Tagged: Microsoft 365

Approvals in Microsoft Teams

In this post I highlight the approvals app in Microsoft Teams. The app is now generally available from Wednesday, 13th 2021. The app enables you to build, manage and view approvals centrally in Microsoft Teams. You can directly create new approval requests within the approvals app or see other approval processes in which you are involved. The app can be installed using the Teams app store if your Teams app permission policies are permit it.

approvals app in Microsoft Teams

After you have installed the app you can see and mange existing approval processes which you may have based on Power Automate etc. Otherwise you will find a blank approval page where you can start to build your approval processes.

approvals dashboard for received approvals in Microsoft Teams

As you can see in the next picture, you can create a new approval request including

  • a request title,
  • approvers,
  • responder requirement,
  • a description,
  • an attachment
  • and a custom response, optionally, which then must be used by the approvers.
approval request creation in the approvals app in Microsoft Teams

If you are using it the first time it might take some time till it is set up for your organization.

approvals is set up to be used in your Microsoft 365 tenant
sent approval request in approvals app in Microsoft Teams

On the other side the approver gets an activity in her feed to approve or decline the request.

approval request on the approver’s Microsoft Teams
approved approval request in Microsoft Teams

Of course, if enabled, you can utilize approvals directly within Teams. But not only the approvals from Teams itself, but approvals from Power Automate and this offers a rich extensibility due to the fact that there are 350+ connectors like AzureDevOps etc.

Microsoft also announced further integrative features coming soon. For example, capturing electronic signatures, so that you can sign a document digitally, for instance with Adobe Sign.

For further details and training resources (training videos, teams approvals app availability, extending approvals, installing the approvals app manually, approvals look book) you can visit the official announcement to gain access to training material and the approvals look book to help you learn it in more detail and find suited use cases for your organization.

Conclusion, opinion and summary

In my opinion approvals in Teams is a great solution to have a central dashboard for your approval processes. And it is enriched with other approval workflows which you might run based on Microsoft Power Automate. If not you could consider it for more integrative workflows in the future.

Additional resources

Attach a SharePoint Online site as a Microsoft Teams app to the Microsoft Teams navigation bar

This post describes how you can easily add a SharePoint Online site into Microsoft Teams as an app in the Teams navigation bar. There are several ways how you can achieve the result. Hereinafter, I describe an approach to create and use a SharePoint Online standalone app in Teams which is currently (Jan 2021) still in preview and might be subject to change at any time.

Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/
Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/

Microsoft also announced in fall 2020 that there will be more integrated app for a SharePoint Online Intranet in Microsoft Teams, which is called SharePoint home site app. This is planned to be released in March 2021 as the current Microsoft 365 roadmap states. For details on this, please also see the links at the bottom of this post.

Source: Microsoft 365 Roadmap Featured ID 66584


You might want to enable employees using Microsoft Teams with easier access to a certain SharePoint Online site, for instance, your company’s intranet. Furthermore, you might want that the most important information can be found directly in Microsoft Teams without leaving. So, there won’t be any need to open the a separat web browser to access your intranet site. In this article you can read and see how this could look like.

Microsoft Teams on Windows – SharePoint Online site in Microsoft Teams navigation

Screenshot – Microsoft Teams on Windows – SharePoint Online site in Microsoft Teams navigation

Microsoft Teams on iOS- SharePoint Online site in Microsoft Teams navigation

Screenshot – Microsoft Teams on iOS- SharePoint Online site in Microsoft Teams navigation


First of all, are there requirements to make this work? Yes, there are. Basically, you might have to configure settings that allow apps in your tenant and Teams (org-wide app settings, permission policies, setup policies). This depends on your configuration as-is. Furthermore, this works only with modern SharePoint site or page (in SharePoint Online). Plus it’s in preview (Jan 2021). Mobile support is developer preview as the documentation states.

How to create a Microsoft Teams SharePoint Online standalone app Steps (example)

In this section l described what steps are required and guide you through with some screenshots.

  • Go to your target SharePoint Online site or page you want to add
Screenshot – SharePoint Online Intranet example site
  • Copy the URL somewhere so that you can use it as needed later on
  • Install Teams App Studio (if not installed) via the Teams App Store
  • Open App Studio in Teams
  • Go to the Manifest editor
  • Create a new app
  • Fill out the app details, e.g. App name, description …
  • Generate a App ID by clicking the button “Generate”
  • Enter an unique package name like com.domain.teams.apptestxyz
  • Enter a version number
  • Complete the description area
  • Fill out the developer information
  • Fill out the app URLs
  • Customize the app icon (optional)
  • Go ahead to “Tabs” on the left
  • Add a personal tab
  • Fill out the personal tab details, e.g. Name
  • Enter a unique entity ID, I go with the creation date in this case. If you create more personal tabs you might want to append the time e.g. 202012280930.
  • Use and prepare the earlier copied SharePoint Online site or page URL

The content URL must look like this, for example: https://<yourtenant-unique-anem>.sharepoint.com/_layouts/15/teamslogon.aspx?SPFX=true&dest=/sites/erikslabintranet/SitePages/Home.aspx
Alternatively, you can also use a syntax as described in the documentation, e.g. https://contoso.sharepoint.com/sites/ContosoHub/_layouts/15/teamslogon.aspx?SPFX=true&dest=/sites/ContosoHub even if this is a hub site as I tested this it only showed the primary page and not the hub pages as such with it’s SharePoint hub site navigation.

  • If your are done with adding personal tabs, go to domains and permissions
  • Check that your SharePoint Online root URL is listed in “Domains from your tabs”
  • Configure SSO with AAD
  • Enter the static AAD App ID 00000003-0000-0ff1-ce00-000000000000
  • Enter the SSO URL for your SharePoint Online root URL
  • Go to test and distribute in the left hand navigation bar
  • Install the app in your Teams client for your user to test it
  • Pin the app to your Teams navigation for testing
  • After successful tests you can download and/or publish the app for Teams.
  • If you download the app you get a zip-file and/or can upload it via the Teams Admin center or in the Teams Client in the apps space. Depending on your permissions/configuration.

Deploy the app to targeted users

Finally, you can rollout the app to users via the Teams Admin Center.

  • Go to the manage apps section
  • Check if your app is available (upload the zip or permit the submitted/uploaded custom app)

Please note, that publishing (see prevouse steps “test and distrbute” and submitting an app might take some time to complete. In my case it took (very) long.

Now, that there is the app you can configure a setup policy to assign the app to the Microsoft Teams navigation.

  • Create a new custom setup policy or use an existing setup policy
  • Add your app to be pinned in the Microsoft Teams navigation bar for users who’ll get the setup policy assigned

That’s it. You’ve now have deployed a standalone SharePoint Online app to Microsoft Teams.

Conclusion, opinion and summary

The described configuration is straightforward and easy to implement. As mentioned at the start, it’s just one approach which can be used.

What I discovered during my tests is that I was unable to directly use the SharePoint Online root site which did not work for me as I tested it. Also, I could not find a way with this method to fully integrate a hub site with its “native” SharePoint Online Hub Site navigation. Maybe this is possible but as far as I tested it, it did not work the way I tried it.

In my opinion, to attach a SharePoint Online site or several sites as a tab to the Microsoft Teams navigation bar is easy and suited as-is for fewer SharePoint Online sites with no need of a more complex navigation. For more sophisticated SharePoint Online sites you might need to use another option to integrate your SharePoint Online Intranet to Microsoft Teams, e.g. Power Apps. Or you might wait some more time until you can test the SharePoint Home Site App which might be available after March 2021.

Additional resources

Survivable Branch Appliance for Microsoft Teams Direct Routing

This post describes what a SBA for Teams Direct Routing is and how it can increase your telephony reliability and service availability. At the time of writing this post, the SBA is in public preview.

Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/
Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/

What is a SBA?

A survivable branch appliance (SBA) is an on-premise service component to deal with an outage and keep (basic) telephony going for Microsoft Teams Direct Routing. Maybe you’ve already heard about this in the past in regards of Skype for Business Server and Enterprise Voice. A SBA provides voice resiliency towards the case that the sip trunk connection between Microsoft 365 Phone System and a Session Border Controller (SBC) fails. In anticipation of this worst case scenario the SBA keeps you telephony online as long as this affects only the link between SBC, Teams Clients and Microsoft 365 [Teams] Phone System.

The SBA code is provided by Microsoft to SBC vendors which embed it or provide it separately, e.g. for operation on a virtual machine.

Microsoft Teams Direct Routing – SBA Architecture Overview

In case the SIP trunk between SBC and PSTN provider fails, too, there is no more telephony possible. Except you have any re-routing and other high availability configurations in place.

Please note, you should have a holistic high availability concept in place if you heavily rely on these services. To do so you’ll have to start from the bottom up (building’s connections, building’s cabling, building power supply, provider connectivity (options), cloud & IT infrastructure …).

Architecture Overview

The following drawing depicts the SBA as a part of a Teams Direct Routing deployment and it’s capabilities in case of a temporary connection outage between SBC and Microsoft 365 [Teams] Phone System

Microsoft Teams Direct Routing – SBA Capability Overview

Assumptions, requirements and parameters

  • Teams Direct Routing for the (branch) site is configured for media bypass (SBC + Teams Phone System)
  • PSTN (SIP) Trunk is still online and fully operational
  • All (local) clients are still able to connect to the (local) SBC/SBA
  • SBA supports TLS1.2
  • Supported Microsoft Teams DR SBA clients: Windows and MacOS

Known issues and limitations

The most important issues or limitations which are listed on the products documentation are as follows:

  • No reverse number lookup against Azure AD contacts
  • No support for call forwarding settings
  • No support for for dynamic emergency calling (E911)

Conclusion, opinion and summary

At the moment the SBA capabilities are rather limited in particular the supported clients, which are Windows and MacOS only. So, no desk phones or lobby phones which to me might be more relevant because these devices are often used as emergency devices. However, in many cases I’ve seen that there are still analog devices deployed which removes the dependency towards the Microsoft 365 Phone System anyway. Or people have mobile devices with sufficient cell coverage for (emergency) calls.

It’s a start to have a SBA and has the potential to increase resiliency at branch sites for people in the office in front of a PC or Mac. My first thoughts on deploying a SBA – It could be placed where your internet link is very shaky and unreliable but on the second thought – asking – is there is a local PSTN connection (is it SIP and going over the same internet link)? Well, if you have a (single) shaky internet link which is used for the SBC to connect to the Microsoft 365 Phone System as well as the your PSTN SIP Trunk – there is no added value for a SBA because your local branch telephony will fail if your internet link fails.

In my humble opinion it might make sense to deploy a SBA in scenarios where your PSTN connection is not dependent on the same local shaky internet breakout, e.g. PSTN via (old) E1/T1 or other local dedicated PSTN connection (other internet breakout for voice-only).

Based on the above three more thoughts and questions came to my mind:

  1. Is there no way to get a more reliable internet connection to that (branch) site or are backup link via LTE, StarLink/Satelite or else?
  2. What’s the (cumulated) downtime for Microsoft 365 Phone System or Teams over one year impacting your business? … 8, 4, 1 hours/year? [I haven’t found any statistics regarding this.]
  3. Is there a real need for a SBA at that branch site?
    [I mean, if there is no internet, is your branch staff still able that they can work at all?]

Although I haven’t heard or ready anything regarding this, I hope that the SBA will get support for Teams IP phones, too, in the next several months.

Additional resources

Microsoft Teams UX improvements for calling

This post is about a planned change for the Microsoft Teams user experience (UX) in the call section for Teams on Windows and Mac. Microsoft announced in fall 2020 that simplifications in the user experience are in development. In December the announcement could be read in the Microsoft 365 message center with the message ID MC229945. The update says that you’ll have a more compact view in the section for calls which shows contacts, voicemail and calling history on the same page. As of now, the rollout of the change is planned to begin in mid Januar 2021.

Source: Microsoft 365 Admin Center Message Center Message ID MC229945

Conclusion, opinion and summary

This change is really helpful because it will save you time by avoiding several clicks to find or get to what matters most for telephony. I’m looking forward to this, especially because this is a great improvement for the user experience. Users will get the most important information and options in the calling section directly at a glance without the need to find the required information (contact, call history…) in any sub-menu.

Additional resources

Optimize Microsoft Teams notifications on Windows 10

A few days I ago I noticed that Microsoft Teams was updated and enabling nativ Windows notifications. This is a very welcome change which helps you to use the Windows notifications instead of the Teams one. At the time of writing this post the feature seems to be in public preview.

This post explains where you can switch on Microsoft Teams notifications to use Windows 10 notification capabilities.

Microsoft 365 Roadmap Microsoft Teams: Windows native notifications in Teams Feature ID: 66742

Switch to Windows 10 notifications in Teams

In the settings area of Microsoft Teams on Windows 10 you can go to the notification section and change the notification settings to what you prefer, as depicted below.

Screenshot Microsoft Teams settings
Screenshot Microsoft Teams settings \ notifications

Notifications in Windows 10 action center

To make this work your Windows 10 notifications must be turned on. You can configure notifications in Windows 10 in the system’s settings. To go there follow the listed steps below.

  • Open Start
  • Open settings
  • Go to system
  • Go to notifications & actions

In this notification area you can furthermore decide which apps are allowed for sending notifications. At this point you should scroll through the senders list and check if Microsoft Teams is listed and enabled to send you notifications. That’s it.

Conclusion, opinion and summary

A better notification integration in Windows 10 was overdue in my opinion. Lately, I was experiencing a disturbing notification behavior so that notifications did not pop up in front of any other open window on Windows 10. This was a little bit uncomfortable because in case I was working with other apps especially in full screen I had to minimize the full screen app to see and answer an incoming message or call. Of course, you might say in case of answering a call, that I could just press a button on your headset or put it on, true. But I’m used to see and decide based on the incoming notification how I’ll deal with it, answering a call now, answering a message now or later or else. I’m not saying that this was not possible, what I’m saying is that lately the native Teams notification behavior took me more time to reach the same goal. By using Windows 10 notifications for Teams the behavior for notifications is better as far as I tested it.

Additional resources

Microsoft Skype for Business Online Connector EOL

In this post I want to highlight that Microsoft announced the end of life (EOL) of the Skype for Business Online Connector. It can be read in the Microsoft 365 Message Center notification MC230065 Skype for Business Online Connector retirement. The SFBO Connector was needed to connect to Skype for Business Online (SFBO) to run remote PowerShell cmdlets for SFB Online. However, this is no longer needed due to the fact that Microsoft has merged the SFBO cmdlets into the Microsoft Teams PowerShell module. You have time till February 15, 2021 to change and update your scripts to use the new Teams module if not done yet.

Source: https://cdn.pixabay.com/photo/2016/07/28/23/39/cottage-1550083_960_720.jpg

Connect to Teams and SFBO with PowerShell

Here, I put together how you can connect to Microsoft Teams and also use Skype for Business Online cmdlets. You might want to uninstall the SFBO connector module first to avoid cmdlet interferences.

#Connect to Teams and SFBO
#Download and install module from online repo
Install-Module MicrosoftTeams
#Import module
Import-Module MicrosoftTeams

#Connect Teams
#Connect SFBO
$sfboconnection = News-CsOnlineSession <youradminupn>
Import-PSSession $sfboconnection -DisableNameChecking -AllowClobber

###your script code###

#Disconnect sessions
Remove-PSSession $sfboconnection

Additional resources

Microsoft Teams Call Queue and Attendant Reporting with Power BI

In this post I describes how you can get some reporting for your Microsoft Teams Call Queues and Auto Attendants by using Microsoft Power BI. Microsoft recently added reporting capabilities for Teams Call Queues and Auto Attendants which show you some data on:

  • Auto Attendant | calls to Auto Attendants
  • Call Queue | calls to Call Queues
  • Agent Timeline | agent activity in calls via Call Queues
Source: https://pixabay.com/vectors/statistic-survey-website-template-1606951/


  • Power BI subscription
  • Power BI desktop app (can be download in the Microsoft Store)
  • Power BI CQD Power BI Query Templates https://www.microsoft.com/en-us/download/details.aspx?id=102291
  • Teams Call Quality Dashboard (CQD)
  • Teams Call Quality Dashboard (CQD) access permissions
  • Microsoft Teams Tenant Data Location, actually the CQD data pipeline region

Get Microsoft Teams Tenant Data Location

#Connect to Teams (optional)
Connect-Microsoft Teams
#Connect to SFBO
$sfbosession = New-CsOnlineSession
Import-PsSession $sfbosession

#Get your tenant overview (optional)
#Get your cqd data pipeline region
#Save the output in notepad, to re-read it later, if required

#Disconnect – THX
Remove-PsSession $sfbosession

Result example

Ready PowerBi

  • You now have to download the CQD Power BI Query Templates.
  • Unzip the CQD-Power-BI-query-templates.zip

It should look like this in your file explorer.

  • Open “CQ and AA combined Analytics 20201105.pbit” using PowerBI
  • Select the correct region
  1. Click on “Load”
  2. You’ll get asked to authenticate (it might popup in the background)

So, data is getting fetched/updated.

See results

It might open the report with sample data, that’s why you need to click refresh in the PowerBI menu pane.

After this you should be able to see some data if you were already using Microsoft Teams Call Queues and Auto Attendants and there is some data. In my case there is not much data because this is my test tenant with not so much data.

After you’ve accomplished to see the data you might want to publish it into your Power BI workspace so that you can easily access it in the future or even share it with your fellow Teams Voice administrators or else.

There are two known issues as stated on the documentation but I’m sure that they’ll be resolved soon.

Conclusion, opinion and summary

Although the feature and reports are in preview – at the time of writing this post – it looks very promising. It helps you to see and understand what was going on with your Teams Call Queues und Auto Attendants. Moreover, the other Power BI reports may also help you to better visualize and understand your Teams metrics to improve your service operations for your telephony with Microsoft Teams.

Additional resources

Teams Meeting Recording button greyed out

In this post I want to write up how you can enable to store meeting recordings when the recording button for meetings is greyed out. As of now, if your Microsoft 365 tenant with its Teams data is located in a Microsoft data center region – where the Microsoft Stream service is not running – you cannot or you were unable to record meetings in Teams. Due to the fact that this is very unhandy Microsoft recognized this constrained and added an option to enable recordings if the Teams and Stream data location is not alike. The Teams data location, you can check in your Microsoft 365 Admin Center\Settings\Org-wide settings\Organisation Profile\Data Location.

Source: Microsoft 365 Roadmap

So, to fix the greyed out meeting recording button you have to use PowerShell to enable AllowRecordingStorageOutsideRegion. Please note, that you must have completed all the other prerequisites, too, e.g. correct license assigned to user/s, correct policy with meeting recordings enabled assigned etc.

#Teams Meeting Recording
#Enable meeting recordings if Teams and Stream data are not alike
#Example code 
#Still using the old SFBO module you can also use the new way/Teams module for this
Import-Module SkypeOnlineConnector
if ($cred -eq $null) {$cred = Get-Credential}
#W/O MFA: 
$sfbosession = New-CsOnlineSession -Credential $cred
#$SFBOsession= New-CsOnlineSession ADMIN-UPN
#Import module
Import-PSSession -Session $sfbosession -AllowClobber
Set-CsTeamsMeetingPolicy -Identity Global – AllowCloudRecording $true -AllowRecordingStorageOutsideRegion $true
<#Please note
although it's set quickly it can take quite some time till it is really applied.
Remove-PsSession $sfbosession

I hope this helps.

Additional resources

Reverse Number Lookup Enhancements in Microsoft Teams Calling

This post is about enhancements in Microsoft Teams Calling regarding the reverse number lookup (RNL). It’s an incredibly important and small feature with high impact on usability for Teams calling capabilities.

In general, RNL resolves a caller’s phone number to contact information (for instance the contact’s display name). E.g. if +49 711 987654321 is calling me and this number is stored in my contacts as Anna it will tell me that she called me in my journal etc.

Microsoft’s 365 roadmap says that the following aspects are improved:

  • Display name in your Activity Feed
  • Display name in your Call History
  • Display name in your Voicemail
Source – Microsoft 365 Roadmap – Feature
Screenshot – Teams Contact
Screenshot – Teams Call History
Screenshot – Teams Voicemail
Screenshot – Teams Activity Feed
Screenshot – Teams Voicemail in Outlook – my status was away

Conclusion, opinion and summary

As far as I could see, it’s already live in my tenant. Still, obviously not the full display name is shown in the activity feed. It looks like it is trimmed to the first word of the display name.

I’m hoping to see the full name there, too, or a changed order, e.g. the last word of the display name (last name, usually). The latter is helpful especially if you receive many calls a day from people outside your organization. For what I can say, here in Germany, it’s more common to talk to someone using his/her last name except you already know the person for a longer period and/or agreed on a more informal form to talk to each other using “Du” instead of “Sie”. That’s why it would be nice to see the full name directly in the activity feed, too, in case you directly call back the caller listed in your activity feed as missed called.

Additional resources

Sensitivity labels in Teams, SharePoint sites and Microsoft 365 groups

This post is about protecting information in your Teams, SharePoint, and Microsoft 365 group data by using Microsoft Information Protection (MIP) sensitivity labels. In July 2020 sensitivity labels were announced GA by Microsoft. It provides an answer on How to protect information in Teams, SharePoint Online and Microsoft 365 groups. In this post I walk through the configuration.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/
Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

What are sensitivity labels?

Sensitivity labels are some kind of persistent data or information labels to protect sensitiv and business-critical information. The following security measures are available with sensitivity labels, in general:

  • Enforce encryption or watermarks
  • Cross platform/device content protection
  • Third-party app and service content protection to detect, classify, label and protect content with Microsoft Cloud App Security, e.g. SalesForce, Box, DropBox
  • Third-party app and service extensibility by using Microsoft Information Protection SDK
  • Classify content (without protection)

Policy scoping or association options

For Microsoft Teams, 365 Groups and SharePoint Online you can decide or configure options/actions/exclusions based on

  • privacy
  • external user membership
  • unmanaged device access

For instance, any Team, SharePoint Online Site, or M365 group created with a certain label can be forced to be a private one. In consequence, the owner is not allowed and cannot add external users plus users utilizing unmanaged devices can only access the contents via web access.



I’m not going into details regarding licensing requirements, therefore you can find a link at the bottom of this post. Please note, that there is a difference in license requirements depending on manual vs. automatic labeling. For the latter you need Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2.


To manage/create sensitivity label you must be assigned one of the following roles:

  • Global Administrator
  • Compliance Data Administrator
  • Compliance Administrator
  • Security Administrator

Enable sensitivity labels on Azure AD

To use sensitivity labels, you need to enable it first in Azure AD by using PowerShell, for example:

Import-Module AzureADPreview

#Check if settings object exists or needs to be created first (that's missing in Microsoft Docs)
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
      $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

#Enable Microsoft Information Protection (MIP) labels
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting


How to create and publish labels?

In this section I walk through and show some settings based on screenshots, this is not yet for Microsoft Teams, SharePoint Online and Microsoft 365 Groups. A bit more down in this post you find a section showing the part and options for sensitivity labels in Teams. Nevertheless, the process, is similar for Teams, SharePoint, and groups.

To create labels you need to start in the Microsoft 365 security center.

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 1

Example – create a label

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 2
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 3
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 4

Be cautious about encryption settings because this can have make a big impact.

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 5
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 6

Finish this and repeat the above steps as often as required to have as much labels as required.

Example – Publish labels and create a label policy

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 7
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 8
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 9
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 10
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 11
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 12

Depending on the labels you’ve created and your security requirements regarding information protections and groups you can also repeat the above steps for different sensitivity label policies in case you need to differentiate between certain user groups and therefore different information/sensitivity labels and respective label policy assignments.

Example – Create sensitivity label for Teams, SharePoint Online Site and M365 group

For Microsoft Teams etc. the process is similar but as you can see in the following screenshots, you can edit already created labels to add the capabilities for Teams if there were labels already in place.

Edit existing labels
Check Group & Sites
Decide for each label how you want to protect groups and sites
Decide on the privacy configuration and external access
Decide on the device access for unmanaged devices
Now you’ve got some labels

Here you must not forget to also configure SharePoint Online for this to cope with unmanaged device access to make it work.

Also, if you haven’t yet published labels, you’ll have to publish the newly created labels.

Please note, that it can take several hours for this to appear, I’d recommend waiting approx. up 24 hours.

If you create a new [Teams] Team it should look like this with the sensitivity label option
In Azure AD groups you can also see and select a label for existing groups


The sensitivity label for Teams, SharePoint Online Sites and Microsoft 365 groups can than be applied/selected in the creation process in case you assigned the sensitivity label policy to the users which should be able to apply it.

Conclusion, opinion and summary

Sensitive labels are another good concept and means for your holistic security architecture concept to protection your organization’s information. It’s a central aspect for your Microsoft 365 service and information protection. However, the entry barrier is high because of the license requirements to use this advanced security capabilities.

Additional resources