SOLVED

Apply sensitivity labels using PowerShell

Contributor

Is it possible to apply sensitivity labels to documents in SharePoint (not sites or groups) using PowerShell?

15 Replies
this is just for operations in the admin center, I need to be able to add the labels to the documents programmatically
You can now use Security & Compliance Center PowerShell to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.
still doesn't answer my question. I'm not looking to script the creation and maintenance of the labels, that's already been done. I'm looking to script the application of the labels to documents in SharePoint. Instead of the user having to label thousands of documents manually, is there a way to script it?
You're not very clear when asking a question...

Try using the New-AutoSensitivityLabelPolicy then.
best response confirmed by JSlei (Contributor)
Solution
There is no cmdlet to apply labels to individual files, afaik. Set-AIPFileLabel only works on local files. Using the MIP SDK is probably the way to go, at least until Microsoft introduces a cmdlet/Graph API endpoints.
Funnily enough we do have a cmdlet to remove labels: https://office365itpros.com/2021/03/25/decrypt-sharepoint-online-documents-graph/
Perhaps this will solve your use case, as I don’t understand the current situation tbh.

With this update, all newly uploaded documents to a document library can “inherit” the configured label for the document library (if not already labeled).

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=85621
Vasil, that’s why there’s auto-labeling. The solution is intended to allow tenants to protect existing content at scale without needing anyone to review large quantities of documents.
thanks, this answered my question.

@JSlei Hello again, didn't you look for an option to protect at scale without anyone have to review the documents? Are you saying this isn't applicable even if using PowerShell cmdlets for it?

https://office365itpros.com/2020/01/27/microsoft-previews-auto-label-policies-sensitivity-labels/

 

"Manual application of sensitivity labels is a good way to protect new messages and documents but does nothing to deal with the mass of documents and messages that already exist inside Office 365. To address the issue, Microsoft is running a preview program for auto-labeling Word, Excel, and PowerPoint files stored in SharePoint Online sites and OneDrive for Business accounts (Exchange Online will come later). The solution is intended to allow Office 365 tenants to protect existing content at scale without needing anyone to review large quantities of documents."

@JSlei @Vasil Michev I reached out to a connection with over a decade as "AIP" MVP and got the response.

 

"It is definitely possible to solve with a script, however, with the MIP SDK. But why bother, MCAS can put a label on all documents in an SP site. Then Microsoft is rebuilding SharePoint online right now to force all files that do not have a manually set label in an SP site based on its container label."

 

The latter being the roadmap item I linked to above scheduled for release in December.

@JSlei About MCAS and Auto-labeling Microsoft Cloud App Security and Sensitivity Labels – Joanne C Klein

 

(a bit old but still relevant)

thank you for following up on this. I am aware of the auto-labeling policies but they can only label files based on content of the file. I was looking for a solution that allows me to label the files based on different requirements and I believe building a solution that calls the MIP SDK is the way to go.

@JSlei @Vasil Michev @ChristianJBergstrom 

 

Hi All,

Just bringing a slightly similar scenario to this thread - and wondering if anyone can confirm if it's possible? We have a Client with millions of Docs in Sharepoint 2013 OnPrem today where they have been very rigorous in using TermSet from the TermStore to tag all sensitive docs/files with the appropriate MetaData and this has been in use for some 6 - 7 years.

 

We are now assisting with the Sharepoint Migration and the question becomes - what is the *best* (least painful/best chance of success) method of ensuring that all the contents get from - Sharepoint 2013 onPrem to Sharepoint Online:

  • It appears that SIT's and AutoLabelling cannot identify TermSet?
  • This being the case - should we be looking at applying SL's before the move?
    • This seems the lower risk?
  • Should we focus on MIP SDK or simply script this via PowerShell to Identify each file and add the appropriate SL?

Create and manage terms in a term set - SharePoint in Microsoft 365 | Microsoft Docs

One of the key things we are trying to achieve is do this "at scale" without having to open each file individually - if AutoLabelling is the way to go then fine, but from what we have reviewed so far this is NOT a case where we need to identify docs based on SIT's - the intent is to simply identify docs/files based on TermSet attributes and then apply the matching SL

 

Any advice or suggestions welcome, we're still researching, but thought it might be worth checking if anyone else has come across this?

 

@David Caddick 

 

The challenges with a manual approach are user error and scalability. Not to mention that once you have completed the project it will only be for a moment in time and if an employee creates a sensitive file 15 minutes after you've finished then it will be missed.

 

The best way to do this may be this third-party tool (Data Validation & Classification Tools | AvePoint) which will automate this process with AI rules. Disclaimer- I am currently employed by AvePoint. 

 

Hope this helps.