Microsoft has officially rolled out a critical security feature that information protection professionals have been requesting for years: the ability to apply sensitivity labels with user-defined permissions directly within Office for the web. The update, which reached general availability on March 15, 2025, covers Word, Excel, and PowerPoint, bringing browser-based productivity apps closer to feature parity with their desktop counterparts. This move integrates Microsoft Purview Information Protection more deeply into the web experience, allowing users to assign custom permissions—such as restricting who can read or edit a document—on the fly without leaving the browser.
Sensitivity labels have long been a cornerstone of Microsoft's data classification and protection strategy, but until now, web apps lagged significantly behind. Users who applied labels with predefined permissions could do so via Office for the web, but any label that required granular, user-specified settings—such as selecting specific individuals or groups, or setting an expiration date—forced a detour to the desktop apps. That friction caused workflow interruptions and, in some cases, undermined secure collaboration by nudging people toward less secure alternatives. The new capability eliminates that gap, enabling organizations to enforce consistent data governance across all endpoints.
What’s Changing: User-Defined Permissions in the Browser
The headline feature is the ability to apply a sensitivity label configured for user-defined permissions (often called “custom permissions” or “do not forward” with modifications) directly in Office for the web. When a label like “Confidential – Recipients Only” is configured in the Microsoft Purview compliance portal, administrators can choose whether to let users specify recipients and access levels at the time of assignment. Previously, if a user in Excel for the web selected such a label, the app would either fall back to a default permission setting or prompt the user to open the file in the desktop app. Now, a modern dialog box appears, allowing them to pick the level of restriction (e.g., Viewer, Reviewer, Co-Author) and add specific email addresses or groups from Azure Active Directory.
The feature works across the three core Office for the web apps—Word, Excel, and PowerPoint—and supports both new documents and those already stored in OneDrive or SharePoint. Permissions can be set to expire after a certain number of days, a setting that is especially useful for time‑bound confidential materials such as financial reports or legal drafts. Importantly, the same rights‑management settings apply regardless of whether the file is later opened in the desktop apps, ensuring a cohesive policy experience.
How It Works
The mechanism builds on Azure Rights Management (Azure RMS) under the hood, with the Microsoft Purview service handling the encryption and policy enforcement. When a user applies a label like “Restricted – Choose Recipients,” the web app calls the Microsoft Purview labeling APIs to fetch the label’s configuration, determines that user‑defined permissions are required, and presents the appropriate UI. Once the user selects recipients and permissions, the label is applied, and the document is encrypted with the corresponding RMS template. The metadata is written to the file so that other Microsoft 365 apps and services, including DLP policies and auto‑labeling, can recognize and honor the label.
Administrators must first enable the capability in the Microsoft Purview compliance portal by creating or editing a label and setting its encryption to “Let users assign permissions when they apply the label.” The label can be scoped to files, emails, or just Office documents. Once published via a label policy, users see it in the Sensitivity menu of the Office for the web ribbon. Microsoft has stated that no additional client configuration is required beyond installing the standard Microsoft 365 Apps for enterprise (or using the web apps with a supported browser).
Real‑World Impact and Use Cases
The practical effect of this change is immediate for any organization that deals with sensitive information but has a mobile or remote workforce reliant on browser access. Consider these scenarios:
- Finance teams sharing a quarterly earnings draft with external auditors. The lead author can apply a user‑defined label in Excel for the web, grant read‑only access to the audit firm, and set the permissions to expire in 30 days.
- Legal departments redlining contracts in Word for the web. An attorney can restrict editing to only the two named partners, and apply a watermark via the label without ever leaving the browser.
- Healthcare providers sharing patient reports in PowerPoint for the web. A doctor can customize permissions so that only the referring physician and the specialist can view the deck.
Each of these cases previously required switching to the desktop application, disrupting the flow of work and introducing the risk that the user would skip the label entirely. Now, the path of least resistance is also the compliant path.
Comparison with Desktop Clients
While the web experience is catching up, there remain some differences between browser and desktop. In the desktop apps, user‑defined permissions also allow features like “Encrypt‑Only” and “Do Not Forward” with custom recipient selection, and the UI for selecting recipients is slightly richer (e.g., it supports address book search more fluidly). However, the core capability—selecting people and permission levels—is now identical. Microsoft has indicated that it will continue to close the gap, with future updates bringing additional label‑based controls such as content marking headers and footers directly in the web UI.
Another nuance is that Outlook on the web has supported user‑defined permissions for email messages since 2023, so parity across the Office web apps completes the story for document-centric workflows. Teams and SharePoint integration remains consistent: when a labeled file is stored in a SharePoint library, its permissions inherit the label’s restrictions, and users accessing the file through a browser or the Teams client will see the same prompt to assign users if they attempt to apply a user‑defined label.
Availability and Licensing
The feature is available to all Microsoft 365 tenants that have Microsoft Purview Information Protection with the required licensing. Specifically, users must be licensed for Azure Information Protection Premium P1 or P2 (or the equivalent bundled licenses such as Microsoft 365 E3/E5, EM+S E3/E5, or Microsoft 365 Business Premium). The update has been rolling out automatically in the service, so no opt‑in is required; however, administrators should verify that their label policies include user‑defined permission labels and that those labels are published to the relevant users.
According to the Microsoft 365 roadmap, the feature was tracked under Feature ID 394281, and its status moved from “Rolling out” to “Launched” in early March 2025. The rollout spans all geographic regions and government clouds (GCC, GCC High, and DoD) simultaneously, though the latter may see a slight delay as is customary with compliance‑sensitive updates.
Why This Matters for Security and Compliance
The ability to apply user‑defined permissions on the web is more than a convenience; it reduces the “security tax” that often leads users to bypass protection altogether. If applying a custom label requires multiple clicks and a context switch, users are more likely to email a file unlabeled or use a less secure sharing method. Microsoft’s own telemetry has shown that when labeling is integrated seamlessly into the primary work surface, adoption rates for sensitivity labels increase by up to 40%. This directly supports zero‑trust principles by ensuring that data is protected at the point of creation or consumption, regardless of the access device.
For data loss prevention (DLP) administrators, the enhancement means that policies that trigger on unsanctioned label use or on missing user‑defined permissions will now be more effective in web‑based sessions. And for auditors, it simplifies the compliance chain: every document’s label and permission history is recorded in the Microsoft Purview audit log, even when applied via the browser.
Potential Pitfalls and Best Practices
Organizations should be aware that with greater flexibility comes potential for misconfiguration. If users are allowed to assign “Owner” permissions to a document, they can remove protection later. Microsoft recommends that labels with user‑defined permissions be combined with other controls: for example, by setting the label’s encryption to “User‑defined permissions” but also configuring a DLP policy that blocks external sharing if the document contains credit card numbers. Additionally, label admins should test the web experience with a pilot group to ensure the UI is intuitive and that users understand the meaning of each permission level.
Another consideration is external sharing. When a user adds an external email address to the permissions dialog, the label’s policy must permit external users. The default behavior respects your Azure AD external collaboration settings, so no extra configuration is needed, but you should verify that your tenant’s B2B and identity settings allow such sharing. Also, the web apps currently do not support applying a label that requires “content marking” (header/footer/watermark) at the same time as user‑defined permissions, although this works in the desktop apps. Microsoft’s roadmap indicates this gap will be addressed later in 2025.
History and Evolution of Sensitivity Labels in Office for the Web
To appreciate the significance, it’s useful to trace the trajectory. Microsoft first introduced sensitivity labels for Office for the web in 2020, starting with manual labeling without any protection. Encryption support (with predefined permissions only) arrived in 2022. User‑defined permissions for Outlook on the web followed in 2023. Now the triad of Word, Excel, and PowerPoint is complete, providing a consistent baseline for document protection. Each step reflected customer feedback that the web is a first‑class productivity environment, not a secondary one.
The rollout also aligns with Microsoft’s broader vision of a “cloud‑first” security model where policies and protections travel with the data regardless of the client. The fact that the feature lights up across the three main Office apps simultaneously shows a mature engineering engine that can deliver cross‑app experiences without staggered schedules.
Expert Analysis and Community Reaction
Information security professionals who have tested the feature during its private preview have described it as a “game‑changer for mobile workers.” In early preview channels, comments on the Microsoft Tech Community praised the seamless dialog and the near‑instant encryption application—even on large files. One administrator noted that it removed the final objection from their legal team about using the browser‑based document review process.
However, some early feedback highlighted that the user interface for selecting recipients could be daunting for users unfamiliar with Azure AD principal names. Microsoft responded by adding a “suggested contacts” drop‑down that surfaces frequently collaborated people, reducing the cognitive load. Additionally, a few users requested the ability to apply a user‑defined label as a default for all new documents in a SharePoint library. While that feature is not yet available, Microsoft has indicated it is exploring default labeling enhancements for the web.
How to Get Started
If your organization is ready to adopt the new capability, here are the steps:
- Review your existing sensitivity labels: In the Microsoft Purview compliance portal (https://compliance.microsoft.com), navigate to Information protection > Labels. Identify those that use encryption and check if any are set to “Let users assign permissions.” If not, consider editing an existing label or creating a new one.
- Enable user‑defined permissions on the label: In the label’s encryption settings, select “Configure encryption settings” and then under “Assign permissions now or let users decide?” choose the latter. Configure the label’s scope (Files, Emails) and other desired settings.
- Publish the label: Include the label in a sensitivity label policy and publish it to the targeted user groups. Allow time for the policy to propagate (usually within 24 hours).
- Communicate with users: Because the web UI differs slightly from desktop, provide a quick guide or video showing how to apply the label and select permissions. Emphasize the importance of only granting the minimum necessary access and using expiration dates for sensitive files.
- Monitor usage: Use the Microsoft Purview Activity Explorer and audit logs to track how often the label is applied in the web apps and what permissions users are granting. This data can help refine the label configuration over time.
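The first three steps can also be carried out from Security & Compliance PowerShell. The script below is an added example, not code from Microsoft or from this article; the label name, policy name and pilot group are placeholders, and the JSON key names read from LabelActions are assumptions to confirm against your own tenant's output.

```powershell
# Added example: script equivalents of the review, enable and publish steps.
# Requires the ExchangeOnlineManagement module and a role that can manage labels.
# The three values below are placeholders, not values from the article.
$LabelName  = 'Restricted - Choose Recipients'   # the label's Name, not its display name
$PolicyName = 'User-defined permissions pilot'
$PilotGroup = 'udp-pilot@contoso.example'

Connect-IPPSSession

# Step 1. Review: list every label that has an encryption action and show
# whether it uses a template or user-defined permissions.
# Each LabelActions entry is a JSON string; the keys 'protectiontype' and
# 'promptuser' are assumed names, so inspect one raw entry before relying on them.
function Get-LabelEncryptionSummary {
    foreach ($label in (Get-Label)) {
        foreach ($raw in $label.LabelActions) {
            $action = $raw | ConvertFrom-Json
            if ($action.Type -ne 'encrypt') { continue }
            $settings = @{}
            foreach ($kv in $action.Settings) { $settings[$kv.Key] = $kv.Value }
            [pscustomobject]@{
                Label          = $label.DisplayName
                ProtectionType = $settings['protectiontype']
                PromptUser     = $settings['promptuser']
            }
        }
    }
}
Get-LabelEncryptionSummary | Format-Table -AutoSize

# Step 2. Enable: let users assign permissions when they apply the label.
# EncryptionPromptUser is the switch that covers Word, Excel and PowerPoint.
Set-Label -Identity $LabelName `
    -EncryptionEnabled $true `
    -EncryptionProtectionType UserDefined `
    -EncryptionPromptUser $true

# Step 3. Publish: scope the label to a pilot group first, adding it to the
# pilot policy if that policy already exists.
if (Get-LabelPolicy | Where-Object Name -eq $PolicyName) {
    Set-LabelPolicy -Identity $PolicyName -AddLabels $LabelName
} else {
    New-LabelPolicy -Name $PolicyName -Labels $LabelName -ExchangeLocation $PilotGroup
}
```

Re-running the summary function after step 2 confirms the change took effect before the policy propagates to users.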
The Bigger Picture: Microsoft’s Purview Strategy
This launch is more than a feature update—it’s a clear signal that Microsoft intends to make the browser a primary platform for information protection. With the rise of Chromebooks, virtual desktop infrastructure, and the growing preference for lightweight, web‑based workflows, ensuring that classification and protection are frictionless is essential. Competitors like Google Workspace have long offered similar capabilities natively, but Microsoft’s approach, grounded in the deep integration of Azure AD, RMS, and Purview, gives enterprises a more robust and unified compliance story.
Looking ahead, Microsoft’s public roadmap suggests that sensitivity labeling will become even more pervasive in the web ecosystem. Planned enhancements include: applying labels via the OneDrive and SharePoint web UI directly from a file’s details pane, extending user‑defined permissions to Visio for the web, and supporting dynamic watermarking through sensitivity labels in PowerPoint for the web. As AI‑powered auto‑labeling matures, the combination of automatic classification with user‑defined permissions will let organizations strike a balance between automation and human discretion.
Conclusion
With the general availability of user‑defined permission labels in Word, Excel, and PowerPoint for the web, Microsoft has closed one of the most significant functional gaps between its desktop and browser productivity suites. This update empowers security teams to enforce consistent data protection policies without disrupting the modern, flexible work patterns that employees rely on. It simplifies compliance, encourages proper labeling habits, and—most importantly—helps keep sensitive information safe, no matter where the user is or what device they’re using.
For organizations invested in the Microsoft 365 ecosystem, the immediate recommendation is to evaluate your current label configurations and enable user‑defined permissions where appropriate. The feature is already live in your tenant; the only remaining steps are to turn it on, educate users, and watch your data protection posture strengthen effortlessly. As the line between web and desktop continues to blur, sensitivity labels that adapt to user intent will become the silent enforcers of a zero‑trust data strategy.