Forum Discussion
Apply sensitivity labels using PowerShell
- Sep 16, 2021
There is no cmdlet to apply labels to individual files, afaik. Set-AIPFileLabel only works on local files. Using the MIP SDK is probably the way to go, at least until Microsoft introduces a cmdlet/Graph API endpoints.
Funnily enough we do have a cmdlet to remove labels: https://office365itpros.com/2021/03/25/decrypt-sharepoint-online-documents-graph/
- Jhong3030 (Copper Contributor), Nov 22, 2023
Niraj Tenany Can you share your approach? We are trying to use the same approach, where we find files with sensitivity label X and replace it with sensitivity label Y.
- WJN78 (Copper Contributor), Nov 22, 2023
Here is an example:
```powershell
# Define the folder path and label IDs
$folderPath = "C:\temp\fileswithlabels"
$currentLabelId = "<Current_Label_GUID>" # Replace with the GUID of label X
$newLabelId = "<New_Label_GUID>" # Replace with the GUID of label Y

# Iterate over each file in the folder
Get-ChildItem -Path $folderPath -File | ForEach-Object {
    $file = $_.FullName

    # Check if the current file has the target label.
    # Get-AIPFileStatus reports the label in MainLabelId (and SubLabelId for a sublabel).
    $fileStatus = Get-AIPFileStatus -Path $file
    if ($fileStatus.MainLabelId -eq $currentLabelId -or $fileStatus.SubLabelId -eq $currentLabelId) {
        try {
            # Apply the new label; -ErrorAction Stop lets the catch block see failures
            Set-AIPFileLabel -Path $file -LabelId $newLabelId -ErrorAction Stop
            Write-Host "Label changed for file: $file"
        }
        catch {
            Write-Host "Failed to change label for file: $file"
        }
    }
}
```
Requirement: AIPService Module for PowerShell.
- cillo838383 (Copper Contributor), Jan 25, 2022
Hi Niraj!
Could you elaborate on your approach? I'm looking to do the same thing. We automate the creation of our client sites. It would make sense to classify these sites and all the documents within them with a default sensitivity label when they're created.
- Feb 24, 2022
Hello, understand this a month later but just wanted to add that you can use sensitivity labels for containers (groups, sites, teams) with the disclaimer that they are only for controlling access and sharing really, not the files in the library. Until this is being released https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=85621 (they will inherit the library label if not protected) you'd have to either use Microsoft Defender for Cloud Apps to protect the files in that library or implement "Service-side" labeling, a.k.a auto-labeling for labeling at rest at scale, this is when content is already in OneDrive and SharePoint.
You have some other use cases in this thread mentioning the MIP SDK, but I have no experience working with that.
- WJN78 (Copper Contributor), Feb 24, 2022
How would someone using PowerShell change a label on a document? For example, a document was classified as Confidential. A request has come in to have the document reclassified as Internal. Is there a way for the Security Admin to change the classification of the document assuming we do not allow our base to change the classification themselves?
- Feb 24, 2022
WJN78 Assuming the document is in SharePoint.
Unlock-SensitivityLabelEncryptedFile (SharePointOnlinePowerShell) | Microsoft Docs
Remove encryption for a labeled document
Might as well add this too (RMS to unified labeling cmdlet mapping)
Use PowerShell with the Azure Information Protection unified labeling client | Microsoft Docs
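For the reclassification request asked about above, an administrator working on local files or a file share would usually want a dry run, a recorded justification, and an audit trail. The script below is an added example, not code posted by anyone in this thread. It assumes the AzureInformationProtection module (unified labeling client) is installed and that the account running it has usage rights on the protected files. The label GUIDs, justification text and CSV path are placeholders.

```powershell
# Added example (not from the thread): relabel local files with a dry-run mode and a CSV audit trail.
# Assumption: AzureInformationProtection module is installed; the GUIDs and ticket text are placeholders.
[CmdletBinding()]
param(
    [string]$FolderPath    = 'C:\temp\fileswithlabels',
    [string]$OldLabelId    = '<Current_Label_GUID>',
    [string]$NewLabelId    = '<New_Label_GUID>',
    [string]$Justification = 'Reclassification approved, ticket <ticket id>',
    [string]$AuditCsv      = '.\relabel-audit.csv',
    [switch]$Apply         # without -Apply the script only reports what it would change
)

$audit = foreach ($item in Get-ChildItem -Path $FolderPath -File) {
    $before = Get-AIPFileStatus -Path $item.FullName

    # A top-level label is reported in MainLabelId, a sublabel in SubLabelId.
    if ($OldLabelId -notin @($before.MainLabelId, $before.SubLabelId)) { continue }

    $result = 'DryRun'
    $after  = $null
    if ($Apply) {
        try {
            # The justification is recorded when the change lowers the classification.
            Set-AIPFileLabel -Path $item.FullName -LabelId $NewLabelId `
                -JustificationMessage $Justification -PreserveFileDetails `
                -ErrorAction Stop | Out-Null

            # Re-read the file instead of trusting the call; protected non-Office
            # files can be renamed, in which case the status lookup returns nothing.
            $after  = Get-AIPFileStatus -Path $item.FullName -ErrorAction SilentlyContinue
            $result = if ($after -and $NewLabelId -in @($after.MainLabelId, $after.SubLabelId)) {
                'Changed' } else { 'NotVerified' }
        }
        catch {
            $result = "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Time        = (Get-Date).ToString('o')
        File        = $item.FullName
        LabelBefore = $before.MainLabelName
        LabelAfter  = $after.MainLabelName
        Protected   = $before.IsRMSProtected
        Result      = $result
    }
}

$audit | Export-Csv -Path $AuditCsv -NoTypeInformation
$audit | Group-Object Result | Select-Object Name, Count
```

Run it once without `-Apply` and review the CSV before making changes; rows marked `NotVerified` or `Failed` need a manual check.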