Sensitivity Label for Office 365 Group and Microsoft Teams
Microsoft recently added a new feature in sensitivity Label, using this feature we can classify the Office 365 Group, SharePoint Online site, and Microsoft Teams. Previously, we used Classification Label to classify the group or site with text but this sensitivity Label feature not only supports classification by text and it is also supporting privacy, guest access, and unmanaged device access for Office365 Groups, Teams and SharePoint Site.
How to create the sensitivity Label for Office365 Groups, Microsoft Teams and SharePoint Site.
We can create the Sensitivity labels from Office 365 Security and Compliance center. Go to Office 365 security and compliance (https://protection.office.com/) β Classification β Sensitivity labels β Create label β Enable the Site and Group Settings.
Site and Groups Settings
Using this feature, we can control Site, Groups, and Teams with the following option
- Privacy
- External user access
- Unmanaged devices
Privacy
Using this setting, we can set the privacy type Private or public by applying this sensitivity label.
External user access
Using this setting, we can enable or disable guest access for the Groups, Teams, and Sites.
Unmanaged devices
Using this setting, we can manage access for the unregistered device in Azure AD. It has the following option
- Allow full access from Desktop, Mobile app, and the web app
- Allow limited Web access
- Block access
Note: This sensitivity label only controls the above features. It will not impact the store items in the Teams and SharePoint Site.
Enable and sync the Label in Office 365 Groups
Before going to apply the sensitivity label, we need to enable EnableMIPLabels in Set-AzureADDirectorySetting using AzureADPreview PowerShell module, refer the below PowerShell commands to enable sensitivity label in the tenant.
| Import-Module AzureADPreview
Connect-AzureAD
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting where -Property
DisplayName -Value “Group.Unified” -EQ).id
$Setting.Values
$Setting[“EnableMIPLabels”] = “True”
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting |
After enable, the EnableMIPLabels in AzureAD module, we need to sync sensitivity label to office 365 Group using Execute-
AzureAdLabelSync commands, refer the below PowerShell commands.
| $UserCredential . Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri (https://ps.compliance.protection.outlook.com/powershell-liveid/) -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Execute-AzureAdLabelSync|
How to apply the Sensitivity label to Office 365 Group, Sites, and Teams
We can apply the sensitivity label when creating the Office 365 Groups, Sharepoint Sites, Microsoft Teams.
Office 365 Groups
Microsoft Teams
Sharepoint Site
How to change the sensitivity label in Office 365 Groups
Currently, there is no end-user setting to change the sensitivity label from Office365 Group settings, Microsoft Teams settings and Sharepoint site settings, but we can change sensitivity label from Azure AD portal β Groups β Select required Groups β Properties β change the label.
User Experience
For example, we created sensitivity label with following settings,
- Privacy β Private
- External user access β Disable
- Unmanaged devices -Block access
Privacy
When we apply that sensitivity label during Team creation, it will automatically select privacy as private.
External user access
In this example, we disabled external access in the sensitivity label, so we got βWe couldnβt find any matchesβ
Unmanaged devices
When we access that sensitivity label applied Teams or site from an unmanaged device, we will get the following error message.
