Microsoft Information Protection (MIP) SDK FAQs and issues
This article provides answers to Frequently Asked Questions (FAQs), and troubleshooting guidance for known issues and common errors.
Frequently Asked Questions
Metadata Storage Changes
We announced that we're making a change to the label metadata storage location for Office files (Word, Excel, PowerPoint) to support new features in Office 365, SharePoint Online, and other services.
Metadata FAQ
Question: When will the first features become available that require this new storage location?
- Co-authoring for protected files in Microsoft 365 apps requires this new metadata storage location. For more details, review the Security, Compliance, and Identity blog post.
Question: Are other formats impacted, such as PDF?
- No, only Office files, specifically Word, Excel, and PowerPoint files.
Question: Is there a specific version of MIP SDK that is required?
- MIP SDK 1.7 and later are fully compatible.
Question: Is there a specific version of the Office client that will be required or use this store?
- As features are announced, the Office client will be updated to leverage the new storage location. The new storage locations will not be used until the features are enabled by tenant administrators.
Question: Will the existing metadata stored as a custom property in custom.xml be kept up to date?
- No. The first time the document is saved after the new storage location is enabled, label metadata will be moved to the new location. Metadata written via
LabelingOptions.ExtendedPropertieswill remain in custom.xml.
Question: Will it be possible to read the label metadata without MIP SDK?
- Yes, but you'll need to implement your own code to parse the file and extract the information.
Question: Currently, it's easy to "read" the label by extracting the key/value pair strings from the file. Will reading still be possible in this manner?
- Yes, the metadata is still available in the Office file XML to be read. However, it should be noted that your application will need to understand whether the new feature set is enabled to know which section is authoritative (custom.xml vs. labelinfo.xml). Review MS-OFFCRYPTO: LabelInfo versus Custom Document Properties | Microsoft Docs. for implementation details.
Question: How can I discover if the new features are enabled?
- We will share this information as we approach the feature release dates.
Question: How will labels be migrated?
- The following logic is used to determine which section is read and used to read or write label data.
| Action | Feature Not Enabled | Feature Enabled |
|---|---|---|
| Read | Label in custom.xml (unprotected) or Doc SummaryInfo (protected). | If label exists in labelinfo.xml, it is the effective label. If there is no label in labelinfo.xml, label in custom.xml or Doc SummaryInfo is the effective label. |
| Write | All new labels are written to custom.xml (unprotected) or Doc SummaryInfo (protected). | All new labels are written to labelinfo.xml. |
File Parsing
Question: Can I write to the same file that I'm currently reading with the File SDK?
The MIP SDK does not support concurrently reading and writing the same file. Any labeled files will result in a copy of the input file with the label actions applied. Your application must replace the original with the labeled file.
SDK string handling
Question: How does the SDK handle strings, and what string type should I be using in my code?
The SDK is intended to be used cross-platform, and uses UTF-8 (Unicode Transformation Format - 8-bit) for string handling. Specific guidance depends on the platform you're using:
| Platform | Guidance |
|---|---|
| Windows native | For C++ SDK clients, the C++ Standard Library type std::string is used for passing strings to/from API functions. Conversion to/from UTF-8 is managed internally by the MIP SDK. When a std::string is returned from an API, you must expect UTF-8 encoding and manage accordingly if converting the string. In some cases, a string is returned as part of a uint8_t vector (such as a publishing license (PL)), but should be treated as an opaque blob.For more information and examples, see:
|
| .NET | For .NET SDK clients, all strings use the default UTF-16 encoding and no special conversion is needed. Conversion to/from UTF-16 is managed internally by the MIP SDK. |
| Other platforms | All other platforms supported by the MIP SDK have native support for UTF-8. |
Content Marking
Question: Does the MIP SDK support content marking?
MIP SDK doesn't support direct application of content marking, including header, footer, or watermark, on any files. When writing the label metadata to a file, the File SDK will write the contentBits metadata property to indicate that protection was applied (if configured) and will not write the properties that indicate header, footer, or watermark were applied. When the file is opened in an application that supports content marking, the content marking configuration should be evaluated by the application and written to the file on save.
Compliance
Question: Is the Microsoft Information Protection SDK FIPS 140-2 compliant?
The Microsoft Information Protection SDK uses FIPS 140-2 approved ciphers but not FIPS 140-2 validated cryptographic libraries today. Applications consuming the MIP SDK need to be aware that the SDK is not considered FIPS compliant at this time. For more information, see the article on FIPS 140-2 compliance.
Issues and errors reference
Error: "File format not supported"
Question: Why do I get the following error when attempting to protect or label a PDF file?
File format not supported
This exception results from attempting to protect or label a PDF file that has been digitally signed or password protected. See New support for PDF encryption with Microsoft Information Protection for more information on protecting and labeling PDF files.
Error: "Failed to parse the acquired Compliance Policy"
Question: Why do I get the following error after downloading the MIP SDK and attempting to use the file sample to list all labels?
Something bad happened: Failed to parse the acquired Compliance Policy. Failed with: [class mip::CompliancePolicyParserException] Tag not found: policy, NodeType: 15, Name: No Name Found, Value: , Ancestors:
<SyncFile><Content>, correlationId:[34668a40-blll-4ef8-b2af-00005aa674z9]
This error indicates that you haven't migrated your labels from Azure Information Protection to the unified labeling experience. Follow How to migrate Azure Information Protection labels to the Office 365 Security & Compliance Center to migrate the labels, then create a Label Policy in Office 365 Security and Compliance Center.
Error: "NoPolicyException: Label policy did not contain data"
Question: Why do I get the following error when trying to read a label or list labels via MIP SDK?
NoPolicyException: Label policy did not contain data, CorrelationId=GUID, CorrelationId.Description=PolicyProfile, NoPolicyError.Category=SyncFile, NoPolicyError.Category=SyncFile
This error indicates that a label policy has not been published in Microsoft Security and Compliance Center. Follow Create and configure sensitivity labels and their policies to configure the labeling policy.
Error: "System.ComponentModel.Win32Exception: LoadLibrary failed"
Question: Why do I get the following error when using the MIP SDK .NET Wrapper?
System.ComponentModel.Win32Exception: LoadLibrary failed for: [sdk_wrapper_dotnet.dll] when calling MIP.Initialize().
Your application does not have the required runtime, or was not built as Release. See Ensure your app has the required runtime for more information.
Error: "ProxyAuthError exception"
Question: Why do I get the following error when using the MIP SDK?
"ProxyAuthenticatonError: Proxy authentication is unsupported"
The MIP SDK doesn't support the use of authenticated proxies. To fix this message, proxy administrators should set the Microsoft Information Protection service endpoints to bypass the proxy. A list of those endpoints is available at the Office 365 URLs and IP address ranges page. MIP SDK requires that *.protection.outlook.com (row 9) and the Azure Information Protection service endpoints (row 73) bypass proxy authentication.