Apply Sensitivity labels to SharePoint site, Microsoft Teams & Microsoft 365 groups – Microsoft Purview

Sensitivity labels can be applied to individual documents and emails to classify content in general. In addition, you can now apply sensitivity labels at the container level: SharePoint sites, Microsoft Teams and Microsoft 365 groups.

The settings below can be controlled by creating a classification label for a site or group.

  • Privacy: A Team or a Microsoft 365 group can be defaulted to Private when labelled as ‘Confidential’. Baseline privacy controls can be enforced.
  • External user access: Control whether a group owner can add Guests.
  • External sharing from SharePoint sites: Guest access can be turned ON/OFF for certain sensitivity labels. Guests can be blocked on a site marked as Confidential. Guest access can be turned on if a site is classified as public.
  • Access from unmanaged devices: This option comes into play only if you have Azure AD Conditional Access policies set up. You can block or allow access from unmanaged devices depending on the sensitivity label.
  • Authentication contexts (in preview): This option comes into play only if you have Azure AD Conditional Access policies set up. You can enforce MFA based on the sensitivity label.
  • Default sharing link for a SharePoint site (PowerShell-only configuration): The default sharing link type (allow editing, only users with permission can access, etc.) can be controlled by the sensitivity label assigned to the site. These settings, which help to prevent over-sharing, are automatically selected when users select the Share button in their Office apps.
  • Site sharing settings (PowerShell-only configuration in preview): Another PowerShell advanced setting that you can configure for a sensitivity label applied to a SharePoint site is MembersCanShare. This setting is the equivalent of the configuration that you can set from the SharePoint admin center > Site permissions > Site Sharing > Change how members can share > Sharing permissions.
    Available options are MemberShareAll, MemberShareFileAndFolder and MemberShareNone.

In my opinion, it works best when tenant-level defaults are set to be most restrictive and are relaxed based on the selected sensitivity.

Note: A sensitivity label applied to a SharePoint site or Team only impacts the classification and configuration settings for the site/Team. Content in the site/Team DOES NOT inherit the label's classification or settings for files and emails. Users can label their content in the SharePoint site or Team appropriately.

Enable sensitivity labels for Containers (SharePoint sites, Microsoft Teams & Microsoft 365 groups)

Step 1: Labels are created and published in the Microsoft Purview compliance portal for this Azure AD organization.

Step 2: Enable sensitivity label support in PowerShell. EnableMIPLabels is set to True from the Azure AD PowerShell module.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-labels

License: There must be at least one Azure AD Premium P1 active license in Azure AD org.

  • Open Windows PowerShell with elevated privileges.
  • Install the AzureADPreview module and connect to Azure AD:

    Install-Module AzureADPreview
    Import-Module AzureADPreview
    Connect-AzureAD

  • Run the following commands to display the group settings:

    $grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
    $Setting = $grpUnifiedSetting
    $grpUnifiedSetting.Values

If the output is blank, a new setting should be created. If the feature is already enabled, EnableMIPLabels = True will be in the output of the above command.

  • If the output of the above command is blank, enable the feature by running:

    $Setting["EnableMIPLabels"] = "True"

  • Save and apply the changes:

    Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting

Step 3: After the setting is enabled, sensitivity labels created in Microsoft Purview should be synchronized to Azure AD.

Run the cmdlet below in Security & Compliance PowerShell. It can take up to 24 hours after synchronization for the label to be available to Azure AD.

    Execute-AzureAdLabelSync

This is an Azure AD feature and requires Global administrator access.

Once the above 3 steps are successfully completed, sensitivity labels are enabled for containers. The ‘Groups & sites’ scope for sensitivity labels will be enabled.
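Steps 2 and 3 as one re-runnable script, added here as an example (it is not code from the original post). It covers the blank-output case by creating the Group.Unified setting from its template, since indexing into an empty $Setting fails. It assumes the AzureADPreview and ExchangeOnlineManagement modules are installed and that you sign in as a Global administrator.

```powershell
# Added example. Assumes AzureADPreview and ExchangeOnlineManagement are installed.
Import-Module AzureADPreview
Connect-AzureAD

# Look for an existing Group.Unified directory setting object.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $setting) {
    # Blank output: no settings object exists yet, so build one from the template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting = $template.CreateDirectorySetting()
    $setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
}
elseif ($setting['EnableMIPLabels'] -ne 'True') {
    # Object exists but the feature is off: update it in place.
    $setting['EnableMIPLabels'] = 'True'
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}
else {
    Write-Output 'EnableMIPLabels is already True; no change made.'
}

# Read the value back so a silent failure does not go unnoticed.
$check = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if ($check['EnableMIPLabels'] -ne 'True') {
    throw 'EnableMIPLabels is not True after the update.'
}

# Step 3: synchronize the published labels to Azure AD.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession
Execute-AzureAdLabelSync
```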

Note: Creating a separate set of labels for 'Groups & sites' and 'Files & emails' will be helpful for users and admins, but it can get complex as you add more labels and if the names overlap. Label ordering comes into play when a labeled document is uploaded to a labeled site. It can get complex real soon if not planned ahead. It is better to have all labels sorted and policies drafted before publishing them.
The settings discussed above will be available once ‘Groups & sites’ is selected as the scope. Once the settings are selected and the label is created and published, it takes about 1 hour for the newly published sensitivity label to be available. Once it is available, containers can be tagged with it.

The sensitivity label option will be available during creation of eligible containers (SharePoint site, Team & Microsoft 365 group). Once classified, protection settings defined in the policy will be enforced.
