Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups

This post is about protecting information in your Teams, SharePoint, and Microsoft 365 group data by using Microsoft Information Protection (MIP) sensitivity labels. In July 2020 sensitivity labels were announced GA by Microsoft. It provides an answer on How to protect information in Teams, SharePoint Online and Microsoft 365 groups. In this post I walk through the configuration.

Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Sensitivity labels in Teams, SharePoint sites and Microsoft 365 groups

What are sensitivity labels?

Sensitivity labels are some kind of persistent data or information labels to protect sensitiv and business-critical information. The following security measures are available with sensitivity labels, in general:

  • Enforce encryption or watermarks
  • Cross platform/device content protection
  • Third-party app and service content protection to detect, classify, label and protect content with Microsoft Cloud App Security, e.g. SalesForce, Box, DropBox
  • Third-party app and service extensibility by using Microsoft Information Protection SDK
  • Classify content (without protection)

Policy scoping or association options

For Microsoft Teams, 365 Groups and SharePoint Online you can decide or configure options/actions/exclusions based on

  • privacy
  • external user membership
  • unmanaged device access

For instance, any Team, SharePoint Online Site, or M365 group created with a certain label can be forced to be a private one. In consequence, the owner is not allowed and cannot add external users plus users utilizing unmanaged devices can only access the contents via web access.

Requirements

Licensing

I’m not going into details regarding licensing requirements, therefore you can find a link at the bottom of this post. Please note, that there is a difference in license requirements depending on manual vs. automatic labeling. For the latter you need Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2.

Continue your Microsoft 365 learning with the full day deep dive tutorial The Microsoft 365 Ecosystem: What You Should Know with Tracy van der Schyff at ESPC21 Online. Read more here.

Permissions/roles

To manage/create sensitivity label you must be assigned one of the following roles:

  • Global Administrator
  • Compliance Data Administrator
  • Compliance Administrator
  • Security Administrator

Enable sensitivity labels on Azure AD

To use sensitivity labels, you need to enable it first in Azure AD by using PowerShell, for example:

#https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels
Import-Module AzureADPreview
Connect-AzureAD
 
#Check if settings object exists or needs to be created first (that's missing in Microsoft Docs)
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
      $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 
#Enable Microsoft Information Protection (MIP) labels
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
 
Disconnect-AzureAD

How to create and publish labels?

In this section I walk through and show some settings based on screenshots, this is not yet for Microsoft Teams, SharePoint Online and Microsoft 365 Groups. A bit more down in this post you find a section showing the part and options for sensitivity labels in Teams. Nevertheless, the process, is similar for Teams, SharePoint, and groups.

To create labels you need to start in the Microsoft 365 security center.

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 1

Example – create a label

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 2
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 3
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 4

Be cautious about encryption settings because this can have make a big impact.

Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 5
Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 6

Finish this and repeat the above steps as often as required to have as much labels as required.

Example – Publish labels and create a label policy

Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 7
Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 8
Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 9
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 10
Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 11
Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 12

Depending on the labels you’ve created and your security requirements regarding information protections and groups you can also repeat the above steps for different sensitivity label policies in case you need to differentiate between certain user groups and therefore different information/sensitivity labels and respective label policy assignments.

Example – Create sensitivity label for Teams, SharePoint Online Site and M365 group

For Microsoft Teams etc. the process is similar but as you can see in the following screenshots, you can edit already created labels to add the capabilities for Teams if there were labels already in place.

Edit existing labels
Check Group & Sites
Decide for each label how you want to protect groups and sites
Decide on the privacy configuration and external access
Decide on the device access for unmanaged devices
Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
Now you’ve got some labels

Here you must not forget to also configure SharePoint Online for this to cope with unmanaged device access to make it work.

Also, if you haven’t yet published labels, you’ll have to publish the newly created labels.

Please note, that it can take several hours for this to appear, I’d recommend waiting approx. up 24 hours.

Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
If you create a new [Teams] Team it should look like this with the sensitivity label option
Sensitivity Labels in Teams, SharePoint Sites and Microsoft 365 Groups
In Azure AD groups you can also see and select a label for existing groups

Usage

The sensitivity label for Teams, SharePoint Online Sites and Microsoft 365 groups can than be applied/selected in the creation process in case you assigned the sensitivity label policy to the users which should be able to apply it.

Conclusion, opinion and summary

Sensitive labels are another good concept and means for your holistic security architecture concept to protection your organization’s information. It’s a central aspect for your Microsoft 365 service and information protection. However, the entry barrier is high because of the license requirements to use this advanced security capabilities.

Additional resources

About the Author:

I’m solution architect @abtis focusing on delivering communication and collaboration services. My goal is to enable companies and their users for a modern and digital workplace. To do so I focus on Microsoft Teams and (still) Skype for Business (Server) depending on the requirements. I’ve been working in several areas and topics in IT for more than 12 years by now.

Reference:

Kleefeldt. E. (2020). Sensitivity labels in Teams, SharePoint sites and Microsoft 365 groups. Available at: https://erik365.blog/2020/10/17/sensitivity-labels-in-teams-sharepoint-sites-and-microsoft-365-groups/ [Accessed: 24th November 2020]

Check out more great Microsoft Teams Content here or join our mailing list to stay up to date.

Share this on...

Rate this Post:

Share: