Sensitivity labels in Microsoft Teams, Microsoft 365 groups, and SharePoint sites

Note: When you follow instructions provided by Microsoft, beware that “Connect-AzureAD” works only in Windows .net framework – i.e. PowerShell 5.1.
if you try to run it in PowerShell 7 – you can get “Connect-AzureAD: One or more errors occurred. (Could not load type ‘System.Security.Cryptography.SHA256Cng’ from assembly ‘System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’.)” Error.
(check Connect-AzureAD Could not load type ‘System.Security.Cryptography.SHA256Cng’ from assembly)

Configuring Sensitivity Labels

Sensitivity labels are configured under Microsoft Purview (Compliance Center), Solutions, Information Protection. You’d need a global admin or “Compliance Administrator” or “Azure Information Protection Administrator” (?) role:

Since we are talking sensitivity labels for SharePoint Sites (not documents), we define label scope as “Groups and Sites”: “Configure privacy, access control, and other settings to protect labeled Teams, Microsoft 365 Groups, and SharePoint sites.”

Then we define which protection settings for groups and sites we should configure on the next steps:
– Privacy and external user access settings – Control the level of access that internal and external users will have to labeled teams and Microsoft 365 Groups.
– External sharing and conditional access settings – Control external sharing and configure Conditional Access settings to protect labeled SharePoint sites.

If we selected previously “Privacy and external user access settings” – now we need to select group/team privacy (These options apply to all Microsoft 365 Groups and teams, but not standalone sites). When applied, these settings will replace any existing privacy settings for the team or group. If the label is removed, users can change privacy settings again. You can also allow external user access – if group owner will be able to add guests:

Next step – define external sharing and conditional access settings. Specifically, if the content of the SharePoint site can be shared with Anyone (anonymously) or with authenticated users (new or existing) or no external sharing is allowed:

And you can either control the level of access users have from unmanaged devices or select an existing authentication context to enforce restrictions:

Configuring sensitivity labels policies

Sensitivity label policy is basically which label should be available to apply for what users and some other settings like
– do users need to provide justification before removing a label or replacing it with one that has a lower-order number or
– will users be required to apply labels and optionall the default label

View existing sensitivity labels

“Global reader” role allows view existing sensitivity labels configuration:

Wording would be a little different, but all aspects of the label configuration will be mentioned. E.g. when editing GUI says label scope is “Groups & sites”, read-only label summary defines Scope as “Site, UnifiedGroup”.

Gotchas

Site sensitivity label is applied to site collection only and cannot be applied to subsite (web object).

Applying sensitivity labels programmatically

To apply a label to a m365 group or Teams site with a group behind: MS Graph API support only Delegated permissions.

Set-PnPSiteSensitivityLabel” works in the current site context.
Description says “If the site does not have a Microsoft 365 Group behind it, it will set the label on the SharePoint Online site and will not require Microsoft Graph permissions and will work with both delegate as well as app only logins.”
In fact (7/22/2022) app permissions are not working. This cmdlet can assign label to a standalone or a group-based site only with delegated permissions.

Set-PnPTenantSite” allows you to remove or apply site sensitivity label to both standalone and group-based sites with app permissions. Furthermore, group and team settings respect this. I.e. if you apply label to a group-based site – group will pick this up.

Channel sites should inherit sensitivity label from root site.
I’m not sure if it’s a bug but
– when you create a team and select sensitivity label as part of team creation process – all the channel sites you create after (Private or Shared) will inherit sensitivity label immediately
– when you apply sensitivity label to an existing team – with existing channel sites – in this case Private channel sites inherit team sensitivity label immediately, but with Shared channel sites it’s strange: GUI shows sensitivity label assigned, but site object model does not.

References

Leave a Reply

Your email address will not be published. Required fields are marked *