Sensitivity labels can be applied to individual documents and emails to classify content in general. In addition to that, now you can apply sensitivity labels at container level – SharePoint site, Microsoft Teams and Microsoft 365 groups.
The following settings can be controlled by creating a sensitivity label scoped to a site or group.
- Privacy: A Team or a Microsoft 365 group can be defaulted to Private when labelled as ‘Confidential’, so a baseline privacy setting is enforced by the label rather than left to the owner.
- External user access: Control whether a group owner can add Guests.
- External sharing from SharePoint sites: Guest access can be turned ON/OFF per sensitivity label. For example, guests can be blocked on a site marked as Confidential and allowed on a site classified as Public.
- Access from unmanaged devices: This option only takes effect if you have Azure AD Conditional Access policies set up. You can block or allow access from unmanaged devices depending on the sensitivity label.
- Authentication contexts (in preview): This option also only takes effect if you have Azure AD Conditional Access policies set up. It lets you enforce MFA based on the sensitivity label.
- Default sharing link for a SharePoint site (PowerShell-only configuration): The default sharing link type (allow editing, only users with existing permission can access, etc.) can be controlled by the sensitivity label assigned to the site. Because these defaults are pre-selected when users click the Share button in their Office apps, they help prevent over-sharing.
- Site sharing settings (PowerShell-only configuration, in preview): Another advanced setting you can configure through PowerShell for a sensitivity label applied to a SharePoint site is MembersCanShare. It is the equivalent of the setting in SharePoint admin center > Site permissions > Site Sharing > Change how members can share > Sharing permissions.
Available options are MemberShareAll, MemberShareFileAndFolder and MemberShareNone.
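The two PowerShell-only settings above are set as advanced settings on the label. The script below is an added example, not from the original post; it assumes a ‘Groups & sites’ label named "Confidential" already exists in your tenant (a hypothetical name) and that the ExchangeOnlineManagement module is installed so Connect-IPPSSession can reach Security & Compliance PowerShell. The advanced-setting names and values are the documented ones for Set-Label.

```powershell
# Added example, not the original post's code.
# Assumes: ExchangeOnlineManagement module installed; a label named "Confidential"
# (hypothetical name) with the 'Groups & sites' scope already exists.
Connect-IPPSSession

# Lock down the Confidential label: no "Anyone" links by default, read-only links,
# and site members cannot share anything (owners still can).
Set-Label -Identity "Confidential" -AdvancedSettings @{
    DefaultSharingScope        = "SpecificPeople"   # default link audience: named people, not Anyone/Organization
    DefaultShareLinkPermission = "View"             # default link grants view, not edit
    MembersCanShare            = "MemberShareNone"  # equivalent of Site Sharing > members cannot share
}

# Read the settings back to confirm the change took effect
(Get-Label -Identity "Confidential").Settings
```

A less restrictive label (for example one applied to public sites) would use DefaultSharingScope "Organization" and MembersCanShare "MemberShareAll"; keeping the restrictive values on the Confidential label and relaxing them per label follows the tenant-wide-restrictive, relax-by-label approach described in this post.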
In my opinion it works best when Tenant level defaults are set to be most restrictive and relax them based on selected sensitivity.
Note: A sensitivity label applied to a SharePoint site or Team only affects the classification and configuration settings of that site/Team. Content in the site/Team does NOT inherit the label, neither its classification nor its settings for files and emails. Users should label their content in the SharePoint site or Team separately.
Enable sensitivity labels for Containers (SharePoint sites, Microsoft Teams & Microsoft 365 groups)
Step 2: Enable sensitivity label support in PowerShell. EnableMIPLabels is set to True from the Azure AD PowerShell module.
License: There must be at least one Azure AD Premium P1 active license in Azure AD org.
- Open Windows PowerShell with elevated privileges.
- Install the AzureADPreview module and connect to Azure AD.
- Run the following commands to retrieve the group settings:
$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
$Setting = $grpUnifiedSetting
If the result is blank, a new setting must be created. If the feature is already enabled, EnableMIPLabels = True will appear in the output of the above command.
- If the output of the above command is blank, enable the feature by running:
$Setting["EnableMIPLabels"] = "True"
- Save and apply the change:
Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
Step 3: After the setting is enabled, sensitivity labels created in Microsoft Purview must be synchronized to Azure AD.
Run the cmdlet below in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the labels to be available in Azure AD.
This is an Azure AD feature and requires Global administrator access.
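Steps 2 and 3 as one script, added here as an example rather than taken from the original post. It assumes the AzureADPreview and ExchangeOnlineManagement modules are installed and that the account used is a Global administrator. It also handles the case the post mentions but does not show, where no Group.Unified setting exists yet and one has to be created from the directory setting template; the cmdlet used for the label sync, Execute-AzureAdLabelSync, is the Security & Compliance PowerShell cmdlet for this purpose and is an addition of this example, not shown in the post.

```powershell
# Added example, not the original post's code.
# Assumes: AzureADPreview + ExchangeOnlineManagement modules installed,
# and the signed-in account is a Global administrator.

# --- Step 2: make sure EnableMIPLabels is True on the Group.Unified setting ---
Connect-AzureAD

$grpUnifiedSetting = Get-AzureADDirectorySetting |
    Where-Object -Property DisplayName -Value "Group.Unified" -EQ

if ($null -eq $grpUnifiedSetting) {
    # No Group.Unified setting exists yet (the "blank" case): create one from the template
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    $Setting = $template.CreateDirectorySetting()
    $Setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $Setting
}
else {
    $Setting = $grpUnifiedSetting
    # Only write back when the flag is not already True, so other values are left untouched
    if ($Setting["EnableMIPLabels"] -ne "True") {
        $Setting["EnableMIPLabels"] = "True"
        Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
    }
}

# Verify: should show Name EnableMIPLabels with Value True
(Get-AzureADDirectorySetting |
    Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Values |
    Where-Object { $_.Name -eq "EnableMIPLabels" }

# --- Step 3: push the Purview labels to Azure AD ---
Connect-IPPSSession
Execute-AzureAdLabelSync
```

After the sync, allow up to 24 hours before expecting the labels to show up against groups and sites in Azure AD.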
Once the above three steps are completed, sensitivity labels are enabled for containers and the ‘Groups & sites’ scope becomes available when creating a sensitivity label.
Note: Creating a separate set of labels for 'Groups & sites' and 'Files & emails' helps both users and admins, but it gets complex as you add more labels, especially if names overlap. Label ordering also comes into play when a labelled document is uploaded to a labelled site. It can get complicated quickly if not planned ahead, so it is better to have all labels sorted and the policies drafted before publishing them.
The settings discussed above become available once ‘Groups & sites’ is selected as the scope. After the settings are chosen and the label is created and published, it takes about 1 hour for the newly published sensitivity label to become available. Once it is available, containers can be tagged with it.
The sensitivity label option is shown during creation of eligible containers (SharePoint site, Team and Microsoft 365 group). Once a container is classified, the protection settings defined in the label policy are enforced.