How can I re-label large amount of data on SharePoint with MIP sensitivity label?

New Contributor

We have a SharePoint site with contains 80 GB data which we recently migrated from file server. Before migration, we labeled & encrypted all data with a "user defined" MIP sensitivity label. Due to file type is very special and MIP only supports "Generic Protection" to these file type. So we use that "Generic Protection" and assign certain user with access in the "user defined" label, all 80 GB files get same label and permission

Snap47.jpg

 

Now we get trouble, because the permission to be updated. We want to add one more user into the label who should get access to it.  It seems no way to label the file on SharePoint directly in batch? 

 

If we use the way we did during the migration, we have to download all data to local or a file server then using UL Client to label (or PowerShell), this is a huge work and not practial. 

 

I am wondering if there is possibility that we can re-label all the data on SharePoint directly without download them? I am going to suggest user to create a user group on exchange server instead of assigning user one by one in Label, so that he can assign label permission to the group and just need to manange the members in the group in future.  But anyway, we have to re-label all the data on Sharepoint, any hints how to do it without download everything?

 

 

5 Replies
Assuming you are talking about Sharepoint-Online and you have Defender for Cloud Apps-Licenses you may be able to leverage the "Auto apply sensitivity labels".
Check out:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/automatically-apply-labels-t...
and
https://docs.microsoft.com/en-us/defender-cloud-apps/use-case-information-protection

@aexlz 

Hi Aexlz,

Thanks for the hints, I did a policy to test the function. Here I see some issues.
1. It doesn't allowed to give detail role and users/groups for "User Defined" label when I choose it in the policy.
2. And the test doesn't really work in my test, although I received the message says the policy macthed and label assigned, however it is not assigned in real world, don't know where could be the problem.

 

In the policy, I choose the parent folder "service 2" where I want to apply same label to all files in that folder. Since I don't need to inspect file to decide the labeling, so I choose "None" for "Inspection method". In "Governance" for SharePoint Online, (the folder is on SharePoint Online), choose the sensitivity label and select "User Defined" label which is published already. Here I see the 1st issue that no place I can give role and user/group info like what I can see from UL Client

 

ShanCSC_1-1656407740403.png

 

ShanCSC_0-1656407708982.png

 

What I can see and configure from Ul Client

ShanCSC_2-1656408070796.png

 

Anyway, I created the policy and start the test. The test is to create or copy new files to the target folder, I learned it will not label existing files if the inspection is not enabled like in my policy setting. 

 

I received message from "Microsoft Cloud App security" that the there is items matched policy, but when I double check the file, the given label is not assigned actually. For example the following new Excel file, it still shows default "Internal" label after I received the message. 

ShanCSC_3-1656408364560.pngShanCSC_4-1656408426102.png

I am not sure if the "Inspect protected files" permission must be granted in "setting" of Defender for Cloud Apps. I guess not for this test case, as "Internal" label doesn't configured with any protection or encryption behind. 

ShanCSC_5-1656408473520.png

 

 

Hi ShanCSC

surely MCAS lacks features from the UL-Client. I just hoped it could workaround your problem.
However: How much time did you pass by after you set up the policy?
I experienced MCAS taking a loooooong time crawling through all the files and do its job. As an example:
Recently I wanted to find all Non-Office-Files from SPO-/OneDrive without any label. This took around 2-3 weeks - not kidding.
Surely, sometime it takes unbelieve long time to have the result confirmed. While I received the message 10-15 minutes after i upload a new file. It is quick however the work seems not done well as expected ;-( But yap, I will take look the rest of days to see if magic happens.

But your tips do helps, I am now also look into this feature from Defender for Cloud App and see what else it can help in regarding automation.
I just get chance to talk with Microsoft engineer about this use case. unfortuanly the answer is no, there is no good way we can re-label all data on SharePoint Online without downloading them to local