Can Microsoft unlock my password-protected Word or Excel file?

No. Microsoft Support cannot decrypt an Office file for you — not because of policy but because of mathematics. AES-128 file encryption is performed locally before the file is saved or uploaded. Microsoft never sees the key. This is confirmed in the official support article KB 276517.

Are OneDrive personal-vault files the same as password-protected files?

No. Personal Vault files are regular Office files stored in a folder that requires 2FA to open. The files themselves are not additionally encrypted with a user password. If you lose access to your Microsoft account, you lose access to the vault — but the individual files are not mathematically locked.

What is IRM / AIP / Sensitivity Labels?

Information Rights Management (IRM), Azure Information Protection (AIP) and the newer Sensitivity Labels all apply organisation-controlled encryption. A tenant admin can revoke or reassign access. Unlike file passwords, these are policy-based and can be unlocked by your IT department through the Microsoft Purview portal.

Co-authoring does not work on password-protected files. Why?

Real-time co-authoring in Microsoft 365 requires the server to read parts of the file to merge edits. A file protected with AES-128 local encryption cannot be read server-side, so Microsoft disables co-authoring. Use Sensitivity Labels instead if you need both protection and co-authoring.

Account vs File Encryption

Microsoft 365 Password vs Document Password

Q: I reset my Microsoft 365 account password but my Excel file still asks for a password. Why?

Because there are two completely separate passwords. Your Microsoft account password controls the sign-in to outlook.com, OneDrive and Office.com. A document password is stored inside the file itself as AES-128 encryption. Resetting your account does not touch the file — the file was encrypted with a key derived from a separate password you typed when saving.

"I reset my Microsoft password but my Excel file still asks for one." This is the single most common support email we get. The reason is simple: Microsoft 365 uses at least four distinct password and encryption mechanisms, and users routinely confuse them. This page explains each one, which IT Support can help with, and where a recovery service like ours is the only option.

The Five Password Mechanisms in Modern Office

Mechanism	What it protects	Who can reset it	Recovery tool
Microsoft account password	Sign-in to outlook.com, OneDrive, Office.com, Xbox	You, via account.microsoft.com	"Forgot password" link, SMS / 2FA
Work / school (Azure AD / Entra) password	Corporate Microsoft 365 tenant sign-in	Your IT admin	Self-service password reset (SSPR) if enabled, else a ticket
OneDrive Personal Vault	Folder access gated by 2FA	You, via account recovery	Authenticator app or SMS re-verify
Document password (AES file encryption)	Opening the file (inside Word/Excel/PPT)	No one	GPU recovery, this site
Sensitivity label / IRM / AIP	Tenant-policy controlled access	Your IT / Compliance admin	Microsoft Purview portal, re-issue rights

Mechanism 1: The Microsoft Account Password

This is the password you set when you created a @outlook.com, @hotmail.com or personal Gmail-linked Microsoft account. It controls every consumer Microsoft service: OneDrive (personal), Office.com, Xbox, Skype. If you forget it, go to account.microsoft.com/password/reset. Microsoft sends a code to your backup email or phone.

What resetting this password does NOT do. It does not remove encryption from any document you saved locally with File → Info → Protect Document → Encrypt with Password. Those files carry their own AES-128 key derived from a password you typed separately at save time — often years ago, on a different device.

Mechanism 2: The Work Account (Entra / Azure AD)

If you sign in to Microsoft 365 as first.last@company.com, you are authenticating against your organisation's Entra ID tenant (formerly Azure AD). Password reset goes through your IT department — either self-service on passwordreset.microsoftonline.com if SSPR is enabled, or a helpdesk ticket otherwise.

Work accounts are also the hook for Mechanism 5 (sensitivity labels). If a colleague sends you a file marked "Confidential — Internal" via email, the file opens because your Entra sign-in proves you are an employee — but if you leave the company, the file stops opening even on your personal machine. This has nothing to do with file passwords; it is policy-based encryption that the tenant admin can revoke at will.

Mechanism 3: OneDrive Personal Vault

Personal Vault is a special folder inside consumer OneDrive that requires an extra 2FA challenge every time you open it. The files inside the Vault are regular Word/Excel/PDF/JPEG; they are not individually password-protected. The "lock" is on the folder — unlock it with your authenticator app and every file inside opens normally.

If you can no longer receive your 2FA code, the recovery path is the standard Microsoft account-recovery form, which may take days and may refuse if you cannot prove ownership. There is no "vault password" that can be cracked locally — everything the Vault protects depends entirely on your Microsoft account being accessible.

Mechanism 4: Document Password (Real Encryption)

This is the mechanism that brings users to recovery services. When you save a file with File → Info → Protect Document → Encrypt with Password, Office asks for a string, derives a key from it using PBKDF2 (SHA-512 at 100,000 iterations since Office 2013), and encrypts the file body with AES-128.

Key facts.

The password lives only in your head — and optionally, in a text you wrote to yourself.
Microsoft never receives the password. The file encryption is performed entirely on your device before save.
Changing your Microsoft account password has zero effect.
Uninstalling and reinstalling Office has zero effect.
Moving the file to a different computer has zero effect.

The only paths to recover a forgotten document password are (a) trying candidate passwords until one works (what GPU recovery services do), (b) finding an old note in a password manager or email, or (c) exploiting a weak encryption version if the file is old enough — see our Excel version comparison for specifics.

Mechanism 5: Sensitivity Labels, IRM and AIP

Microsoft 365 lets tenants enforce policy-based encryption on documents. You have probably seen labels like "Confidential — Internal", "Highly Confidential — Contoso" or simply "Do Not Forward". These are Sensitivity Labels (the modern incarnation) or their predecessors Information Rights Management (IRM) and Azure Information Protection (AIP).

Unlike a file password, a labelled document is encrypted with a tenant-owned key, not a user-derived key. When you open the file, Office contacts your tenant's rights server, verifies your sign-in token against the label's policy, and receives the decryption key. This is why labelled files can be revoked even after they have been emailed out — the tenant just refuses the decryption token next time.

If you cannot open a labelled document, a recovery service is the wrong tool. Contact your IT admin. They can either reassign rights through the Microsoft Purview compliance portal or strip the label entirely. We cannot help — there is no math attack against correctly configured tenant-owned keys.

Why "Forgot Password" Does Not Unlock Your File

Walk through the mental model. When you click "Forgot password" on outlook.com, Microsoft verifies your identity through your backup email, phone or passkey, and then sets a brand-new password for your Microsoft account. This overwrites whatever was in Microsoft's database.

Your Excel file is not in Microsoft's database. It is on your disk (or OneDrive), encrypted with an AES key derived from a password that was never, ever sent to Microsoft. There is no row in any Microsoft server that says "user X encrypted file Y with key Z". So there is nothing for Microsoft to reset.

This is by design. It is a feature of the threat model — if Microsoft could reset your file password, so could anyone who compromised Microsoft. The industry-standard choice is to make the file owner solely responsible for the file password, and accept that forgetting it is catastrophic.

Common confusions

"Excel Online says 'password protected' — I just need to sign in again." No — sign-in accesses OneDrive; the password prompt is on the file itself.
"I can open the file on my work laptop but not at home." You probably have a sensitivity label — your home sign-in cannot obtain the tenant decryption token.
"My IT reset my 365 password but it is still asking." The file prompt is an extra, independent password baked into the document.
"Office says 'Enter password to modify' — can I skip?" That is the modify-only password (editing lock); you can open the file read-only without it.

Co-Authoring With a Password — It Does Not Work

Microsoft 365 real-time co-authoring needs the server to read the file to merge changes. AES-128 file encryption prevents that by design. So if you apply Encrypt with Password to a shared workbook, everyone else in the co-author list loses live-edit access the moment they re-open.

If you want both collaboration and encryption, use a sensitivity label. Labels let the server hold the key and apply it per-user, preserving co-authoring while still restricting access to authorised staff. This is what large tenants roll out through Microsoft Purview / Compliance Center.

Troubleshooting Decision Tree

File opens in Excel / Word but a yellow banner says "Marked as Final" — click Edit Anyway. Not encrypted.
File prompts for a password before any content appears — AES document encryption. Recovery via our service.
File opens read-only and a banner says "Contact [admin] for permissions" — sensitivity label / IRM. Contact your IT admin, not us.
OneDrive says "Unlock Personal Vault" — account-recovery problem. Follow Microsoft's 2FA reset flow on account.microsoft.com.
Excel Online refuses to open, works in desktop Excel — file has a password; Excel Online does not support password-protected workbooks. Open in desktop.
SharePoint says "The file is checked out to another user" — not a password; ask that user to check it back in or an admin to override.

Stuck on mechanism 4? That is what we do

Document-password recovery for Word, Excel and PowerPoint is the service we built. For old-format .xls, .doc and .ppt files we guarantee recovery. For modern files we run a free check first so you know the odds before paying.

Upload file for free check

Frequently Asked Questions

I reset my Microsoft 365 account password but my Excel file still asks for a password. Why?

Because there are two separate passwords. Your account password unlocks OneDrive/outlook.com sign-in. A file password is AES encryption stored inside the file itself. Resetting the account does not touch the file's internal key.

Can Microsoft unlock my password-protected file?

No — not a policy choice, a cryptographic one. AES file encryption happens on your device before save. Microsoft never sees the key, even on OneDrive-stored files.

Is OneDrive Personal Vault the same as password protection?

No. The Vault is a folder gated by 2FA. The files inside are not individually encrypted with a user password. Lose your Microsoft account access and the Vault is inaccessible — but there is no per-file password to recover.

What about sensitivity labels / IRM / AIP?

Tenant-managed encryption. Only your IT admin can reassign or remove it via the Microsoft Purview / Compliance Center. GPU recovery does not apply.

Does co-authoring work on password-protected files?

No. Real-time co-authoring requires the server to read parts of the file to merge edits, which AES encryption prevents. For both collaboration and protection, use sensitivity labels instead.