This post is about protecting information in your Teams, SharePoint, and Microsoft 365 group data by using Microsoft Information Protection (MIP) sensitivity labels. In July 2020 sensitivity labels were announced GA by Microsoft. It provides an answer on How to protect information in Teams, SharePoint Online and Microsoft 365 groups. In this post I walk through the configuration.
What are sensitivity labels?
Sensitivity labels are some kind of persistent data or information labels to protect sensitiv and business-critical information. The following security measures are available with sensitivity labels, in general:
- Enforce encryption or watermarks
- Cross platform/device content protection
- Third-party app and service content protection to detect, classify, label and protect content with Microsoft Cloud App Security, e.g. SalesForce, Box, DropBox
- Third-party app and service extensibility by using Microsoft Information Protection SDK
- Classify content (without protection)
Policy scoping or association options
For Microsoft Teams, 365 Groups and SharePoint Online you can decide or configure options/actions/exclusions based on
- privacy
- external user membership
- unmanaged device access
For instance, any Team, SharePoint Online Site, or M365 group created with a certain label can be forced to be a private one. In consequence, the owner is not allowed and cannot add external users plus users utilizing unmanaged devices can only access the contents via web access.
Requirements
Licensing
I’m not going into details regarding licensing requirements, therefore you can find a link at the bottom of this post. Please note, that there is a difference in license requirements depending on manual vs. automatic labeling. For the latter you need Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2.
Continue your Microsoft 365 learning with the full day deep dive tutorial The Microsoft 365 Ecosystem: What You Should Know with Tracy van der Schyff at ESPC21 Online. Read more here.
Permissions/roles
To manage/create sensitivity label you must be assigned one of the following roles:
- Global Administrator
- Compliance Data Administrator
- Compliance Administrator
- Security Administrator
Enable sensitivity labels on Azure AD
To use sensitivity labels, you need to enable it first in Azure AD by using PowerShell, for example:
#https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels
Import-Module AzureADPreview
Connect-AzureAD
#Check if settings object exists or needs to be created first (that's missing in Microsoft Docs)
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
$settingsCopy = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $settingsCopy
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
#Enable Microsoft Information Protection (MIP) labels
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
Disconnect-AzureAD
How to create and publish labels?
In this section I walk through and show some settings based on screenshots, this is not yet for Microsoft Teams, SharePoint Online and Microsoft 365 Groups. A bit more down in this post you find a section showing the part and options for sensitivity labels in Teams. Nevertheless, the process, is similar for Teams, SharePoint, and groups.
To create labels you need to start in the Microsoft 365 security center.
Example – create a label
Be cautious about encryption settings because this can have make a big impact.
Finish this and repeat the above steps as often as required to have as much labels as required.
Example – Publish labels and create a label policy
Depending on the labels you’ve created and your security requirements regarding information protections and groups you can also repeat the above steps for different sensitivity label policies in case you need to differentiate between certain user groups and therefore different information/sensitivity labels and respective label policy assignments.
Example – Create sensitivity label for Teams, SharePoint Online Site and M365 group
Here you must not forget to also configure SharePoint Online for this to cope with unmanaged device access to make it work.
Also, if you haven’t yet published labels, you’ll have to publish the newly created labels.
Please note, that it can take several hours for this to appear, I’d recommend waiting approx. up 24 hours.
Usage
The sensitivity label for Teams, SharePoint Online Sites and Microsoft 365 groups can than be applied/selected in the creation process in case you assigned the sensitivity label policy to the users which should be able to apply it.
Conclusion, opinion and summary
Sensitive labels are another good concept and means for your holistic security architecture concept to protection your organization’s information. It’s a central aspect for your Microsoft 365 service and information protection. However, the entry barrier is high because of the license requirements to use this advanced security capabilities.
Additional resources
- General Availability: Microsoft Information Protection sensitivity labels in Teams/SharePoint sites
- New capabilities for Teams Management | July 2020
- Learn about sensitivity labels
- Microsoft Information Protection [Licensing requirements]
- Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory
About the Author:
I’m solution architect @abtis focusing on delivering communication and collaboration services. My goal is to enable companies and their users for a modern and digital workplace. To do so I focus on Microsoft Teams and (still) Skype for Business (Server) depending on the requirements. I’ve been working in several areas and topics in IT for more than 12 years by now.
Reference:
Kleefeldt. E. (2020). Sensitivity labels in Teams, SharePoint sites and Microsoft 365 groups. Available at: https://erik365.blog/2020/10/17/sensitivity-labels-in-teams-sharepoint-sites-and-microsoft-365-groups/ [Accessed: 24th November 2020]
Check out more great Microsoft Teams Content here or join our mailing list to stay up to date.
