Forum Discussion
TonyRedmond (MVP)
May 04, 2021
How to Monitor Changes to Sensitivity Labels Used for Container Management
Sensitivity labels are an effective way to manage containers like Teams, Microsoft 365 Groups, and SharePoint sites. Microsoft doesn’t provide any way to track changes made to labels assigned to containers, which means that a group owner can downgrade the policy assigned through a label. This article explains a method to detect when label changes occur for containers and how to revert those changes if necessary.
https://practical365.com/monitor-changes-sensitivity-labels-container-management/
16 Replies
- DaveTheTeamsGuy (Iron Contributor): Is it possible to use Azure Monitor to alert on changes to group and site labels?
- You mean an Azure Automation scheduled runbook? Sure, take the commands in the script and put them in a runbook. See https://practical365.com/azure-automation-managed-identity-exo/ for some pointers.
- DaveTheTeamsGuy (Iron Contributor): No, I'm referring to exporting audit log activities to an Azure log analytics workspace, then using Azure Monitor to fire alerts when a group or site label changes.
- DaveTheTeamsGuy (Iron Contributor): It would be great if this was an out-of-the-box feature. It's a bit of a chore for organizations that need to lock down every Team / SharePoint except for specified sites that get group access, and make it airtight. Maybe some day.
- Using a scheduled job run in Azure Automation is a good way to track changes made to groups...
- DaveTheTeamsGuy (Iron Contributor): I agree; however, for an organization with strict rules on guest access, that's unfortunately not an airtight solution. We need to ensure users can never add a guest to a Team unless the Team is approved for guest access.