Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Sensitivity Labels - External Sharing in SharePoint

Copper Contributor

I have created a Sensitivity Label that prevents External Sharing. I have applied this Sensitivity Label to a new Team that I have created and it has successfully applied to the Group and the SharePoint Site associated with the Team. 

 

It does what is expected and prevents guests from being invited to the Team/Group/Site but it does not prevent files/folders within the Site being shared with External parties. External Sharing on the SharePoint Site is enabled by default for new/existing guests but I would have expected the Sensitivity Label to change/overrule this and prevent files/folders from being shared as well as preventing guests from being invited.

 

Is this expected behaviour and if so is this a feature expected to be released once it goes into GA?

6 Replies

Hey @CraigWatson,

 

For now, this is expected behaviour.  The label settings don't apply to any content in the container, only the container.  In the example of external sharing, you are prohibiting adding guests to the group or site, but not its files.

 

Last I checked, there is currently a private preview of applying sensitivity labels automatically to files in SPO.

Thank you for the response @Ru, much appreciated :)

 

I am hoping this function in private preview prevents the file/folder that has the sensitivity label applied prevents it from being shared, regardless of the External Sharing setting on Sharepoint, as currently you CAN apply a sensitivity label to a file, but it does not prevent it from being shared

 

This would negate the need for a powershell script that identifies all Sharepoint Sites with an "Internal" sensitivity label and setting the SPOSharingCapability to "Disabled"

 

Lets see what the future brings - Thanks again!

Hey, no problem. There are better DLP experts than me who might have other ideas to help in the meantime, but you could try enabling 'sensitive by default' although it's tenant wide. For any file uploaded it won't let it be shared until DLP processes. Then it's just a case of making sure you have DLP in place to stop sharing on sites you don't want when it does process. Not sure how this works for folders though.
FYI: you can tag documents with labels automatically utilizing MCAS. Really nice to do it this way: https://docs.microsoft.com/en-us/cloud-app-security/use-case-information-protection

Thank you for the responses guys, I am investigating the Auto-Labeling functions and they seem.. detailed!

 

I dont know if I need to set up a separate post for this but I need some assistance with a Sharepoint Online Powershell Script, essentially I want it to run across all SPO Sites in our environment on a schedule and do the below

 

Get-SPO Site where "SensitivityLabel" -eq blank

 

For-each SPOSite | Set-SPOSite -SensitivityLabel "GUID of Internal Sensitivity Label"

 

Get-SPOSite where Sensitivity Label -eq "GUID of Internal Sensitivity Label"

 

For each SPO Site | Set-SPOSite -SharingCapability Disabled

 

I am struggling to find a way in the script of identifying all SPO sites with no Sensitivity Label applied to the put into a variable and then apply a sensitivity label.

 

Can anyone help with a script to execute the logic above?

 

Craig

@CraigWatson 

Sensitivity Label now has control to disable external sharing for files & folders in a site based on the applied label.Label creation with no external sharing for a siteLabel creation with no external sharing for a siteSensitivity Label applied siteSensitivity Label applied site