Forum Discussion
JSlei
Sep 14, 2021
Brass Contributor
Apply sensitivity labels using PowerShell
Is it possible to apply sensitivity labels to documents in SharePoint (not sites or groups) using PowerShell?
- Sep 16, 2021
There is no cmdlet to apply labels to individual files, afaik. Set-AIPFileLabel only works on local files. Using the MIP SDK is probably the way to go, at least until Microsoft introduces a cmdlet/Graph API endpoints.
Funnily enough we do have a cmdlet to remove labels: https://office365itpros.com/2021/03/25/decrypt-sharepoint-online-documents-graph/
Niraj Tenany
Copper Contributor
We have applied labels in SharePoint using MIP SDK and it has worked very well for us. While auto-classification is good, there are situations where organizations are not able to create classification rules and maintain them. We call this approach Project Based Label approach or Location based label approach. A user requests a SharePoint site or Teams, and at that time we programmatically create the labels and assign those labels to the site with appropriate permissions. When a document is uploaded to the site, we protect it using the label. This is an extensive topic and it took us a year to build out the complete capability, but it works extremely well.
cillo838383
Jan 25, 2022
Copper Contributor
Hi Niraj!
Could you elaborate on your approach? I'm looking to do the same thing. We automate the creation of our client sites. It would make sense to classify these sites and all the documents within them with a default sensitivity label when they're created.
- WJN78, Feb 24, 2022, Copper Contributor
How would someone using PowerShell change a label on a document? For example, a document was classified as Confidential. A request has come in to have the document reclassified as Internal. Is there a way for the Security Admin to change the classification of the document assuming we do not allow our base to change the classification themselves?
- Feb 24, 2022
WJN78 Assuming the document is in SharePoint.
Unlock-SensitivityLabelEncryptedFile (SharePointOnlinePowerShell) | Microsoft Docs
Remove encryption for a labeled document
Might as well add this too (RMS to unified labeling cmdlet mapping)
Use PowerShell with the Azure Information Protection unified labeling client | Microsoft Docs
- Feb 24, 2022
Hello, I understand this is a month later, but I just wanted to add that you can use sensitivity labels for containers (groups, sites, teams), with the disclaimer that they are only for controlling access and sharing really, not the files in the library. Until this is released https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=85621 (they will inherit the library label if not protected), you'd have to either use Microsoft Defender for Cloud Apps to protect the files in that library or implement "service-side" labeling, a.k.a. auto-labeling, for labeling at rest at scale; this is when content is already in OneDrive and SharePoint.
You have some other use cases in this thread mentioning the MIP SDK, but I have no experience working with that.