Unifiled labeling for SharePoint as a container and external sharing

Brass Contributor

Hi all,

I have created a SharePoint site Sensitivity set to Highly Confidential. In CSS I have set up this sensitivity label as follows.

The site and Group Settings -Private- Only Members can access the site 

Also unchecked - External users access- Let O365 group owner add people outside the organization to the group.

Then I have shared a document with an external user. The external user successfully can access this document. Is this expected behavior or the SharePoint site shouldn't allow an external user to access this document because the site is classified as Highly Confidential.

FYI- Document is not classified, the document sitting on the document library on the above site and the external user is not a member of the site.



5 Replies



Hi, in my testing of this, I set my label as below,


Screenshot 2020-06-20 at 12.33.47.png


Then I created a SPO Team site with this sensitivity label applied to it. I created a word doc and was able to share it to an external Gmail account (completely new test Gmail account).


However, when opening it, I was challenged to send a verification code to the Gmail account.  


Screenshot 2020-06-20 at 12.34.37.png

The code never arrives.  Have tried resending it a number of times.  I believe this is probably going to be the expected behaviour.  What I might do is leave it a while and see if anything changes.  Then I will add the Gmail account as a guest user and see if that changes anything.

best response confirmed by Nip17 (Brass Contributor)



Little bit more digging, and this article - explains how it all works brilliantly!



So what's the point of having container classification then.:lol:




I agree that this has a way to go before it's the finished article.  It's a step in the right direction though I think and I suggest keeping an eye on it to see the functionality evolve.  It's only going to get better and better.  In the meantime, you can classify and protect very effectively at the document level.

@Nip17  At the moment the sensitivity labels for containers (SharePoint/ Teams) only provide  controls that manager the container and not the content. 

They can be useful if you want to restrict guest access to specific Teams only or enforce access is only from managed devices. 


The labelling of content needs to be added separately.


Note that if you already use sensitivity labels for content and then decide you want to be ale to provide more granular levels of control to a Team using sensitivity labels (such as creating internal only and guest allowed) these labels also appear when labelling content

1 best response

Accepted Solutions
best response confirmed by Nip17 (Brass Contributor)