JSlei
Brass Contributor
Sep 14, 2021

Apply sensitivity labels using PowerShell

Is it possible to apply sensitivity labels to documents in SharePoint (not sites or groups) using PowerShell?

  • JSlei VasilMichev I reached out to a connection with over a decade as "AIP" MVP and got the response.

     

    "It is definitely possible to solve with a script, however, with the MIP SDK. But why bother, MCAS can put a label on all documents in an SP site. Then Microsoft is rebuilding SharePoint online right now to force all files that do not have a manually set label in an SP site based on its container label."

     

    The latter being the roadmap item I linked to above scheduled for release in December.

  • Niraj Tenany
    Copper Contributor
    We have applied labels in SharePoint using MIP SDK and it has worked very well for us. While auto-classification is good, there are situations where organizations are not able to create classification rules and maintain them. We call this approach Project Based Label approach or Location based label approach. User requests a SharePoint Site or Teams and at that time we programmatically create the labels and assign those labels to the site with appropriate permissions. When a document is uploaded to the site, we protect it using the label. This is an extensive topic and it took us a year to build out the complete capability but it works extremely well.
    • cillo838383
      Copper Contributor
      Hi Niraj!
      Could you elaborate on your approach? I'm looking to do the same thing. We automate the creation of our client sites. It would make sense to classify these sites and all the documents within them with a default sensitivity label when they're created.
      • WJN78
        Copper Contributor

        How would someone using PowerShell change a label on a document?  For example, a document was classified as Confidential.  A request has come in to have the document reclassified as Internal.   Is there a way for the Security Admin to change the classification of the document assuming we do not allow our base to change the classification themselves?

         

         

    • Jhong3030
      Copper Contributor

      Niraj Tenany Can you share your approach? We are trying to use the same approach, where we find files with sensitivity label X and replace it with sensitivity label Y.

      • WJN78
        Copper Contributor

        Jhong3030 

         

        Here is an example:

         

        # Define the folder path and label IDs
        $folderPath = "C:\temp\fileswithlabels"
        $currentLabelId = "<Current_Label_GUID>"  # Replace with the GUID of label X
        $newLabelId = "<New_Label_GUID>"          # Replace with the GUID of label Y

        # Iterate over each file in the folder
        Get-ChildItem -Path $folderPath -File | ForEach-Object {
            $file = $_.FullName

            # Check if the current file has the target label.
            # Get-AIPFileStatus reports the label in MainLabelId (and SubLabelId for a sublabel).
            $fileStatus = Get-AIPFileStatus -Path $file
            if ($fileStatus.MainLabelId -eq $currentLabelId -or $fileStatus.SubLabelId -eq $currentLabelId) {
                try {
                    # Apply the new label; -ErrorAction Stop makes a failure reach the catch block
                    Set-AIPFileLabel -Path $file -LabelId $newLabelId -ErrorAction Stop
                    Write-Host "Label changed for file: $file"
                } catch {
                    Write-Host "Failed to change label for file: $file ($($_.Exception.Message))"
                }
            }
        }

         

        Requirement: AIPService Module for PowerShell.
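An extension of the relabeling loop in the answer above, added here as an example and not part of the original thread: it reports what would change by default, passes a justification message (label policies can require one when a classification is lowered, as in the Confidential-to-Internal request asked about earlier), and emits one audit record per file. The function name, GUIDs and paths are placeholders, and it assumes the cmdlets shipped with the AzureInformationProtection module (the AIP unified labeling client).

```powershell
# Added example, not the poster's code. Invoke-LabelSwap is a hypothetical helper name.
function Invoke-LabelSwap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FolderPath,
        [Parameter(Mandatory)] [guid]   $CurrentLabelId,
        [Parameter(Mandatory)] [guid]   $NewLabelId,
        [string] $Justification = 'Reclassified on request by security admin',
        [switch] $Apply   # without -Apply nothing is modified, only reported
    )

    Get-ChildItem -Path $FolderPath -File -Recurse | ForEach-Object {
        $file   = $_.FullName
        $record = [ordered]@{
            Time = (Get-Date).ToString('o'); File = $file
            OldLabel = $null; Action = 'Skipped'; Detail = ''
        }
        try {
            $status = Get-AIPFileStatus -Path $file -ErrorAction Stop
            # A sublabel is reported in SubLabelId, its parent in MainLabelId
            $effective = if ($status.SubLabelId) { $status.SubLabelId } else { $status.MainLabelId }
            $record.OldLabel = "$effective"

            if ("$effective" -eq "$CurrentLabelId") {
                if ($Apply) {
                    $result = Set-AIPFileLabel -Path $file -LabelId $NewLabelId `
                        -JustificationMessage $Justification -PreserveFileDetails `
                        -ErrorAction Stop
                    # The cmdlet returns a per-file Status and Comment
                    $record.Action = "$($result.Status)"
                    $record.Detail = "$($result.Comment)"
                } else {
                    $record.Action = 'WouldChange'
                }
            }
        } catch {
            $record.Action = 'Error'
            $record.Detail = $_.Exception.Message
        }
        [pscustomobject]$record   # one audit row per file, changed or not
    }
}

# Dry run: review the CSV, then repeat with -Apply. GUIDs below are placeholders.
Invoke-LabelSwap -FolderPath 'C:\temp\fileswithlabels' `
    -CurrentLabelId '00000000-0000-0000-0000-000000000001' `
    -NewLabelId '00000000-0000-0000-0000-000000000002' |
    Export-Csv -Path 'C:\temp\label-swap-audit.csv' -NoTypeInformation
```

If label X applies protection, the account running the script needs rights to change it on each file; files where it lacks them show up as `Error` or a non-success status in the CSV rather than being silently skipped.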

         

    • JSlei
      Brass Contributor
      This is just for operations in the admin center. I need to be able to add the labels to the documents programmatically.
      • You can now use Security & Compliance Center PowerShell to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.
  • JSlei VasilMichev ChristianJBergstrom 

     

    Hi All,

    Just bringing a slightly similar scenario to this thread - and wondering if anyone can confirm if it's possible? We have a Client with millions of Docs in SharePoint 2013 OnPrem today where they have been very rigorous in using TermSet from the TermStore to tag all sensitive docs/files with the appropriate MetaData and this has been in use for some 6 - 7 years.

     

    We are now assisting with the SharePoint Migration and the question becomes - what is the *best* (least painful/best chance of success) method of ensuring that all the contents get from SharePoint 2013 OnPrem to SharePoint Online:

    • It appears that SITs and AutoLabelling cannot identify TermSet?
    • This being the case - should we be looking at applying SLs before the move?
      • This seems the lower risk?
    • Should we focus on MIP SDK or simply script this via PowerShell to identify each file and add the appropriate SL?

    Create and manage terms in a term set - SharePoint in Microsoft 365 | Microsoft Docs

    One of the key things we are trying to achieve is to do this "at scale" without having to open each file individually - if AutoLabelling is the way to go then fine, but from what we have reviewed so far this is NOT a case where we need to identify docs based on SITs - the intent is to simply identify docs/files based on TermSet attributes and then apply the matching SL.

     

    Any advice or suggestions welcome, we're still researching, but thought it might be worth checking if anyone else has come across this?

     

    • Michael Segner
      Brass Contributor

      David Caddick 

       

      The challenges with a manual approach are user error and scalability. Not to mention that once you have completed the project it will only be for a moment in time and if an employee creates a sensitive file 15 minutes after you've finished then it will be missed.

       

      The best way to do this may be this third-party tool (Data Validation & Classification Tools | AvePoint) which will automate this process with AI rules. Disclaimer: I am currently employed by AvePoint.

       

      Hope this helps.
