Forum Discussion
Apply sensitivity labels using PowerShell
Is it possible to apply sensitivity labels to documents in SharePoint (not sites or groups) using PowerShell?
- There is no cmdlet to apply labels to individual files, afaik. Set-AIPFileLabel only works on local files. Using the MIP SDK is probably the way to go, at least until Microsoft introduces a cmdlet/Graph API endpoints.
Funnily enough we do have a cmdlet to remove labels: https://office365itpros.com/2021/03/25/decrypt-sharepoint-online-documents-graph/
JSlei VasilMichev I reached out to a connection with over a decade as "AIP" MVP and got the response.
"It is definitely possible to solve with a script, however, with the MIP SDK. But why bother, MCAS can put a label on all documents in an SP site. Then Microsoft is rebuilding SharePoint online right now to force all files that do not have a manually set label in an SP site based on its container label."
The latter being the roadmap item I linked to above scheduled for release in December.
JSlei About MCAS and Auto-labeling Microsoft Cloud App Security and Sensitivity Labels – Joanne C Klein
(a bit old but still relevant)
- JSleiBrass Contributorthank you for following up on this. I am aware of the auto-labeling policies but they can only label files based on content of the file. I was looking for a solution that allows me to label the files based on different requirements and I believe building a solution that calls the MIP SDK is the way to go.
- Niraj TenanyCopper ContributorWe have applied labels in sharepoint using MIP SDK and it has worked very well for us. While auto-classification is good, there are situations where organizations are not able to create classification rules and maintain them. We call this approach Project Based Label approach or Location based label approach. User requests a SharePoint SIte or teams and at that time we programatically create the labels and assign those labels to the site with appropriate permissions. When a document is uploaded to the site, we protect it using the label. This is an extensive topic and it took us a year to build out the complete capability but it works extremely well.
- cillo838383Copper ContributorHi Niraj!
Could you elaborate on your approach? I'm looking to do the same thing. We automate the creation of our client sites. It would make sense to classify these sites and all the documents within them with a default sensitivity label when they're created.- WJN78Copper Contributor
How would someone using PowerShell change a label on a document? For example, a document was classified as Confidential. A request has come in to have the document reclassified as Internal. Is there a way for the Security Admin to change the classification of the document assuming we do not allow our base to change the classification themselves?
- Jhong3030Copper Contributor
Niraj Tenany Can you share your approach? we are trying to use the same approach where find files with sensitivity label X and replace it with sensitivity label Y.
- WJN78Copper Contributor
Here is an example:
# Define the folder path and label IDs $folderPath = "C:\temp\fileswithlabels" $currentLabelId = "<Current_Label_GUID>" # Replace with the GUID of label X $newLabelId = "<New_Label_GUID>" # Replace with the GUID of label Y # Iterate over each file in the folder Get-ChildItem -Path $folderPath -File | ForEach-Object { $file = $_.FullName # Check if the current file has the target label $fileStatus = Get-AIPFileStatus -Path $file if ($fileStatus.LabelId -eq $currentLabelId) { try { # Apply the new label Set-AIPFileLabel -Path $file -LabelId $newLabelId Write-Host "Label changed for file: $file" } catch { Write-Host "Failed to change label for file: $file" } } }
Requirement: AIPService Module for Powershell.
- JSleiBrass Contributorthis is just for operations in the admin center, I need to be able to add the labels to the documents programmatically
- You can now use Security & Compliance Center PowerShell to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.
- David CaddickIron Contributor
JSlei VasilMichev ChristianJBergstrom
Hi All,
Just bringing a slightly similar scenario to this thread - and wondering if anyone can confirm if it's possible? We have a Client with millions of Docs in Sharepoint 2013 OnPrem today where they have been very rigorous in using TermSet from the TermStore to tag all sensitive docs/files with the appropriate MetaData and this has been in use for some 6 - 7 years.
We are now assisting with the Sharepoint Migration and the question becomes - what is the *best* (least painful/best chance of success) method of ensuring that all the contents get from - Sharepoint 2013 onPrem to Sharepoint Online:
- It appears that SIT's and AutoLabelling cannot identify TermSet?
- This being the case - should we be looking at applying SL's before the move?
- This seems the lower risk?
- Should we focus on MIP SDK or simply script this via PowerShell to Identify each file and add the appropriate SL?
Create and manage terms in a term set - SharePoint in Microsoft 365 | Microsoft Docs
One of the key things we are trying to achieve is do this "at scale" without having to open each file individually - if AutoLabelling is the way to go then fine, but from what we have reviewed so far this is NOT a case where we need to identify docs based on SIT's - the intent is to simply identify docs/files based on TermSet attributes and then apply the matching SL
Any advice or suggestions welcome, we're still researching, but thought it might be worth checking if anyone else has come across this?
- Michael SegnerBrass Contributor
The challenges with a manual approach are user error and scalability. Not to mention that once you have completed the project it will only be for a moment in time and if an employee creates a sensitive file 15 minutes after you've finished then it will be missed.
The best way to do this may be this third-party tool (Data Validation & Classification Tools | AvePoint) which will automate this process with AI rules. Disclaimer- I am currently employed by AvePoint.
Hope this helps.