Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites
Published Mar 11 2020 03:08 AM 23K Views
Microsoft

With the ability to label a SharePoint Online site, Teams site or O365 Group we're introduced to the first capabilities of applying sensitivity labels to "containers". Check out the webinar to understand how this works and how to use this in your organization.

 

This webinar was presented on Thu Mar 5th 2020, and the recording can be found here.

 

Attached to this post are:

  1. The FAQ document that summarizes the questions and answers that came up over the course of both Webinars; and
  2. A PDF copy of the presentation.

Thanks to those of you who participated during the two sessions and if you haven’t already, don’t forget to check out our resources available on the Tech Community.

 

Thanks!

@Adam Bell  on behalf of the MIP and Compliance CXE team

19 Comments
Copper Contributor

While the FAQ says this is Office E3 feature, I have found that not to be true.  There must be at least one (1) Azure AD Premium P1 license in your Azure AD organization (ref). 

 

Wes

Microsoft

Hi @Wes MacDonald 

 

Thanks for your observation. We have noted this in the documentation - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-assign-sensitivity...

 

Cheers,

Adam

Microsoft

Is there a plan to consider teams meetings as a container and apply a sensitivity label to meetings initiated?

My customer would like to clearly indicate that a meeting is unclassified and be sure end-users are aware before they share content.

It would also be good to prevent sharing of content that is labeled higher than that of the meeting.  

Also, is there a way to make the sensitivity label stronger visually present like we do with Banner/waterwark in documents ....today label is somewhat hidden in small print in a corner.

Deleted
Not applicable

Hi there is an error in the survey linked from the presentations  it is asking for the email address to be a number.

Iron Contributor

@Adam BellDoes SharePoint crawl the sensitivity label property applied to documents? Older AIP classic labels were being crawled and were available under crawled properties. However, the newer sensitivity labels aren't showing in crawled properties for us.

yes the label's ID is crawled and managed. Screenshot below. @Gurdev Singh ...

InformationProtectionLabelId.png

Copper Contributor

Maybe I don't understand exactly the goal of this feature, but I would like to understand what is the goal to take available sensitivity labels in sharepoint sites, but if I put/create a file in a library this file isn't automatically classified with label of site? 

 

Thank you!

@Andre_Silva You can read details here https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view.... Note Sensitivity labels are supported by office files and pdf. In SharePoint you can upload a variety of files and then control who can access, download and collaborate on them. Think about amanaging external guests, prevent download from unmanaged devices etc. 

Brass Contributor

Hello,

About Site and Group Settings, if plan to use it to allow or limit access from unmanaged devices, would be good to:

1. Allow to disable "Incompatible sensitivity label detected" messages;

2. Remove the "None" option, so only existing Sensitivity label can be applied or allow to set Default sensitivity label in SharePoint Online Template for new sites, so users cannot create a site without Sensitivity label;

3. Work with OneDrive team & integration, right now, to enable Sensitivity label per site, the general SharePoint Admin Access Control policy must be changed to "Allow full download"; If in the past, company strategy was to Limit access from unmanaged devices, this new solution force to disable this setting and set it back to "Allow full download", nothing documented about it + if we disable this setting and set back "Allow full download", this disable existing Conditional Access policies created before by this setting;

4. Explain configuration in more details, have a feeling that Conditional Access policy explanation missing in all documents about SharePoint sites with Sensitivity labeling;

5. SharePoint Sensitivity labeling solution must follow the logic of the data classification if the organization deployed as example 10+ Sensitivity labels and build internal Data Classification documentation in the past, and now we try to integrate something regarding SharePoint site labeling... makes it a little bit confusing for end-users.

@lightupdifire I will try to answer most of the question below

 

Allow to disable "Incompatible sensitivity label detected" messages;

<Sanjoyan> Yes we are giving a switch. Coming soon. ETA July end

 

2. Remove the "None" option, so only existing Sensitivity label can be applied or allow to set Default sensitivity label in SharePoint Online Template for new sites, so users cannot create a site without Sensitivity label;

<Sanjoyan> if you mark the publishing policy as Mandatory the none option will go away. Very soon we are changing publishing flow for labels. Labels that are specific to docs and emails can be seperated from labels that apply to Team/Group/Sites. So then you will be able to choose different defaults and different mandatory policies. ETA July end

 

3. regarding the conditional access I didnt understand the concern. Please connect with me in email with screenshot and detailed description {samust@microsoft.com}

 

4. Did you get a chance to read this https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

 

5. Again for number 5i didnt fully understand the concern. I am happy to discuss. Please send me details with example in email. 

 

Brass Contributor

Hello Sanjoyan,

Sure, my mail will come soon.

Copper Contributor

Hello,

 

Can we apply sensitivity labels to a Team site (no Office 365 group)/STS#3 site? We enabled the sensitivity labels using below PowerShell and then we see the labels while creating the Office 365 groups or Communication sites but not while creating a Team site (no Office 365 group).  Thank you!

 

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

Copper Contributor

Hi all,

Thanks for this interesting webinar. 

Could you just please share the flow developed for blocking files of a specific label to be uploaded to a SharePoint Site ? 

Best Regard

Copper Contributor

Helloo , 

How can I include all SharePoint Sites on the flow?  I want to automate check any mismatch for any label / any site.

Thank you 

Copper Contributor

@Sanjoyan Mustafi Can you please confirm that to use Sensitivity labels on an MS Team or SharePoint site, I must have E5 licensing.  Is this correct?

 

Does everyone in the tenancy have an E5 license or only the administrator?

 

Kind regards

Kirsty

 

 

Deleted
Not applicable

@Kirsty600  you do not need an E5 licence to add a sensitivity label to Teams or to manually add a sensitivity label to content.

 

You need E5 if you want to take advantage of automated sensitivity labelling

 

A summary of the features and licence requirements can be found here Microsoft 365 licensing guidance for security & compliance.

Copper Contributor

Hi,

I'm testing out the Policy with sensitivity labels, and seems like it can only apply if you create a New Team site from scratch.  You cannot apply sensitivity label to a Team Template.  Is this the correct experience?

Copper Contributor

I'm validating sensitivity labels (containers), specifically, the "Control external sharing from labeled SharePoint sites:"

Has anyone been able to make this work?

 

I've created/published a 'groups and sites' label that prevents guest access and 'Control external sharing from labeled SharePoint sites' and set to 'only people in your organization'. It seems to work fine to prevent owners from adding guest users to the Teams site but, it is not preventing them from going to associated sharepoint site and share specific documents with external users.

 

Note; i'm not selecting 'files and emails' option when I create the above label.

 

I'm following instructions found here.

https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view...

 

I'm trying to create a process that.... When users created a teams site labeled 'Internal', members/owners of that site can't add guest or share files to external users.

 

Hope you can help.

thank you.

 

UPDATE: Noticed that when I go to sharepoint admin and look at the site associated with the Teams site, I see that sensitivity policy says None. If I click on edit and choose the policy that I created, then everything seems to work as expected. User is no longer able to share site/files externally from that site.

So... my question is.. why is the sensitivity label policy not being applied automatically to the associated Teams site? Hope someone can help.

 

 

 

Brass Contributor

@Adam Bell is the link to the webinar still valid for you? 

 

When I attempt to access the webinar link (https://aka.ms/MIPC/Webinars/SPOLabelPerSite) I'm just directed to a bing search page.

Version history
Last update:
‎May 11 2021 01:56 PM
Updated by: