How can I re-label a large amount of data on SharePoint with an MIP sensitivity label?


We have a SharePoint site which contains 80 GB of data that we recently migrated from a file server. Before migration, we labeled and encrypted all data with a "user defined" MIP sensitivity label. Because the file type is very special, MIP only supports "Generic Protection" for these file types. So we used "Generic Protection" and assigned certain users access in the "user defined" label; all 80 GB of files got the same label and permissions.


Now we are in trouble, because the permissions need to be updated. We want to add one more user to the label who should get access. It seems there is no way to label the files on SharePoint directly in batch?

If we use the way we did during the migration, we have to download all data locally or to a file server and then use the UL Client (or PowerShell) to label it. This is a huge amount of work and not practical.

I am wondering if there is a possibility that we can re-label all the data on SharePoint directly without downloading it? I am going to suggest that the user create a user group on Exchange Server instead of assigning users one by one in the label, so that he can assign the label permission to the group and just needs to manage the members of the group in future. But anyway, we have to re-label all the data on SharePoint; any hints on how to do it without downloading everything?

5 Replies
Assuming you are talking about SharePoint Online and you have Defender for Cloud Apps licenses, you may be able to leverage "Auto apply sensitivity labels".
Check out:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/automatically-apply-labels-t...
and
https://docs.microsoft.com/en-us/defender-cloud-apps/use-case-information-protection

@aexlz 

Hi Aexlz,

Thanks for the hints. I created a policy to test the function. Here I see some issues.
1. It doesn't allow giving detailed roles and users/groups for the "User Defined" label when I choose it in the policy.
2. The test doesn't really work: although I received the message saying the policy matched and the label was assigned, it is not assigned in reality. I don't know where the problem could be.

In the policy, I chose the parent folder "service 2", where I want to apply the same label to all files in that folder. Since I don't need to inspect files to decide the labeling, I chose "None" for "Inspection method". In "Governance" for SharePoint Online (the folder is on SharePoint Online), I chose the sensitivity label and selected the "User Defined" label, which is already published. Here I see the first issue: there is no place where I can give role and user/group info like what I can see in the UL Client.


What I can see and configure from the UL Client


Anyway, I created the policy and started the test. The test is to create or copy new files to the target folder; I learned it will not label existing files if inspection is not enabled, as in my policy setting.

I received a message from "Microsoft Cloud App security" that there are items that matched the policy, but when I double-checked the file, the given label was not actually assigned. For example, the following new Excel file still shows the default "Internal" label after I received the message.


I am not sure if the "Inspect protected files" permission must be granted in the "setting" of Defender for Cloud Apps. I guess not for this test case, as the "Internal" label isn't configured with any protection or encryption behind it.


Hi ShanCSC

Surely MCAS lacks features from the UL Client. I just hoped it could work around your problem.
However: how much time passed after you set up the policy?
I experienced MCAS taking a loooooong time crawling through all the files and doing its job. As an example:
Recently I wanted to find all non-Office files from SPO/OneDrive without any label. This took around 2-3 weeks - not kidding.

Surely, sometimes it takes an unbelievably long time to have the result confirmed. While I received the message 10-15 minutes after I uploaded a new file. It is quick; however, the work seems not done as well as expected ;-( But yep, I will take a look in the coming days to see if magic happens.

But your tips do help. I am now also looking into this feature of Defender for Cloud Apps to see what else it can help with regarding automation.

I just got a chance to talk with a Microsoft engineer about this use case. Unfortunately the answer is no; there is no good way we can re-label all data on SharePoint Online without downloading it locally.