How to Monitor Changes to Sensitivity Labels Used for Container Management


Sensitivity labels are an effective way to manage containers like Teams, Microsoft 365 Groups, and SharePoint sites. Microsoft doesn’t provide any way to track changes made to labels assigned to containers, which means that a group owner can downgrade the policy assigned through a label. This article explains a method to detect when label changes occur for containers and how to revert those changes if necessary.
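As an added example (not the article's own script), one way to implement the detection described above in Exchange Online PowerShell: record a baseline of the label assigned to each Microsoft 365 Group and, on each run, report groups whose label no longer matches it, optionally putting the baseline label back. It assumes an account with rights to read and update groups; the baseline path is a placeholder.

```powershell
# Added example: detect Microsoft 365 Groups (Teams, group-connected sites) whose
# sensitivity label differs from a recorded baseline, and optionally revert them.
param(
    [string]$BaselinePath = "C:\Temp\ContainerLabelBaseline.csv",  # placeholder path
    [switch]$Revert                                                 # only report unless set
)

Connect-ExchangeOnline -ShowBanner:$false

# Current state: one row per group; SensitivityLabel holds the label GUID (empty if none)
$current = Get-UnifiedGroup -ResultSize Unlimited |
    Select-Object ExternalDirectoryObjectId, DisplayName, SensitivityLabel

if (-not (Test-Path $BaselinePath)) {
    # First run: capture what is assigned today and stop; review this file before trusting it
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Index the baseline by group object id for quick lookup
$baseline = @{}
Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.ExternalDirectoryObjectId] = $_ }

$drift = foreach ($g in $current) {
    $b = $baseline[$g.ExternalDirectoryObjectId]
    if ($null -eq $b) { continue }   # created after the baseline; handle through provisioning review
    if ([string]$b.SensitivityLabel -ne [string]$g.SensitivityLabel) {
        [pscustomobject]@{
            Group         = $g.DisplayName
            Id            = $g.ExternalDirectoryObjectId
            BaselineLabel = $b.SensitivityLabel
            CurrentLabel  = $g.SensitivityLabel
        }
    }
}

if (-not $drift) { Write-Host "No label changes detected"; return }
$drift | Format-Table -AutoSize

if ($Revert) {
    foreach ($d in $drift) {
        # Restore the recorded label; a group that had no label in the baseline is left alone
        if ($d.BaselineLabel) {
            Set-UnifiedGroup -Identity $d.Id -SensitivityLabelId $d.BaselineLabel
        }
    }
}
```

Run it unattended (for example as a scheduled job) to get the "detect and reverse" behaviour discussed in the replies; the drift table is what you would forward to whoever reviews label changes.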


https://practical365.com/monitor-changes-sensitivity-labels-container-management/

16 Replies
It would be great if this was an out of the box feature. It's a bit of a chore for organizations that need to lock down every Team / SharePoint except for specified sites that get group access, and make it airtight. Maybe some day.
Using a scheduled job run in Azure Automation is a good way to track changes made to groups...

I agree, however for an organization with strict rules on guest access, that's unfortunately not an airtight solution. We need to ensure users can never add a guest to a Team unless the Team is approved for guest access.

Use sensitivity labels to block guest access and apply the labels to the groups you want to keep guest-free. Then no one except an administrator can add a new member to those groups.
That was my original plan after reading your articles - but can't group owners change sensitivity labels?
They can, but it's easy to detect and reverse the changes... Just like people who try to add new members to the site used by a private channel via SharePoint, only to find that Teams overwrites the changes they made a few hours later....
And the thing is, if a group owner keeps on changing the label assigned to a group with the intention of adding guests to a team that discusses confidential information, isn't that an opportunity for HR to flex their muscles and acquaint said owner with the wonders of a disciplinary process?
That's absolutely an opportunity - but at that point the data could have already been exposed to someone who shouldn't have seen it. It sounds like there isn't really an airtight method at this point in time. I know we can get into data protection and those other options, but it seems like protecting the container and making it so it can't be changed by anyone but an admin is something that could be added to the out of the box functionality.

1. User creates Team
2. Team gets default sensitivity label prohibiting guest access that the owner cannot change
3. User requests review and approval for Team to be opened up for guest access
Can you use some of your influence to help push that along? =D
Is it possible to use Azure Monitor to alert on changes to group and site labels?
You mean an Azure Automation scheduled runbook? Sure, take the commands in the script and put them in a runbook. See https://practical365.com/azure-automation-managed-identity-exo/ for some pointers.
No, I'm referring to exporting audit log activities to an Azure log analytics workspace, then using Azure Monitor to fire alerts when a group or site label changes.
Here's a hint. Search Office365itpros.com and Practical365.com for topics related to Microsoft 365 and you never know what you might find:

site:office365itpros.com OR site:practical365.com 'Microsoft 365 Copilot'