Safeguarding Collaboration Through Sensitivity Labels Across Microsoft Teams, Microsoft 365 Groups, and SharePoint Sites
Wishv Prajapati

January 17, 2024

Beyond safeguarding documents and emails, sensitivity labels offer protection for content within various containers like Microsoft Teams sites, Microsoft 365 groups (previously Office 365 groups), and SharePoint sites. These labels can be applied to manage settings such as:

  • Privacy (public or private) of team sites and Microsoft 365 groups
  • External user access, external sharing from SharePoint sites
  • Access from unmanaged devices
  • Authentication contexts
  • Default sharing links for SharePoint sites (configuration via PowerShell only)
  • Site sharing settings (configuration via PowerShell only)
  • Default labels for channel meetings

Safeguarding Collaboration: Implementing Sensitivity Labels Across Microsoft Teams, Microsoft 365 Groups, and SharePoint Sites

Once sensitivity labels for containers are set up, users can view and apply them to Microsoft Teams sites, Microsoft 365 groups, and SharePoint sites, for instance when creating a new team site in SharePoint.

Once a sensitivity label has been assigned to a site, changing that label in SharePoint or Teams requires specific roles:

  • For a group-connected site: Microsoft 365 group Owners
  • For a non-group-connected site: SharePoint site admin

Learn the process of activating sensitivity labels for containers and ensuring label synchronization.

If you haven’t yet enabled sensitivity labels for containers, do the following set of steps as a one-time procedure:

Run this PowerShell snippet with Global Administrator privileges.

 
Import-Module AzureADPreview
Connect-AzureAD

# Look for an existing directory setting based on the Group.Unified template
$Existing = Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ

if ($Existing) {
    # For existing settings: turn on EnableMIPLabels and save the change
    $Setting = Get-AzureADDirectorySetting -Id $Existing.Id
    $Setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}
else {
    # No directory settings yet: create them from the Group.Unified template
    $TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
    $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
    $Setting = $Template.CreateDirectorySetting()

    # Use the URL of your tenant
    $Setting["UsageGuidelinesUrl"] = "https://Tenant.sharepoint.com/_layouts/15/sharepoint.aspx"
    $Setting["EnableMIPLabels"] = "True"

    # New-AzureADDirectorySetting returns the stored setting, including its Id
    $Setting = New-AzureADDirectorySetting -DirectorySetting $Setting
}

# Read the stored values back; EnableMIPLabels should show True
(Get-AzureADDirectorySetting -Id $Setting.Id).Values

Once you run this script in Windows PowerShell (run ISE as an Administrator), a pop-up prompts you for the credentials of the Global Administrator account. After signing in, check the output for the setting Name: EnableMIPLabels with Value: True.

Optimizing Group and Site Settings: A Configuration Guide

Once sensitivity labels are activated for containers as detailed earlier, you can now establish protection settings for groups and sites within the sensitivity labeling setup. Access Microsoft Purview > Information Protection > Labels > Create Label. You’ll notice that the option for “Group & sites” in the label scope is now enabled.


Next, within the “Define protection settings for groups and sites” page, choose either or both provided options:

  • “Privacy and external user access settings”: configures the Privacy and External user access settings.
  • “External sharing and Conditional Access settings”: configures the “Control external sharing from labeled SharePoint sites” and “Use Microsoft Endpoint Conditional Access to protect labeled SharePoint sites” settings.


For “Privacy and external user access settings”:

  • Public: Allows anyone in your organization to access the labeled site or group.
  • Private: Limits access to approved members only within your organization.
  • None: Protects content with the sensitivity label while enabling users to adjust privacy settings themselves.

The setting you choose replaces any previous privacy setting and locks it. To change it, you must first remove the sensitivity label. Once the label is removed, the privacy setting it applied remains in place, and users can change it again.

  • External user access: Manages the group owner’s ability to add guests to the group.


If you’ve chosen External Sharing, proceed to adjust these options:

  • “Control external sharing from labeled SharePoint sites”: Choose from external sharing options like anyone, new and existing guests, existing guests, or only internal users.

If your sensitivity label hasn’t been published yet, add it to a sensitivity label policy. Users assigned to a policy that includes this label can then choose it for sites and groups.

 

Select this option / If you want to:

  • Anyone: Allow site owners and others with full control permission to share the site with people who authenticate. Allow site users to decide when sharing files and folders to require authentication or allow unauthenticated people to access the item. Anyone links to files and folders can be freely forwarded.
  • New and existing guests: Allow site owners and others with full control permission to share the site with people outside the organization. These people will need to sign in and will be added to the directory. Allow site users to share files and folders with people who aren’t in the organization’s directory.
  • Existing guests: Allow sharing with only people already in your directory. These users may exist in your directory because they previously accepted sharing invitations or because they were manually added. (These users have #EXT# in their user principal name.)
  • Only people in your organization: Prevent all site users from sharing any site content externally.
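
The four external sharing options above correspond to SharePoint's SharingCapability values, which makes it possible to check a site inventory against what each label is meant to allow. The following is an added example, not code from the original article: the function name Find-SiteSharingGap, the label GUIDs, the label-to-sharing map and the contoso URLs are all constructed, and the SensitivityLabel property is assumed to hold the label GUID as text.

```powershell
# Added example, not from the original article. GUIDs, label map and URLs are constructed.
# SharePoint SharingCapability values ranked from most restrictive to most permissive,
# each annotated with the label option it corresponds to.
$SharingRank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

function Find-SiteSharingGap {
    param(
        [Parameter(Mandatory)] [object[]]  $Sites,           # need Url, SensitivityLabel, SharingCapability
        [Parameter(Mandatory)] [hashtable] $LabelMaxSharing  # label GUID -> most permissive value intended
    )
    foreach ($site in $Sites) {
        $actual  = [string]$site.SharingCapability
        $label   = [string]$site.SensitivityLabel
        $finding = $null
        if (-not $SharingRank.ContainsKey($actual)) {
            $finding = 'UnknownSharingValue'
        } elseif ([string]::IsNullOrWhiteSpace($label)) {
            # No container label: report only sites that share outside the organization.
            if ($SharingRank[$actual] -gt 0) { $finding = 'UnlabeledExternalSharing' }
        } elseif (-not $LabelMaxSharing.ContainsKey($label)) {
            $finding = 'LabelNotInMap'
        } elseif ($SharingRank[$actual] -gt $SharingRank[$LabelMaxSharing[$label]]) {
            $finding = 'MorePermissiveThanLabel'
        }
        if ($finding) {
            [pscustomobject]@{ Url = $site.Url; Label = $label; Sharing = $actual; Finding = $finding }
        }
    }
}

# Constructed label map: what each (hypothetical) label is configured to allow at most.
$labelMap = @{
    '11111111-1111-1111-1111-111111111111' = 'Disabled'
    '22222222-2222-2222-2222-222222222222' = 'ExternalUserSharingOnly'
}
# Constructed inventory. In a tenant, the same shape could come from (assumed property names):
#   Get-SPOSite -Limit All | Select-Object Url, SensitivityLabel, SharingCapability
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'; SensitivityLabel = '11111111-1111-1111-1111-111111111111'; SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SensitivityLabel = '22222222-2222-2222-2222-222222222222'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/events'; SensitivityLabel = ''; SharingCapability = 'ExternalUserAndGuestSharing' }
)
Find-SiteSharingGap -Sites $sites -LabelMaxSharing $labelMap | Format-Table -AutoSize
```

With the constructed data, the finance site is reported as more permissive than its label and the unlabeled events site as sharing externally; the partners site matches its label and is not listed.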
