Table of Contents
Reporting Files with Labels
Let’s assume that your users have applied Azure Information Protection or Office 365 sensitivity labels to a bunch of documents. How can you create a report of files to know which files are labelled and protected?
PowerShell to the Rescue
As it turns out, you can use PowerShell to examine the Azure Information Protection properties of files and extract the necessary information and use that to create our report. As always, an example helps to illustrate the point.
This PowerShell script looks for any Excel and Word documents in a folder (which could be a folder holding files copied by the OneDrive sync client from a SharePoint Online or OneDrive for Business document library). Each file is checked for the presence of an Azure Information Protection (AIP) or Office 365 sensitivity label (the same metadata is used). You need to be a tenant or AADRM administrator to be able to run the code.
$Report = @() $Files = (Get-ChildItem -Path "c:\temp\" -Include *.docx, *.xlsx -Recurse) ForEach ($F in $Files) { $FileName = "C:\Temp\" + $F.Name $TemplateName = $Null $Status = (Get-AipFileStatus -Path $FileName) If ($Status.IsLabeled -ne $False) { If ($Status.RmsTemplateId -ne $Null) { $TemplateId = [GUID]($Status.RMSTemplateId) $TemplateName = (Get-RMSTemplate -Identity $TemplateId.Guid ErrorAction SilentlyContinue ).Name } $ReportLine = [PSCustomObject]@{ File = $F.Name IsLabeled = $Status.IsLabeled LabelId = $Status.MainLabelId Label = $Status.MainLabelName Date = $Status.LabelDate RMSGuid = $Status.RMSTemplateId RMSTemplate = $TemplateName Owner = $Status.RMSOwner } $Report += $ReportLine }} $Report | Export-CSV -NoTypeInformation c:\Temp\LabeledFiles.csv
Outputting Details
If a file has a label, we extract details of the label and the underlying rights management template. One interesting thing that I discovered when writing the script is that the Get-RMSTemplate cmdlet fails when passed the GUID of a template used by an Office 365 sensitivity label. The GUIDs are correct, but for some reason the cmdlet fails. The output for an individual file that has a label with protection is:
File : ABPs and Teams.docx IsLabeled : True LabelId : 81955691-b8e8-4a81-b7b4-ab32b130bff5 Label : Secret Date : 13 Nov 2018 12:29:42 RMSGuid : c7fc2174-097c-4123-9cad-15f1a32cb145 RMSTemplate : Secret Owner : Tony.Redmond@office365itpros.com
Script Output
The output for the script is a CSV file that can be opened and analyzed with Excel or Power BI.

This script is included in our coverage of protecting Office 365 content in Chapter 24 of the Office 365 for IT Pros ebook. There’s another 44 pages about protection to read there…