Forum Discussion
Information Protection Labels and OneDrive
Howdy! Recently we implemented the security and compliance center protections (AIP/MIP/DLP). One issue we have run into, that is slightly self-inflicted. We had to change two of our labels to remo...
Greetings APMcWilly13,
Sorry I don't have an answer for relabeling down at scale. MS doco here https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide#will-an-existing-label-be-overridden says "Automatic labeling will replace a lower priority sensitivity label that was automatically applied, but not a higher priority label."
I infer that the problem is that users want to share/collaborate on a doc and the other party cannot open the encrypted content, or is there another problem this label is creating? With that problem statement in mind, since it became possible to co-author encrypted docs https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-worldwide, we encrypt all files by default. Users can then override the label by exception. Is enabling co-authoring a possible solution to your problem while leaving the label in place? Apologies if I have misunderstood the specifics of your problem.
Thanks, Ash
Sorry I don't have an answer for relabeling down at scale. MS doco here https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide#will-an-existing-label-be-overridden says "Automatic labeling will replace a lower priority sensitivity label that was automatically applied, but not a higher priority label."
I infer that the problem is that users want to share/collaborate on a doc and the other party cannot open the encrypted content, or is there another problem this label is creating? With that problem statement in mind, since it became possible to co-author encrypted docs https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-worldwide, we encrypt all files by default. Users can then override the label by exception. Is enabling co-authoring a possible solution to your problem while leaving the label in place? Apologies if I have misunderstood the specifics of your problem.
Thanks, Ash
I don't see an equivalent of that command for SPO. In the PS cmdlet reference guide for SPO, https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/?view=sharepoint-ps there's only one label related removal cmdlet.
According to this doc
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide#remove-encryption-for-a-labeled-document
A global admin or SharePoint admin can run the Unlock-SPOSensitivityLabelEncryptedFile cmdlet, which removes both the sensitivity label and the encryption.
1: go here and install the required PS modules for SharePoint Online.
https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online
2: This command will show you all the OneDrive sites within your Tenant, which gives you the path to docs in OD.
Get-SPOSite -IncludePersonalSite $true -Filter "Url -like '-my.sharepoint.com/personal/'" |ft
3: Here is where the wheels fall off. This command does not support wildcard characters. This command will remove the label from ONE doc. Sub out the FileUrl with a path from your list of OD sites.
Unlock-SPOSensitivityLabelEncryptedFile -FileUrl "https://contoso.com/sites/Marketing/Shared Documents/Doc1.docx" -JustificationText "Need to decrypt this file"
According to this doc
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide#remove-encryption-for-a-labeled-document
A global admin or SharePoint admin can run the Unlock-SPOSensitivityLabelEncryptedFile cmdlet, which removes both the sensitivity label and the encryption.
1: go here and install the required PS modules for SharePoint Online.
https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online
2: This command will show you all the OneDrive sites within your Tenant, which gives you the path to docs in OD.
Get-SPOSite -IncludePersonalSite $true -Filter "Url -like '-my.sharepoint.com/personal/'" |ft
3: Here is where the wheels fall off. This command does not support wildcard characters. This command will remove the label from ONE doc. Sub out the FileUrl with a path from your list of OD sites.
Unlock-SPOSensitivityLabelEncryptedFile -FileUrl "https://contoso.com/sites/Marketing/Shared Documents/Doc1.docx" -JustificationText "Need to decrypt this file"