Blog Post

Healthcare and Life Sciences Blog
4 MIN READ

Microsoft Purview in the Real World (April 21, 2023) - Sensitivity Labels and SharePoint Sites

James_Havens's avatar
James_Havens
Icon for Microsoft rankMicrosoft
Apr 22, 2023

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

 

All the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

Microsoft customers who want to better understand Microsoft Purview.

 

 

Document Scope

The purpose of this document (and series) is to provide insights into various user cases, announcements, customer driven questions, etc.

 

Topics for this blog entry

Here are the topics covered in this issue of the blog:

  • Sensitivity Labels relating to SharePoint Lists
  • Sensitivity Label Encryption versus other types of Microsoft tenant encryption
  • How Sensitivity Labels conflicts are resolved
  • How to apply Sensitivity Labels to existing SharePoint Sites
  • Where can I find information on how Sensitivity Labels are applied to data within a SharePoint site (i.e. File label inheritance from the Site label)

 

Out-of-Scope

This blog series and entry is only meant to provide information, but for your specific use cases or needs, it is recommended that you contact your Microsoft Account Team to find other possible solutions to your needs.

 

Sensitivity labels and SharePoint Sites – Assorted topics

 

Encryption Sensitivity Label Encryption versus other types of Microsoft tenant encryption

 

 

Question #1

How does the encryption of Sensitivity Labels compare to encryption in leveraged in BitLocker?

 

Answer #1

The following table breaks this down in detail and is taken from the following Microsoft Link.

Encryption in Microsoft 365 - Microsoft Purview (compliance) | Microsoft Learn

 

 

Sensitivity Labels relating to SharePoint Lists

 

 

Question #2

Can you apply Sensitivity Labels to SharePoint Lists?

 

Answer #2

The simple answer is NO while in the list, but YES once the list is exported to a file format.

 

Data in the SharePoint List is stored within a SQL table in SharePoint.  At the time of the writing of this blog, you cannot apply a Sensitivity Label to a SharePoint Online tables, including SharePoint Lists.

 

SharePoint Lists allow for exports of the data in the list to a file format.  An automatic sensitivity label policy can apply a label to those file formats. Here is an (example below of those export options.

 

 

 

How to apply Sensitivity Labels to existing SharePoint Sites

 

Question #3

Can you apply Sensitivity Labels to existing SHPT sites?  If so, is this, can this be automated (ex. PowerShell)

 

Answer #3

You can leverage PowerShell to apply SharePoint labels to multiple sites.  Here is the link that explains how to accomplish this.

Look for these two sections in the link below for details:

  • Use PowerShell to apply a sensitivity label to multiple sites
  • View and manage sensitivity labels in the SharePoint admin center

 

 

Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites - Microsoft Purview (compliance) | Microsoft Learn

 

How Sensitivity Labels conflicts are resolved

 

Question #4

If you have an existing file with an existing Sensitivity Label that is stricter than the Sensitivity Label being inherited from SharePoint Site label, which Sensitivity Label is applied to the file? 

 

Answer #4

Please refer to the link and table below for how Sensitivity Label conflicts are handled.  Notice that any Higher priority label or user applied label, would not be overridden by a site label or an automatic labeling policy.

 

Configure a default sensitivity label for a SharePoint document library - Microsoft Purview (compliance) | Microsoft Learn

 

 

File label inheritance from the Site label

 

Question #5

Where can you find the documentation on SharePoint Site labels and how label inheritance applies to files in that SharePoint site?

 

Answer #5

 

Here are 2 links that can help you with Sensitivity Labels and how they relate to SharePoint sites:

 

 

 

 

When it comes to default Sensitivity Labels for SharePoint sites/libraries (what I have called “label inheritance” above, this link is of use.

 

 

"When SharePoint is enabled for sensitivity labels, you can configure a default label for document libraries. Then, any new files uploaded to that library, or existing files edited in the library will have that label applied if they don't already have a sensitivity label, or they have a sensitivity label but with lower priority.

 

For example, you configure the Confidential label as the default sensitivity label for a document library. A user who has General as their policy default label saves a new file in that library. SharePoint will label this file as Confidential because of that label's higher priority."

 

 

Appendix and Links

 

 

 

 

 

 

 

 

 

 

 

Updated Apr 22, 2023
Version 1.0
No CommentsBe the first to comment