
Miguel Isidoro

Posted on • Originally published at blogit.create.pt on

How to protect sensitive information in SharePoint Online using Purview Sensitivity Labels

This post explains how we can use Microsoft Purview Sensitivity Labels to protect sensitive information stored in a SharePoint Online site.

What are Sensitivity Labels?

Microsoft Purview Sensitivity Labels are a data classification and protection system that helps organizations identify, classify, and protect sensitive information across Microsoft 365 and other services. They help you:

  • Classify your data: Define different levels of sensitivity for your data, such as Confidential, Highly Confidential, and Public.
  • Protect your data: Apply protection settings to different levels of sensitivity, such as encryption, access restrictions, and data loss prevention.
  • Track your data: Track the movement of sensitive data and identify potential data breaches.

Here are some of the benefits of using Microsoft Purview Sensitivity Labels:

  • Reduces the risk of data breaches: By classifying and protecting your sensitive data, you can make it more difficult for unauthorized users to access it.
  • Improves compliance: Sensitivity labels can help you meet compliance requirements for data privacy and security.
  • Increases productivity: By making it easier for users to identify and protect sensitive data, you can help them be more productive.

Allow the creation of Sensitivity Labels

The creation of Sensitivity Labels may be disabled in your Office 365 tenant. To ensure you can create Sensitivity Labels, run the following script in a PowerShell window. Change the variables to match your environment.


# Enable sensitivity label (AIP) integration in SharePoint Online.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell) module.
$AdminCenterURL = "https://dev-admin.sharepoint.com"
Connect-SPOService -Url $AdminCenterURL
Set-SPOTenant -EnableAIPIntegration $true

# Allow sensitivity labels on Microsoft 365 Groups (and therefore on Teams and SharePoint sites)
# by turning on EnableMIPLabels in the Group.Unified directory setting.
Import-Module AzureAD
Connect-AzureAD
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting


If you don’t have the AzureAD PowerShell module installed, install it before executing the script by running:


Install-Module AzureAD -AllowClobber
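After running the enabling script, it is worth confirming that both settings actually took effect before you start creating labels. The following verification script is an added example, not part of the original post; it assumes the same modules as the script above and that the admin center URL is replaced with your own tenant's.

```powershell
# Added verification script (not from the original post). Assumes the
# Microsoft.Online.SharePoint.PowerShell and AzureAD modules are installed
# and that $AdminCenterURL points at your own tenant's admin center.
$AdminCenterURL = "https://dev-admin.sharepoint.com"

function Test-LabelPrerequisites {
    param([string]$AdminUrl)
    $problems = @()

    # 1. SharePoint Online must have AIP integration enabled, otherwise
    #    labels cannot be applied to documents in SharePoint and OneDrive.
    Connect-SPOService -Url $AdminUrl
    $tenant = Get-SPOTenant
    if (-not $tenant.EnableAIPIntegration) {
        $problems += "SPO tenant: EnableAIPIntegration is false (run Set-SPOTenant -EnableAIPIntegration `$true)"
    }

    # 2. The Group.Unified directory setting must exist and carry
    #    EnableMIPLabels = True so labels can be applied to groups and sites.
    Connect-AzureAD | Out-Null
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    if ($null -eq $setting) {
        $problems += "Azure AD: no Group.Unified directory setting exists yet (create one from the Group.Unified template first)"
    }
    elseif ($setting["EnableMIPLabels"] -ne "True") {
        $problems += "Azure AD: EnableMIPLabels is '$($setting["EnableMIPLabels"])', expected 'True'"
    }

    if ($problems.Count -eq 0) {
        Write-Host "All sensitivity label prerequisites are in place." -ForegroundColor Green
    }
    else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
    return ($problems.Count -eq 0)
}

Test-LabelPrerequisites -AdminUrl $AdminCenterURL
```

The enabling script above fails on the `.id` lookup if the Group.Unified setting has never been created; this check reports that case explicitly instead.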

Creating a Sensitivity Label

To create a Sensitivity Label, follow these steps:

  • In the Labels page of the Microsoft Purview compliance portal, select “Create a label”

  • Give the label a name. Example: Confidential. In the end, click Next.

  • Define the scope of the label. Choose both “Items” and “Groups & sites”. This will allow you to apply the label to both documents and SharePoint sites. In this post, I will focus on SharePoint sites.

  • Choose the protection settings for the labeled items. Select “Apply or remove encryption”. If you want to apply a content marking to the labeled items, select “Apply content marking”.

  • Define the encryption settings. Select “Configure encryption settings” with the following parameters:
    • Assign permissions now or let users decide?: Assign permissions now. With this setting, when the label is applied, the permissions we define below are applied.
    • User access to content expires: Never. With this setting, users will not lose access after a period of time.
    • Allow offline access: Always. With this setting, users may edit documents offline.

In the end, select “Add permissions”.

  • For simplicity, in this example, in the “Assign permissions” screen, select “Add any authenticated users”.

  • Select “Choose permissions”

  • Select “Viewer” permission and click “Save” twice to close the “Assign permission” window.

With this permission, we are granting all authenticated users the Viewer permission, which gives read-only access to the documents classified with this label.

  • Next, we want to add edit permissions to a group of users. Select “Assign permission” again.

  • Select “Add users or groups” and choose a group of users you want to assign edit permissions to.

  • Select the “Reviewer” permission

  • Confirm all permissions and click Next.

  • Don’t select the option “Auto-labeling for files and emails”. Click Next.

  • Select “Privacy and external user access” and “External sharing and Conditional Access” options.

  • In the “Privacy” section, select “Private”. This way, only team owners and members can access the group or team. In “External user access”, don’t select the option “Let Microsoft 365 Group owners add people outside your organization to the group as guests.”. This way, only users from within the organization can access the SharePoint site.

  • In “Define external sharing and conditional access settings”, select “Control external sharing from labeled SharePoint sites” and “Use Microsoft Entra Conditional Access to protect labeled SharePoint sites”. In the “Control external sharing from labeled SharePoint sites” section, select “Only people in your organization”. This way, SharePoint sites with this label can only be accessed by and shared with people in your organization. In the “Use Microsoft Entra Conditional Access to protect labeled SharePoint sites” section, select “Allow limited, web-only access”. With this setting, users on unmanaged devices (devices not managed by your organization, typically personal devices) can only access documents in labeled SharePoint sites through the browser: they cannot synchronize the document libraries for offline access, download documents, or open documents in the Office desktop applications.

  • In the “Auto-labeling for schematized data assets (preview)” section, leave the option unselected and click “Next”.

  • Review the label settings and click “Create label” to finish the label creation process.

Publish a Sensitivity Label

In order for a label to be made available, we need to publish it. To publish a label, follow these steps:

  • In the Labels page, select the label and the option “Publish label”.

  • In “Assign admin units” page, leave the default values and click “Next”.

  • In “Publish to users and groups”, add all users and groups and then click “Next”. If you want to test the label with a restricted group of users, select instead a group containing the users you want to include in the test.

  • In “Policy settings”, leave all options unselected and click “Next”.

  • In “Default settings for documents”, select “None” for “Default label”. With this selection, labels won’t be applied by default to Office documents. Click “Next”.

  • In “Default settings for emails”, select “Same as document” in “Default label”, leave the checkbox “Email inherits highest priority label from attachments” unchecked and click “Next”.

  • In “Default settings for meetings and calendar events”, select “None” for “Default label” and click “Next”.

  • In “Default settings for sites and groups”, select “None” for “Default label” and click “Next”.

  • In “Default settings for Fabric and Power BI content”, select “None” for “Default label” and click “Next”.

  • In “Name your policy”, name your policy and give it a description.

  • Review and submit the Label policy to finish the policy creation process.

NOTE: New labels may take up to 1h to be available. Updates to existing labels may take up to 24h to take effect.

Testing Access to SharePoint

To test if the label is successfully applied, we are going to create a SharePoint Team site and apply the label to the site. Follow these steps:

  • Click SharePoint in the top left corner to go to the SharePoint homepage.

  • In the SharePoint homepage, create a new site.

  • Choose a Team Site

  • Choose any template. For simplicity, I selected “Standard team”.

  • Click on “Use Template”

  • Set the site name, group email address and site address.

  • Set the sensitivity label for the new site by choosing the label we created earlier. The privacy will automatically be set to Private, as we defined in the label settings.

  • Add site owners and members to the site.

  • Access the site with an unmanaged device. In this example, the site was created as a “Private” group and with the label “Confidential”. As the site was configured to only allow access from the browser and not allow the use of Office desktop applications by devices not managed by the organization, a message appears at the top of the site indicating that it is not possible to download the documents or sync the documents for offline access.

  • In the “Documents” document library, verify that it is not possible to sync documents for offline access (“Sync” command should not be available in the command bar).

  • In the “Documents” document library, verify that it is not possible to download documents (“Download” option should not be available in the document context menu).

  • In the “Documents” document library, verify that it is not possible to open a document using the desktop application and that documents can only be opened using the browser.
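The manual checks above confirm the behaviour for one site. To verify the same thing across the tenant, the following audit script (an added example, not from the original post) lists every site carrying the label and checks that the two site-level settings the label is supposed to enforce are in place. It assumes the SharePoint Online Management Shell is installed and that $LabelId is replaced with the GUID of your “Confidential” label (the ImmutableId shown by Get-Label in Security & Compliance PowerShell).

```powershell
# Added audit script (not from the original post). Assumes the SharePoint
# Online Management Shell is installed and that $LabelId is replaced with the
# GUID (ImmutableId) of the "Confidential" label created in this post.
$AdminCenterURL = "https://dev-admin.sharepoint.com"
$LabelId = "00000000-0000-0000-0000-000000000000"   # placeholder: replace with your label GUID

function Get-LabeledSiteReport {
    param([string]$AdminUrl, [string]$LabelGuid)

    Connect-SPOService -Url $AdminUrl

    # Enumerate every site collection and keep the ones carrying the label.
    # -Limit All is required; the default only returns the first 200 sites.
    $labeled = Get-SPOSite -Limit All | Where-Object { $_.SensitivityLabel -eq $LabelGuid }

    foreach ($site in $labeled) {
        # What the label configured in this post should enforce on the site:
        #   "Only people in your organization" -> external sharing Disabled
        #   "Allow limited, web-only access"   -> ConditionalAccessPolicy AllowLimitedAccess
        $sharingOk = $site.SharingCapability -eq "Disabled"
        $caOk      = $site.ConditionalAccessPolicy -eq "AllowLimitedAccess"

        [pscustomobject]@{
            Url                     = $site.Url
            SharingCapability       = $site.SharingCapability
            ConditionalAccessPolicy = $site.ConditionalAccessPolicy
            Compliant               = ($sharingOk -and $caOk)
        }
    }
}

# Print the report and flag any labeled site whose effective settings differ
# from what the label should enforce (remember the propagation delays noted above).
$report = Get-LabeledSiteReport -AdminUrl $AdminCenterURL -LabelGuid $LabelId
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Site $($_.Url) carries the label but does not enforce its settings" }
```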


Happy SharePointing!