M365 was recently updated to allow admins to enable sensitivity labels on Microsoft 365 groups and SharePoint sites. This means that any container in M365 supported by a Microsoft 365 or SharePoint group can have sensitivity controls applied. This includes Microsoft Teams and OneDrive for Business. In this post, we'll walk through the steps to enable sensitivity labels for your tenant's SharePoint sites and M365 groups.
Enable sensitivity labels for Office files in SharePoint and OneDrive
The feature being enabled is called "Sensitivity labels for Office files in SharePoint and OneDrive", but the name is misleading. It doesn't actually set sensitivity labels on the content inside the container. Instead, it adds support for sensitivity labels through the following features:
- Users can use Microsoft Search to find files stored in SharePoint and OneDrive and protected (encrypted) by Microsoft Information Protection.
  - Note: This doesn't give them access to the files, but it does make them discoverable. Previously, even if a user had access to the file, they couldn't find it with search.
- Even if files are encrypted, DLP policies can be applied to content in SharePoint Online and OneDrive for Business.
- Users can collaborate on files in SharePoint and OneDrive that are protected (encrypted) by Microsoft Information Protection using Microsoft Word Online, Excel Online, and PowerPoint Online.
- The sensitivity label of a file in SharePoint and OneDrive can be displayed in a built-in sensitivity metadata column.
The feature can be enabled through the management console or PowerShell.
Enabling through the Compliance Center
- Navigate to https://compliance.microsoft.com
- Click Show All
- Click on Information Governance
- If the feature has not yet been activated, you will see a banner with information about the feature and a button to activate it. Clicking the button will activate the feature immediately.
Activate via PowerShell
Use the SharePoint Online Management Shell to sign in to your tenant from PowerShell. To enable the feature, run the following command:
```powershell
Set-SPOTenant -EnableAIPIntegration $true
```
Enable sensitivity labels on Microsoft 365 groups and SharePoint sites
The previous step doesn't get us where we want to go. It will provide additional support for content with sensitivity labels within the containers themselves, but enabling sensitivity labels for Microsoft 365 groups and SharePoint sites allows controls to be applied directly to a site based on the sensitivity label assigned to it. See Creating a Sensitivity Label for Groups and Sites for more information on this feature.
Enabling the feature requires using the Azure AD PowerShell module.
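```powershell
Install-Module AzureADPreview
# Sign in with global admin credentials
Connect-AzureAD
# Fetch the tenant's Group.Unified directory setting
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
# Show the current values before changing anything
$Setting.Values
# Turn on sensitivity label support for groups and write the setting back
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
```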
The final step is to connect the Microsoft 365 Compliance Center to Azure AD (for unified label integration). This is done with the Exchange Online V2 (EXO V2) PowerShell module.
```powershell
Import-Module ExchangeOnlineManagement
# UPN is your account in User Principal Name format (for example, drever@mydomain.com)
Connect-IPPSSession -UserPrincipalName <UPN>
# Synchronize sensitivity labels to Azure AD
Execute-AzureAdLabelSync
Disconnect-ExchangeOnline
```
Once these features are enabled, sensitivity labels can now be applied directly to M365 groups and SharePoint sites.
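The directory-setting step above assumes a Group.Unified settings object already exists in the tenant; where none has been created, the lookup returns nothing and the `Set-` call has no Id to target. The following is an added example, not part of the original post: it creates the setting from the built-in template when it is missing and reads the value back to confirm it was stored. The function name `Enable-MipLabelsForGroups` is hypothetical, and the script assumes the AzureADPreview module is installed.

```powershell
# Added example: idempotent enable-and-verify for EnableMIPLabels.
# Assumes AzureADPreview is installed and you sign in as a global admin.
Import-Module AzureADPreview
Connect-AzureAD

function Get-GroupUnifiedSetting {
    # Returns the tenant's Group.Unified directory setting, or nothing if absent.
    Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

function Enable-MipLabelsForGroups {   # hypothetical helper name
    $setting = Get-GroupUnifiedSetting

    if (-not $setting) {
        # No settings object yet: build one from the built-in template.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $setting = $template.CreateDirectorySetting()
        $setting['EnableMIPLabels'] = 'True'
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    }
    else {
        # Setting exists: update it in place (safe to repeat).
        $setting['EnableMIPLabels'] = 'True'
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting | Out-Null
    }

    # Re-read from the directory so the result reflects what was stored,
    # not the local object that was just modified.
    $stored = (Get-GroupUnifiedSetting).Values |
        Where-Object { $_.Name -eq 'EnableMIPLabels' }
    return ($stored.Value -eq 'True')
}

if (Enable-MipLabelsForGroups) {
    Write-Output 'EnableMIPLabels is True for Group.Unified.'
}
else {
    Write-Warning 'EnableMIPLabels is not True; check admin role and module version.'
}
```

Run it before the label sync step, so that `Execute-AzureAdLabelSync` runs against a tenant where the setting is confirmed on.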
Thanks for reading!