This post is about protecting information in your Teams, SharePoint, and Microsoft 365 group data by using Microsoft Information Protection (MIP) sensitivity labels. In July 2020 sensitivity labels were announced GA by Microsoft. It provides an answer on How to protect information in Teams, SharePoint Online and Microsoft 365 groups. In this post I walk through the configuration.

What are sensitivity labels?

Sensitivity labels are some kind of persistent data or information labels to protect sensitiv and business-critical information. The following security measures are available with sensitivity labels, in general:

• Enforce encryption or watermarks
• Cross platform/device content protection
• Third-party app and service content protection to detect, classify, label and protect content with Microsoft Cloud App Security, e.g. SalesForce, Box, DropBox
• Third-party app and service extensibility by using Microsoft Information Protection SDK
• Classify content (without protection)

Policy scoping or association options

For Microsoft Teams, 365 Groups and SharePoint Online you can decide or configure options/actions/exclusions based on

• privacy
• external user membership
• unmanaged device access

For instance, any Team, SharePoint Online Site, or M365 group created with a certain label can be forced to be a private one. In consequence, the owner is not allowed and cannot add external users plus users utilizing unmanaged devices can only access the contents via web access.

Requirements

Licensing

I’m not going into details regarding licensing requirements, therefore you can find a link at the bottom of this post. Please note, that there is a difference in license requirements depending on manual vs. automatic labeling. For the latter you need Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2.

Permissions/roles

To manage/create sensitivity label you must be assigned one of the following roles:

• Global Administrator
• Compliance Data Administrator
• Compliance Administrator
• Security Administrator

Enable sensitivity labels on Azure AD

To use sensitivity labels, you need to enable it first in Azure AD by using PowerShell, for example:

#https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels
Import-Module AzureADPreview
Connect-AzureAD

#Check if settings object exists or needs to be created first (that's missing in Microsoft Docs)
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
      $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

#Enable Microsoft Information Protection (MIP) labels
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Disconnect-AzureAD

How to create and publish labels?

In this section I walk through and show some settings based on screenshots, this is not yet for Microsoft Teams, SharePoint Online and Microsoft 365 Groups. A bit more down in this post you find a section showing the part and options for sensitivity labels in Teams. Nevertheless, the process, is similar for Teams, SharePoint, and groups.

To create labels you need to start in the Microsoft 365 security center.

Example – create a label

Be cautious about encryption settings because this can have make a big impact.

Finish this and repeat the above steps as often as required to have as much labels as required.

Example – Publish labels and create a label policy

Depending on the labels you’ve created and your security requirements regarding information protections and groups you can also repeat the above steps for different sensitivity label policies in case you need to differentiate between certain user groups and therefore different information/sensitivity labels and respective label policy assignments.

Example – Create sensitivity label for Teams, SharePoint Online Site and M365 group

For Microsoft Teams etc. the process is similar but as you can see in the following screenshots, you can edit already created labels to add the capabilities for Teams if there were labels already in place.

Here you must not forget to also configure SharePoint Online for this to cope with unmanaged device access to make it work.

Also, if you haven’t yet published labels, you’ll have to publish the newly created labels.

Please note, that it can take several hours for this to appear, I’d recommend waiting approx. up 24 hours.

Usage

The sensitivity label for Teams, SharePoint Online Sites and Microsoft 365 groups can than be applied/selected in the creation process in case you assigned the sensitivity label policy to the users which should be able to apply it.

Conclusion, opinion and summary

Sensitive labels are another good concept and means for your holistic security architecture concept to protection your organization’s information. It’s a central aspect for your Microsoft 365 service and information protection. However, the entry barrier is high because of the license requirements to use this advanced security capabilities.

Additional resources

• General Availability: Microsoft Information Protection sensitivity labels in Teams/SharePoint sites
• New capabilities for Teams Management | July 2020
• Learn about sensitivity labels
• Microsoft Information Protection [Licensing requirements]
• Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory