🔹 Feature: Extended SharePoint Permissions (ESP)
🔹 What It Does: Your SharePoint permissions, extended everywhere. Lose access in SharePoint, and the downloaded file won't open anymore. Anywhere.
💡 Thesis: The perimeter follows the file, not the other way around.
What it gives you:
✅ Permissions That Travel: SharePoint site permissions are automatically applied to files when downloaded, copied, or moved off the site. No manual labeling required.
✅ Just-in-Time Protection: If permissions are revoked, the file is deleted, the site goes inactive, or the file is moved, the downloaded copy stops opening. Instantly.
✅ Live Permission Sync: Change a user's SharePoint access and the change reflects immediately on every downloaded copy of the file.
✅ Move/Copy Lockdown: Files can't be moved or copied to a different site. Moves and copies within the same site are allowed only if the user has list create/delete rights.
✅ Zero-Effort Rollout: Applies to unlabeled files and files with non-encrypting labels. Perfect for organizations early in their labeling journey.
✅ Permission Mapping Built-In: SharePoint Owner/Edit/Read map directly to RMS usage rights (Owner/Editor/Viewer). No custom rights policies to design.
⚠️ Worth knowing:
Requires Microsoft 365 Apps 2402+ (Current/Monthly Enterprise/Semi-Annual)
Files won't open offline: a connection to the original site is required
Copilot can reference but not summarize ESP-protected files
Mutually exclusive with default labels that don't apply encryption
Enabled per-tenant via: Set-SPOTenant -ExtendPermissionsToUnprotectedFiles $true
🔗 https://learn.microsoft.com/en-us/purview/sensitivity-labels-sharepoint-extend-permissions