Monday, November 9, 2020

Enable sensitivity labels for SharePoint sites, Teams and O365 groups

Sensitivity labels help you maintain content in your organization. Unlike classification labels, which are more like additional metadata for O365 groups/SP sites where custom policies have to be enforced by internal tools or custom PowerShell scripts (i.e. they don’t have O365 policies assigned to them), sensitivity labels have policies behind them and let you use the O365 infrastructure to maintain sensitive data in your organization.

Sensitivity labels may be enabled from several places:

By default they can be used for files in emails, but to enable them for “containers” (SP Online sites, Teams and O365 groups) several additional steps are needed:

1. First of all enable sensitivity labels from PowerShell using the following script:

Import-Module AzureADPreview
Connect-AzureAD
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

2. After that we need to sync them to AzureAD using the following script:

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
$UserCredential = Get-Credential
Connect-IPPSSession -Credential $UserCredential
Execute-AzureADLabelSync
Disconnect-ExchangeOnline

If you get the error “Unable to resolve package source https://www.powershellgallery.com/api/v2”, start a new PowerShell session as administrator and run the following command as the first command in the session:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

and then run the above script again.
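An idempotent variant of the step 1 script, added here as an example and not part of the original post. It assumes the same AzureADPreview module, also handles a tenant where no "Group.Unified" settings object exists yet (in that case the lookup in step 1 returns nothing and the script fails), and reads the value back to confirm the change:

```powershell
# Added example: enable EnableMIPLabels idempotently and verify the result.
# Assumes the AzureADPreview module and an account allowed to change
# directory settings.
Import-Module AzureADPreview
Connect-AzureAD

# Look for an existing "Group.Unified" directory settings object.
$Setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }

if (-not $Setting) {
    # No settings object yet: create one from the built-in template,
    # set the flag, and store it as a new directory setting.
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    $Setting = $Template.CreateDirectorySetting()
    $Setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
}
elseif ($Setting["EnableMIPLabels"] -ne "True") {
    # Object exists but the flag is off: update it in place.
    $Setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}

# Read the setting back from the directory instead of trusting the local copy.
$Check = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
$Check.Values | Where-Object { $_.Name -eq "EnableMIPLabels" } |
    Format-Table Name, Value

if ($Check["EnableMIPLabels"] -ne "True") {
    throw "EnableMIPLabels is not set to True; labels will not apply to groups and sites."
}
```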

After these steps you will be able to create sensitivity labels for SP sites, Teams and O365 groups. Let’s see how it looks in Security and compliance center > Classification > Sensitivity labels. Note that the following message is now shown there:

You can now create sensitivity labels with privacy and access control settings for Teams, SharePoint sites, and Microsoft 365 Groups.

Click Create a label; this opens the New label wizard. On the first step we need to specify a name and description, and on the 2nd step it is possible to choose both Files & emails and Groups & sites:

Here we are interested in Groups and sites, so let’s keep only this option checked. Skip the next step for Files and emails and open the following step, “Define protection settings for groups and sites”. On this step we may set “Privacy and external user access settings” and “Device access and external sharing settings”:

E.g. if we check “Privacy and external user access settings”, then on the next step we will be able to set privacy and external user settings for the sites/teams/groups to which this label will be applied:

On the final step we need to publish our new label (this opens its own wizard).

After the label has been published, it will take up to 10 minutes before it appears in the O365 UI:

This is how you may enable sensitivity labels for SP sites, Teams and O365 groups. Hope this information will help someone.
