Notes: 

  • This feature requires a Microsoft 365 subscription and is available for users and organizations whose administrators have set up sensitivity labels and have not disabled end-user tracking and revocation.

  • This feature is supported only for Office file types.

  • This feature is supported only for local files and not for files in SharePoint online.

  • This feature is not supported for password-protected files.

  • The most recent user to protect the file using a sensitivity label with encryption is considered the owner of the file. As owner of the file, you can track how people are accessing the file and you can also revoke access to the file if users previously granted access should no longer have access. The tracking and revocation experience is in the Microsoft Purview compliance portal, which can be accessed from the Sensitivity menu in Word, Excel, and PowerPoint.

Accessing track and revoke from Microsoft Office apps

On the Home tab, click the Sensitivity button and select Track & Revoke Access. The Microsoft Purview compliance portal will open in the browser.

Note: You can only access the compliance portal for local files where you applied the label with encryption, using your current user account. The compliance portal is not available for cloud files, files not encrypted with a sensitivity label, or files that you do not own.

Access track and revoke via purview

Using the Microsoft Purview compliance portal to track access

In the compliance portal, you can see the successful and unsuccessful attempts by different users. Only their initial attempt will be tracked until their Rights management use license for the file expires. The default expiration is set for 30 days.  

The administrator can exempt users from being tracked. When these users try to open a file, their access attempt will not appear in the tracking portal.    

Using purview to track access

Click the Download Report button to generate a csv of all the access attempts.

Download report

Note: Files are tracked using their ContentID. Files uploaded to SharePoint or OneDrive lose their ContentID and have a different ContentID when downloaded. Access attempts to the downloaded file will not appear in the compliance portal since it will have a different ContentID.

Using the Microsoft Purview compliance portal to revoke access

Microsoft Purview allows you to remove access to encrypted files, this is called revocation. After you revoke access, users won’t be able to view this file. 

Click the Revoke access button to revoke access to a file.

Using purview to revoke access  

After the confirmation, the status of the file will change to ‘Access Revoked’.

Access Revoked

Note: When file access is revoked, access will be revoked for all files with that ContentID. If someone already viewed the file, they’ll be able to access it until their Rights management use license for the file expires. Access will not be revoked for any copies of the file with a different ContentID. 

Restoring access to revoked files  

If you want to restore access for users to a file that you previously revoked, you can reach out to your administrator. Provide your administrator with the Content ID of the file and your email address, and they can restore access to the file. 

Feature not available 

This feature may be disabled by your administrator or not currently available in your region. If that is the case, you will see a page in the compliance portal informing you of that scenario. 

Track and revoke feature disabled

See Also

For administrators: Track and revoke document access

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.