Notes:Â
-
This feature requires a Microsoft 365 subscription and is available for users and organizations whose administrators have set up sensitivity labels and have not disabled end-user tracking and revocation.
-
This feature is supported only for Office file types.
-
This feature is supported only for local files and not for files in SharePoint.
-
This feature is not supported for password-protected files.
-
The most recent user to protect the file using a sensitivity label with encryption is considered the owner of the file. As owner of the file, you can track how people are accessing the file and you can also revoke access to the file if users previously granted access should no longer have access. The tracking and revocation experience is in the Microsoft Purview portal, which can be accessed from the Sensitivity menu in Word, Excel, and PowerPoint.
Accessing track and revoke from Microsoft Office apps
On the Home tab, select the Sensitivity button, and then select Track & Revoke Access. The Microsoft Purview portal opens in the browser.
Note:Â You can only access the Microsoft Purview portal for local files when you applied the label with encryption, using your current user account. This portal is not available for cloud files, files not encrypted with a sensitivity label, or files that you don't own.
Using the Microsoft Purview portal to track access
In the Microsoft Purview portal, you can see the successful and unsuccessful attempts by different users. Only their initial attempt will be tracked until their use license granted by the Azure Rights Management service for the file expires. The default expiration is set for 30 days.
The administrator can exempt users from being tracked. When these users try to open a file, their access attempt will not appear in the portal.
Select the Download Report button to generate a .csv of all the access attempts.
Note:Â Files are tracked by using their ContentID. Files uploaded to SharePoint or OneDrive lose their ContentID and have a different ContentID when downloaded. Access attempts to the downloaded file will not appear in the portal because it will have a different ContentID.
Using the Microsoft Purview portal to revoke access
Microsoft Purview allows you to remove access to encrypted files, which is called revocation. After you revoke access, users won't be able to view this file.
Select the Revoke access button to revoke access to a file.
After the confirmation, the status of the file will change to ‘Access Revoked'.
Note:Â When file access is revoked, access will be revoked for all files with that ContentID. If someone already viewed the file, they'll be able to access it until their use license for the file expires. Access will not be revoked for any copies of the file with a different ContentID.
Restoring access to revoked files
If you want to restore access for users to a file that you previously revoked, contact your administrator. Provide your administrator with the Content ID of the file and your email address, and they can restore access to the file.
Feature not available
This feature may be disabled by your administrator or not currently available in your region. If that's the case, you will see a page in the portal informing you of that scenario.
See Also
For administrators: Track and revoke document access
