user or domain, is what makes the resulting template owner-only.
(*IPC: Information Protection and Control)
Method 1: Using Rights Definition Objects
Step 1: Create a Rights Definition Object for Owner-Only Access
First, connect to the Azure Information Protection service and create a rights definition object:
Connect-AipService
$rights_definition = New-AipServiceRightsDefinition -EmailAddress "IPC_USER_ID_OWNER" -Rights "OWNER"
The `New-AipServiceRightsDefinition` cmdlet only builds an in-memory object in your PowerShell session; nothing is written to the service until that object is passed to Add-AipServiceTemplate in Step 3. The object stored in `$rights_definition` has the following structure:

JSON:
{ "Identity": "IPC_USER_ID_OWNER", "Rights": [ "OWNER" ] }
Step 2: Define Protection Template Names and Descriptions
Define the template name and description variables using hash tables for multi-language support:
$names = @{}
$names[1033] = "Template Name in English"   # LCID 1033: English (United States)
$names[1042] = "템플릿 이름 (한국어)"         # LCID 1042: Korean ("Template Name (Korean)")
$descriptions = @{}
$descriptions[1033] = "Description in English"   # LCID 1033
$descriptions[1042] = "설명 (한국어)"              # LCID 1042 ("Description (Korean)")
When creating a protection template with Add-AipServiceTemplate, the Names and Descriptions parameters must be hash tables. Create an empty hash table (@{}) and add one entry per language, keyed by the LCID (Windows Language Code Identifier); 1033 is English (United States) and 1042 is Korean.
Step 3: Create a Protection Template
$protection_template = Add-AipServiceTemplate `
-Names $names `
-Descriptions $descriptions `
-RightsDefinitions $rights_definition `
-Status Published
Add-AipServiceTemplate returns the newly published template, which is stored in $protection_template. Its TemplateId is the value the sensitivity label will reference, so keep it in a variable:
$id = $protection_template.TemplateId.ToString()
Step 4: Create a Sensitivity Label
New-Label belongs to Security & Compliance PowerShell, not to the AIPService module, so open that session first with Connect-IPPSSession. Pass the template ID captured in Step 3 to -EncryptionTemplateId:
New-Label `
-Name "Label Name" `
-DisplayName "Label Display Name" `
-Tooltip "Tooltip Text" `
-Comment "Description" `
-EncryptionEnabled $true `
-EncryptionProtectionType Template `
-EncryptionTemplateId $id
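Method 1 end to end, as an added example that is not code from the original article: both service connections, the rights definition, the template, the label, and a label policy so that clients can actually see the label. The label, template and policy names, and the localised name strings, are placeholders; it assumes the AIPService and ExchangeOnlineManagement modules are installed and that the account holds the administrative roles required for both the AIP service and Security & Compliance PowerShell.

```powershell
# Added example (not from the original article). Placeholders: label, template and
# policy names, and the localised strings. Assumes the AIPService and
# ExchangeOnlineManagement modules are installed and the account has admin rights
# on both the AIP service and Security & Compliance PowerShell.
$ErrorActionPreference = "Stop"   # a failed cmdlet aborts instead of leaving a half-built setup

Import-Module AIPService
Import-Module ExchangeOnlineManagement

# Step 1: a rights definition granting OWNER to the reserved owner identity only.
# No further -EmailAddress / -DomainName entries means no other grantee exists.
Connect-AipService
$rights_definition = New-AipServiceRightsDefinition -EmailAddress "IPC_USER_ID_OWNER" -Rights "OWNER"

# Step 2: localised names and descriptions keyed by LCID (1033 English, 1042 Korean).
$names        = @{ 1033 = "Owner Only"; 1042 = "소유자 전용" }
$descriptions = @{ 1033 = "Only the document owner can open this content."
                   1042 = "문서 소유자만 이 콘텐츠를 열 수 있습니다." }

# Step 3: publish the template and keep its ID for the label.
$protection_template = Add-AipServiceTemplate `
    -Names $names `
    -Descriptions $descriptions `
    -RightsDefinitions $rights_definition `
    -Status Published
$id = $protection_template.TemplateId.ToString()

# Read the rights back from the service before binding a label to the template:
# this, not the local object, is what the label will inherit.
Get-AipServiceTemplateProperty -TemplateId $id -RightsDefinitions

# Step 4: create the label in Security & Compliance PowerShell (a separate session)
# and bind it to the template by ID.
Connect-IPPSSession
$label = New-Label `
    -Name "Owner-Only" `
    -DisplayName "Owner Only" `
    -Tooltip "Encrypted: only the document owner can open this file." `
    -Comment "Owner-only encryption bound to AIP template $id" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionTemplateId $id

# A label is invisible to clients until a published label policy includes it.
# Scope this to a pilot group before rolling it out tenant-wide.
New-LabelPolicy -Name "Owner-Only Policy" -Labels $label.Name -ExchangeLocation All

# Show the encryption settings the service stored for the new label.
(Get-Label -Identity $label.Name).LabelActions
```

The two connections are deliberate: Connect-AipService authenticates to the Azure Information Protection service that stores templates, while Connect-IPPSSession authenticates to Security & Compliance PowerShell where labels and label policies live; a label created in one session referencing a template ID from the other is exactly the binding Step 4 describes.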
Method 2: Using the EncryptionEnabled Parameter
For a simpler approach, create the sensitivity label directly with New-Label and -EncryptionEnabled $true, specifying neither a template nor any rights definitions. With no other grantee supplied, the label ends up with only the default owner grant.
New-Label `
-Name "Label Name" `
-DisplayName "Label Display Name" `
-Tooltip "Tooltip Text" `
-Comment "Label Description" `
-EncryptionEnabled $true
Results
Both methods yield the same effective permissions. When you view the encryption settings of the created sensitivity label in the Purview portal, IPC_USER_ID_OWNER is the only grantee, with Full Control.

You can verify this in PowerShell with Get-Label. Inside the label's LabelActions value, the encrypt action carries a rightsdefinitions setting whose value is the rights definition serialised as JSON (note that Rights appears here as a plain string, not the array shown in Step 1):
LabelActions : {{"Type":"encrypt","SubType":null,"Settings":[{"Key":"disabled","Value":"false"},{"Key":"protectiontype","Value":"template"},{"Key":"templateid","Value":""},{"Key":"templatearchived","Value":"False"},{"Key":"linkedtemplateid","Value":""},{"Key":"contentexpiredondateindaysornever","Value":"Never"},{"Key":"offlineaccessdays","Value":"0"},{"Key":"rightsdefinitions","Value":"[{\"Identity\":\"IPC_USER_ID_OWNER\",\"Rights\":\"OWNER\"}]"}]}}
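An automated version of this check, added here and not part of the original article: a function that takes the LabelActions strings returned by Get-Label, finds the encrypt action, parses the nested rightsdefinitions JSON, and passes only if IPC_USER_ID_OWNER is the sole grantee and holds the OWNER right. It accepts Rights serialised either as a string (as in the output above) or as an array (as New-AipServiceRightsDefinition produces), since both forms occur. The sample input is constructed from the output shown above; the label name in the final commented call is a placeholder.

```powershell
# Added example (not from the original article): verify that a label grants rights
# to IPC_USER_ID_OWNER and to nobody else. Sample input is constructed from the
# Get-Label output in the article; "Owner-Only" is a placeholder label name.

function Test-OwnerOnlyLabel {
    param(
        # One or more JSON strings as found in (Get-Label <name>).LabelActions
        [Parameter(Mandatory)] [string[]] $LabelActions
    )

    # LabelActions holds one JSON document per action; keep the encrypt action.
    $encrypt = $LabelActions |
        ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.Type -eq "encrypt" } |
        Select-Object -First 1
    if (-not $encrypt) { Write-Warning "Label has no encrypt action"; return $false }

    # Flatten the Key/Value settings list into a lookup table.
    $settings = @{}
    foreach ($s in $encrypt.Settings) { $settings[$s.Key] = $s.Value }
    if ($settings["disabled"] -ne "false") { Write-Warning "Encryption is disabled"; return $false }

    # rightsdefinitions is itself a JSON document embedded as a string.
    if (-not $settings["rightsdefinitions"]) { Write-Warning "No rights definitions"; return $false }
    $rights = $settings["rightsdefinitions"] | ConvertFrom-Json
    if (-not $rights) { Write-Warning "Empty rights definitions"; return $false }

    foreach ($r in $rights) {
        # Rights may be serialised as "OWNER" or as ["OWNER"]; normalise to an array.
        $granted = @($r.Rights)
        if ($r.Identity -ne "IPC_USER_ID_OWNER") {
            Write-Warning "Unexpected grantee: $($r.Identity) -> $($granted -join ',')"
            return $false
        }
        if ($granted -notcontains "OWNER") {
            Write-Warning "Owner entry lacks the OWNER right: $($granted -join ',')"
            return $false
        }
    }
    return $true
}

# Constructed sample: the encrypt action from the Get-Label output shown above.
$sample = '{"Type":"encrypt","SubType":null,"Settings":[{"Key":"disabled","Value":"false"},{"Key":"protectiontype","Value":"template"},{"Key":"templateid","Value":""},{"Key":"rightsdefinitions","Value":"[{\"Identity\":\"IPC_USER_ID_OWNER\",\"Rights\":\"OWNER\"}]"}]}'
Test-OwnerOnlyLabel -LabelActions $sample

# Constructed counter-example: a second grantee slips in, so the check fails.
$leaky = '{"Type":"encrypt","SubType":null,"Settings":[{"Key":"disabled","Value":"false"},{"Key":"rightsdefinitions","Value":"[{\"Identity\":\"IPC_USER_ID_OWNER\",\"Rights\":[\"OWNER\"]},{\"Identity\":\"everyone@contoso.com\",\"Rights\":[\"VIEW\"]}]"}]}'
Test-OwnerOnlyLabel -LabelActions $leaky

# Against a live tenant (after Connect-IPPSSession):
# Test-OwnerOnlyLabel -LabelActions (Get-Label -Identity "Owner-Only").LabelActions
```

The function returns $false, with a warning naming the offending entry, rather than throwing, so it can be dropped into a scheduled compliance check that walks Get-Label output for every label that is meant to be owner-only.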
Reference Documentation
This article is based on official Microsoft documentation, practical testing experience, and the author's personal interpretation. Implementation may vary depending on your environment, policies, and timing. Please use this guide as a reference.
