Sensitivity Labels – Protection template can’t be found error

I was working with a client recently where they had dabbled a little with Sensitivity labels in M365. There were already some labels present, but no policy to publish them. We configured these existing labels as we wanted, and created a new policy to publish, then deployed the Unified Labelling client to some test machines and it was all great, but we had issues with applying labels that contained protection settings. Basically the error – regarding a protection template could not be found (similar to this):

There are a number of reasons why this might happen that I have seen before; sometimes if there is a firewall blocking access back to Microsoft URLs, SSL inspection interfering with traffic, a client software installation issue this can cause problems that throw up this error. Most commonly if someone is logging in to Office with different accounts, logging out of Office and re-authenticating as the correct user and / or resetting the settings in the labelling client has been known to sort this and other label issues out.

We ruled some of these out, including testing on a vanilla test machine where I had with no firewalls / proxy, but got same error presented. I also created a brand-new fresh set of labels, and published via a brand-new policy, again same issue.

I then remembered something I had seen in the early days of “AIP” (as it once was)  where the users who could use protection on labels could be restricted by an ‘onboarding policy’. This allows the admin to control the deployment.

It was a long shot, but I connected to the AIP service via PowerShell and ran:

get-aipserviceonboardingcontrolpolicy

This showed:

Which means someone once  upon a time has set an onboarding policy to prevent anyone else other than a particular group of users using protection. I then did a search in AAD PowerShell to find the name of the AAD group

Get-AzureADGroup -ObjectId <securitygrooupobjectid>

…and discovered the GUID the command returned was an old proof of concept group someone else had configured years ago as part of some testing.

None of the test accounts we were using were in this old PoC group, so this explained why we were getting the errors in Office when trying to use labels with protection settings configured. We got permission to set the tenant back to its original default setting of allowing all users to use protection by running:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -Scope All

Rerunning the command:

get-aipserviceonboardingcontrolpolicy

Gave a result showing a different output:

Almost immediately after this, we tried on our test machine to apply a label with protection settings and it worked once the tenant onboarding control policy was configured to allow all users to use protection.

About the author