Tagged: SharePoint

Sensitivity labels in Teams, SharePoint sites and Microsoft 365 groups

This post is about protecting information in your Teams, SharePoint, and Microsoft 365 group data by using Microsoft Information Protection (MIP) sensitivity labels. In July 2020 sensitivity labels were announced GA by Microsoft. It provides an answer on How to protect information in Teams, SharePoint Online and Microsoft 365 groups. In this post I walk through the configuration.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/
Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

What are sensitivity labels?

Sensitivity labels are some kind of persistent data or information labels to protect sensitiv and business-critical information. The following security measures are available with sensitivity labels, in general:

  • Enforce encryption or watermarks
  • Cross platform/device content protection
  • Third-party app and service content protection to detect, classify, label and protect content with Microsoft Cloud App Security, e.g. SalesForce, Box, DropBox
  • Third-party app and service extensibility by using Microsoft Information Protection SDK
  • Classify content (without protection)

Policy scoping or association options

For Microsoft Teams, 365 Groups and SharePoint Online you can decide or configure options/actions/exclusions based on

  • privacy
  • external user membership
  • unmanaged device access

For instance, any Team, SharePoint Online Site, or M365 group created with a certain label can be forced to be a private one. In consequence, the owner is not allowed and cannot add external users plus users utilizing unmanaged devices can only access the contents via web access.



I’m not going into details regarding licensing requirements, therefore you can find a link at the bottom of this post. Please note, that there is a difference in license requirements depending on manual vs. automatic labeling. For the latter you need Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2.


To manage/create sensitivity label you must be assigned one of the following roles:

  • Global Administrator
  • Compliance Data Administrator
  • Compliance Administrator
  • Security Administrator

Enable sensitivity labels on Azure AD

To use sensitivity labels, you need to enable it first in Azure AD by using PowerShell, for example:

Import-Module AzureADPreview

#Check if settings object exists or needs to be created first (that's missing in Microsoft Docs)
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
      $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

#Enable Microsoft Information Protection (MIP) labels
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting


How to create and publish labels?

In this section I walk through and show some settings based on screenshots, this is not yet for Microsoft Teams, SharePoint Online and Microsoft 365 Groups. A bit more down in this post you find a section showing the part and options for sensitivity labels in Teams. Nevertheless, the process, is similar for Teams, SharePoint, and groups.

To create labels you need to start in the Microsoft 365 security center.

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 1

Example – create a label

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 2
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 3
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 4

Be cautious about encryption settings because this can have make a big impact.

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 5
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 6

Finish this and repeat the above steps as often as required to have as much labels as required.

Example – Publish labels and create a label policy

Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 7
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 8
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 9
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 10
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 11
Screenshot – Microsoft 365 security admin center \ classification \ sensitivity labels 12

Depending on the labels you’ve created and your security requirements regarding information protections and groups you can also repeat the above steps for different sensitivity label policies in case you need to differentiate between certain user groups and therefore different information/sensitivity labels and respective label policy assignments.

Example – Create sensitivity label for Teams, SharePoint Online Site and M365 group

For Microsoft Teams etc. the process is similar but as you can see in the following screenshots, you can edit already created labels to add the capabilities for Teams if there were labels already in place.

Edit existing labels
Check Group & Sites
Decide for each label how you want to protect groups and sites
Decide on the privacy configuration and external access
Decide on the device access for unmanaged devices
Now you’ve got some labels

Here you must not forget to also configure SharePoint Online for this to cope with unmanaged device access to make it work.

Also, if you haven’t yet published labels, you’ll have to publish the newly created labels.

Please note, that it can take several hours for this to appear, I’d recommend waiting approx. up 24 hours.

If you create a new [Teams] Team it should look like this with the sensitivity label option
In Azure AD groups you can also see and select a label for existing groups


The sensitivity label for Teams, SharePoint Online Sites and Microsoft 365 groups can than be applied/selected in the creation process in case you assigned the sensitivity label policy to the users which should be able to apply it.

Conclusion, opinion and summary

Sensitive labels are another good concept and means for your holistic security architecture concept to protection your organization’s information. It’s a central aspect for your Microsoft 365 service and information protection. However, the entry barrier is high because of the license requirements to use this advanced security capabilities.

Additional resources

Safe attachments and links to protect your Office 365 collaboration

In this post I describe how you can configure safe attachments and safe links in Microsoft Office 365 Advanced Threat Protection (ATP) to make your communication and collaboration a more secure. It is for your Office 365 workloads (SharePoint Online, OneDrive for Business, Exchange Online and Microsoft Teams).

Please note, that is is just one of many measures to secure your communication and collaboration in Microsoft Office 365. This is only a single part – well, two capabilities – of a more holistic and required security architecture concept. Moreover, the below description, configuration etc. might change anytime and is just an example, demo piece.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/


Let me describe it as follows short and simplified:

What are Safe Links?

Safe Links are (hyper)links/urls which are pre-checked (in a sandbox) before a user opens the link. This “pre-check” is built to check if the website behind the link is ok or might be bad, start to download malware or something else which might harm your system/s.

What are Safe Attachments?

Safe Attachment[s] is a feature which checks attachments and tries to detect if it is malicious.


You need a subscription which includes Microsoft [Office] 365 Advanced Threat Protection (ATP).

To configure this your administrative Office 365 account must have the global admin, security admin or Exchange Online Organization Management role assigned.

Configuration overview and walk-through

For both, you can start at https://security.microsoft.com/securitypolicies in the Microsoft 365 Security portal.
The following screenshots depict what I configured, so you can of course configure it another way depending on your needs and requirements.

1 Open https://security.microsoft.com/securitypolicies
2 Policies
3 + 4 Configure each (ATP safe attachments + ATP safe links)

ATP Safe Attachments

1 Enable ATP for SharePoint, OneDrive and Teams
2 Save it, to enable it
3 Protect attachments – create a new safe attachments policy

1 + 2 Give it a name + description
3 Configure handling
4 + 5 Enable redirect of potentially maliciouse attachements to another mail [don’t use a usual mailbox, create a “dumpster mailbox” just for that purpose]
6 Configure condition/s / exception/s
7 Save it

Validate input and check if the policy is enabled and the priority fits in case you create several policies.

ATP Safe Links

1 Configure the default Safe Links organization policy
2 Create Safe Link policies for specific recipients

1 Enable it for all Office 365 Apps, … iOS and Android
2 Configure “reporting” + handling

1 + 2 Give it a name + description
3 Turn it on
4 Enable real-time scanning for URLs including content for download
5 Enable it internally, too
6 Configure “reporting”
7 Enable – disables users to click the original URL from the warning page if it is blocked

1 Configure condition/s / exception/s

Validate input and check if the policy is enabled and the priority fits in case you create several policies.

Finally, test and verify your configuration. Regularly take a look into your security reports to enhance your configurations. Plus, don’t forget from time to time to check out what has changed to keep your security configurations always at a current level.

Conclusion, opinion and summary

Safe Links and Safe Attachments are very helpful features in Microsoft Office 365 to make your communication and collaboration more secure regarding sending/receiving links and attachments. These two features are options to increase your security setup with Office 365. I think it might be a good idea to enable it if you do not yet have something like this in place already.

Although it makes links and attachments safe[r] there are more and more advanced/intelligent threats and approaches available to trick and compromise users and systems. So, admin and user security awareness is also essential although you can get rid of many threats with a holistic security architecture and technical solution or service implementations.

Additional resources

B2B Sync with OneDrive for Business and SharePoint Online

In this post I like to highlight a highly handy feature update “B2B sync” regarding Microsoft OneDrive for Business for “inter-org collaboration”.

B2B sync enables users to sync not only OneDrive for Business and SharePoint Online data of their organization but of other organizations, too! This means that your collaboration experience becomes much better because if you are a guest of an external Team, which is of course hosted in another Office 365 tenant, you’ll be able to sync files from this SharePoint Online, too.

Source: https://pixabay.com/illustrations/download-cloud-icon-network-2013195/

Conclusion, opinion and summary

I like this feature because this enables you to have much more synced data exchange and collaboration with external parties also having Office 365 incl. SharePoint Online and OneDrive for Business. So, you do not need to down-/upload files via browser.

Additional resources

Speaking at abtis Microsoft Bustour 2019

Soon, I’ll speak at the Microsoft Germany HQ in Munich (09/07/2019). The event and speakers cover different topics all around the digital future, e.g. modern teamwork, interactiv conferencing systems, AI, bots, big data/analytics, hybrid data center. The event is organized by abtis and Microsoft. It’s really extraordinary because attendees and speakers not located in Munich will travel by bus to Microsoft Munich and can take the chance to ask and discuss during the time in transit.

I’ll talk about digitize and automate processes. My session “Prozesse digitalisieren und automatisieren” is about Microsoft Flow, SharePoint Online and Office 365. I’ll focus on Microsoft Flow to automate processes and I show a demo to provide an understanding of what Flow can do for you to easily digitize and automate processes.

Additional Resources

Automatically mount SharePoint Team Site Libraries for OneDrive sync in File Explorer

Microsoft rolls out a new capability which enables administrator to automatically mount / add a specific SharePoint Team Site Library being synced for users (cp. M365 Roadmap).

M365 Roadmap – Feature ID 27031 (June 2019)

Configure SharePoint Team Site Libraries Auto-mount

To configure the auto-mount you need to configure a group policy which configures the users OneDrive sync settings. (cp. link “Configure team site libraries to sync automatically”)

Prereqs, requirements and limitations

Please note that there are certain prereqs, requirements and limitations before you can start.

  • Windows 10 1709 or later
  • Library must have below 5000 files/folders.
  • Not for 1000+ devices
  • Sync is applied next time the user signs in but it can take some time until the sync starts.
  • A user cannot stop the sync.
  • You need the OneDrvie GPO Template (OneDrive.adml, ..admx) in your central GPO store (e.g. erik-klefeldt.de\sysvol\domain\Policies\PolicyDefinition) …
  • This might be subject to change (June 2019).

Configuration steps overview

  1. Create a new GPO
  2. Configure the GPO based on your needs, applied to a OU and add WMI-filtering for a more granular scoping, if needed
  3. Add the SharePoint Team Site Library ID to the GPO
  4. Verify that the GPO is applied
  5. (Verify the reg key [HKCU\Software\Policies\Microsoft\OneDrive\TenantAutoMount]”LibraryName”=”LibraryID”)
  6. Verify that it syncs on the devices

Conclusion, opinion and summary

Easy to configure, isn’t it? In my opinion it might help you to move and simplify a migration from legacy files shares to SharePoint Online. It enables you as administrator to manage a smooth transition from file shares/services towards SharePoint Online and really adds a convenient way and comfortable user experience because your users do not need to manually add the library to their OneDrive sync and “map” the SharePoint Online Team Site Library on their device.

Additional Resources