Microsoft Purview - Paint By Number (Part 2b) – Add a Sensitivity Label to a Container or Site
Published Mar 08 2022 04:49 PM 1,844 Views



Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community




This document is not meant to replace any official documentation, including those found at  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.


Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data, encrypt it where needed.


Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through.

We will be creating Sensitivity Labels for net-new Teams sites only

  • Create labels
  • Publish labels
  • Add labels to a Teams site.

It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy.  For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) called “U.S. SSN – Numbers Only” that I created in Part 1 of this blog series. 



This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Sensitive Information Types
  • Exact Data Matching
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Overview of Advanced eDiscovery (AeD)
  • Reports and Analytics available in of Advanced eDiscovery (AeD)
  • Insider Risk Management
  • Privacy Management

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

It is also presumed you are using an existing Information Types (SIT) or a Exact Data Match (EDM) you have created for your testing.

We will not be working with pre-existing Teams sites.


Overview of Document

  1. We will create 2 labels: one Private and one Public
  2. Publish your Labels
  3. Add your Label Policy to a Teams Site


Use Case

Create a Sensitivity Label and apply it to a Microsoft Team.  This will apply the protection of a Sensitivity Label to protect the files within a Microsoft Team.



  • Sensitivity Label – a metadata tag
  • Publish Label – making the metadata tag available to your tenant




  • Containers (in SharePoint) are a gate keeper for access to files inside SharePoint/Teams sites
  • Container labels do not apply labels to objects inside the container (ex. PPT and Word docs do not receive the label of the Container)
  • When there is a mismatch of the label of a container versus that of a file inside the container, then this can be audited.
  • The application of a sensitivity label at the Team container level prevents inappropriate / external team members from being added to the Team.  This prevents oversharing from occurring in the first place.
  • Privacy labels (Private, org-wide & public). These Sensitivity Labels are linked to the corresponding setting in the Container/Site configuration.
    • Private – data stays inside a certain group of users within the organization
    • Org-wide – data stays inside the organization
    • Public – data available for access outside the organization




  • Create a Sensitive Information Type (SIT) in Part 1 OR an Exact Data Match (EDM) in Part 1a of this blog series.
  • You have done the steps in Part 2a of this Paint by Number Series “Adding the ability to label Sensitivity Labels to Containers and Sites”



Configure the Sensitivity Labels

We will create 2 labels now but only user one until the testing later on.


  1. Go to your Compliance console


  1. Navigate to your Information Protection -> Labels and click New Label.


  1. Name & Description - Give the Label a name (ex. “Container Label”) and click Next.





  1. Scope - Select only Groups & Sites and click Next.





  1. Files & Emails - File related settings will be disabled.  Click Next.





  1. You can define the protection settings for groups and sites.  We will not be configuring this at the present time but you can do this later.  Select both and click Next.





  1. You will not be taken to the Privacy and External User Access Settings.
    1. For Privacy Options, the default is Public but we will change this to Private.






b. For External User Access, leave this un-selected as we will not be testing this aspect of the policy at this time.  Click Next.





  1. We will now define our External Sharing and Conditional Access Setting.


a. For the moment, enable Control External Sharing from labeled SharePoint sites.  Review your options for who can access the Group/Site data.  Notice the default is Anyone.





b. Under Azure AD conditional Access to protect labeled SharePoint sites.  This is used to facilitate allow/deny access via users with unmanaged devices.





c. Deselect both of these options and click Next.


  1. Azure Purview (preview).  This feature is not in General Availability yet.  Lleave this disabled.  Click Next.





  1. The next thing you will see in the wizard is the ability to configure auto-labeling.  As of the write of this blog, this is in Preview only and not Generally Availability.  Click Next.






  1. Now you will review your label settings. 





  1. When you are satisfied, click Create Label.





Publish your Sensitivity Labels

We will publish our 2 labels now but only user one until the testing later on.


  1. Click Publish Labels


  1. Select Choose Sensitive labels to publish and select your labels from above.





  1. Select your label and click Add.  Then click Next.





  1. Select which users and groups this will apply to.  We accept the default of All for this test.  Then click Next.





  1. For Policy Settings there is nothing to be configured.  Click Next.





  1. Now you will arrive at Policy Settings for sites and groups.  From the drop down, select the label you just creat3d.






  1. Decide if you want to require labels to you sites for these users.  When you are satisfied, click Next.





  1. Give the policy a name and description





  1. Now review the settings and when you are ready, clic Submit.





  1. You have now published your label of use.



Apply a Label to an MS Team



  1. Open Teams and Go to your Teams tab.





  1. At the bottom left, click Join or create a team.





  1. Click Create a team.





  1. I will be selecting From scratch for my team.





  1. Select your label from the drop down.





  1. Finish setting up your Team site.  I will choose the Privacy setting of Public for my test.




7. Give the team a name and description.




8. Click Create.





Apply a Label to a SharePoint Site



  1. Open your Sharepoint Administrative site


  1. Navigate to Sites -> Active Sites




  1. Click Create.





  1. For the purpose of this blog, we will select Team Site.





  1. Enter a Site name.  Enter the other information as you see fit.




  1. Click Advanced Settings





  1. Choose your Sensitivity Label




8. Click Next


9. Enter any additional owners or members you wish to add to the site.




10. Click Finish


11. To verify that the site has received its label, click on the properties for the team and navigate to the Policies tab.  You should see a Sensitivity label on the right of this tab.





12. You are now done adding a label to your SharePoint site.



Testing – Add data to a Team’s Site


  1. Click on your new team then Files – Upload  





  1. Decide if you want to upload a test file(s) or a folder with a file(s).









  1. Overview Sites to follow, in order:
    1. Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft ...



Testing – Share a Teams file via SharePoint


  1. In teams, click on the file(s)/folder you want to share. Right click the three dots next to the file and clock Open in SharePoint





  1. Click on a file





  1. Click the Share button.





  1. Enter the external email address of the users you wish to share with the file with.





  1. You should see a message such as the one above that states: “Your org doesn’t allow sharing with these people.  To continue sharing, remove the highlighted recipients.”


  1. You have now completed the testing sharing a file.


Testing – Share Teams a file via Link


  1. In teams, click on the file(s)/folder you want to share. Right click the three dots next to the file and clock Open in SharePoint





  1. Next to the file, click the 3 horizontal dots





  1. Select Copy link.





  1. Copy the link to your email and send it to an external address for your test users.  Then click Send.





  1. Hou will see a pop-up similar to this message below:





  1. Click Send Anyway


  1. Go to your external user’s mailbox.  Click on the file link and after asked to authenticate, you should encounter an message similar to the one below.





  1. You have now completed your testing of the sharing of a file link.


Testing – Owner can change the label on the container

Here we will use the second label (Public) we created previously.  We will change the label on the Teams container so we can now change an “internal” team with its associated files and make it public facing/accessible and vice versa.


  1. Right click your MS Team and click Edit Team





  1. Select Sensitivity and change the label to an external label





  1. Change Privacy to Public (or Org-wide)





  1. Click Done.


  1. Wait 15-30 minutes to allow the change to take affect in the Team.


  1. Repeat both share tests.  You should now be able to share the data inside of the file.
    1. Note – this will not change the Sensitivity Label of the file itself.


  1. You are now done with this part of the testing.




Appendix and Links















Version history
Last update:
‎Nov 03 2022 09:58 AM
Updated by: