Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
Microsoft customers who want to better understand Microsoft Purview.
Document Scope
The purpose of this document (and series) is to provide insights into various user cases, announcements, customer driven questions, etc.
Topics for this blog entry
Here are the topics covered in this issue of the blog:
- Sensitivity Labels relating to SharePoint Lists
- Sensitivity Label Encryption versus other types of Microsoft tenant encryption
- How Sensitivity Labels conflicts are resolved
- How to apply Sensitivity Labels to existing SharePoint Sites
- Where can I find information on how Sensitivity Labels are applied to data within a SharePoint site (i.e. File label inheritance from the Site label)
Out-of-Scope
This blog series and entry is only meant to provide information, but for your specific use cases or needs, it is recommended that you contact your Microsoft Account Team to find other possible solutions to your needs.
Sensitivity labels and SharePoint Sites – Assorted topics
Encryption Sensitivity Label Encryption versus other types of Microsoft tenant encryption
Question #1
How does the encryption of Sensitivity Labels compare to encryption in leveraged in BitLocker?
Answer #1
The following table breaks this down in detail and is taken from the following Microsoft Link.
Encryption in Microsoft 365 - Microsoft Purview (compliance) | Microsoft Learn
Sensitivity Labels relating to SharePoint Lists
Question #2
Can you apply Sensitivity Labels to SharePoint Lists?
Answer #2
The simple answer is NO while in the list, but YES once the list is exported to a file format.
Data in the SharePoint List is stored within a SQL table in SharePoint. At the time of the writing of this blog, you cannot apply a Sensitivity Label to a SharePoint Online tables, including SharePoint Lists.
SharePoint Lists allow for exports of the data in the list to a file format. An automatic sensitivity label policy can apply a label to those file formats. Here is an (example below of those export options.
How to apply Sensitivity Labels to existing SharePoint Sites
Question #3
Can you apply Sensitivity Labels to existing SHPT sites? If so, is this, can this be automated (ex. PowerShell)
Answer #3
You can leverage PowerShell to apply SharePoint labels to multiple sites. Here is the link that explains how to accomplish this.
Look for these two sections in the link below for details:
- Use PowerShell to apply a sensitivity label to multiple sites
- View and manage sensitivity labels in the SharePoint admin center
How Sensitivity Labels conflicts are resolved
Question #4
If you have an existing file with an existing Sensitivity Label that is stricter than the Sensitivity Label being inherited from SharePoint Site label, which Sensitivity Label is applied to the file?
Answer #4
Please refer to the link and table below for how Sensitivity Label conflicts are handled. Notice that any Higher priority label or user applied label, would not be overridden by a site label or an automatic labeling policy.
File label inheritance from the Site label
Question #5
Where can you find the documentation on SharePoint Site labels and how label inheritance applies to files in that SharePoint site?
Answer #5
Here are 2 links that can help you with Sensitivity Labels and how they relate to SharePoint sites:
When it comes to default Sensitivity Labels for SharePoint sites/libraries (what I have called “label inheritance” above, this link is of use.
"When SharePoint is enabled for sensitivity labels, you can configure a default label for document libraries. Then, any new files uploaded to that library, or existing files edited in the library will have that label applied if they don't already have a sensitivity label, or they have a sensitivity label but with lower priority.
For example, you configure the Confidential label as the default sensitivity label for a document library. A user who has General as their policy default label saves a new file in that library. SharePoint will label this file as Confidential because of that label's higher priority."
Appendix and Links