Shared editing of encrypted docs now possible but not for everyone

Microsoft has announced that Office desktop apps (Windows and Mac) can now co-author encrypted documents. Until now, encrypted docs could only have shared editing using Office on the web. What’s in the fine print is often overlooked: this feature isn’t for everyone.

The announcement in bold from Microsoft has got all the media attention, as the company intended.

“Co-authoring on Word, Excel, and PowerPoint documents encrypted with sensitivity labels is now generally available for Windows and Mac.”

Sounds great and it’s accurate but worded to deceive the unwary. ‘Generally available’ does not mean all Office users, not even all Microsoft 365 business and enterprise customers.  Microsoft 365 consumer customers? … don’t even think about it.

Source: Microsoft

Sensitivity Labels

The key phrase is ‘sensitivity labels’.  Only high-end Microsoft 365 plans have them.

Sensitivity Labels are more than just tags on documents like ‘Secret, Highly Confidential, Confidential, Company only or Public’.  The Labels are linked to encryption, watermarks and other required document content and, of course, who can access the document.

The ability to share authoring of an encrypted document requires the file to have a Sensitivity Label. Sensitivity Labels are only available in the very high-end (expensive) Microsoft 365 plans.

At the very bottom of the announcement of this feature is the vital detail: which Microsoft 365 plans get co-editing of encrypted documents.

*Requires Microsoft 365 E3/A3/G3/E5/A5/G5 license.

That’s a shame because document security is vital for all users. While shared access to an encrypted document is hard, it should be available to all paying customers. There’s no good reason that ‘AutoSave’ should be disabled for paying customers using Microsoft Office and OneDrive.

More complications

If you’re an admin for an organization on one of the chosen Microsoft 365 plans, carefully read the documentation (not the blog announcement) for all the vital details.

Shared authoring of encrypted documents isn’t just ‘flicking a switch’. There’s important setup required, especially if third-party tools are involved.

And there are ‘show stopping’ devils buried in the details like this:

Co-authoring and AutoSave aren’t supported and don’t work for labeled and encrypted Office documents that use any of the following configurations for encryption:

Let users assign permissions when they apply the label and the checkbox In Word, PowerPoint, and Excel, prompt users to specify permissions is selected. This configuration is sometimes referred to as “user-defined permissions”.

User access to content expires is set to a value other than Never.

Double Key Encryption is selected.

The second on that list is a ‘show stopper’ for many. It means any content with an expiry date can’t use shared encrypted document co-authoring.
