Using sensitivity labels at container level

Posted by

Sensitivity labels have been around for some time. As has the ability to classify SharePoint Online sites, Microsoft 365 groups (and Teams) using a classification model. Some time ago, Microsoft added real functionality to that classification model of site labels. At first, these labels only showed the classification of the site/team. Next came the ability to adjust the privacy-settings and the mobile access to the site/team. But now another function has been released in preview – external sharing options for content.

Sensitivity labels

Before we go there, let’s talk about the sensitivity labels a bit more. As an evolution of the Azure Information Protection labels, the function of the labels has always been threefold: classification | visual markings | protection. The scope of the labels is content: documents and e-mails, no matter where these are used, stored or shared.

At this moment, the sensitivity label can be applied to specific containers as-well. You can even use the same label for a container (Microsoft 365 Group, SharePoint Online site) and documents/e-mails. This allows for a more holistic approach to information protection in Microsoft 365. Do note however, and this is not new information, that the container based label still does not impact the content in that container. Or put another way: when labeling a teams-environment as “confidential”, this will not imply that all documents in that environment will be labeled as-well (or have a default label).

External sharing

External sharing settings for SharePoint Online and OneDrive for Business control how content (documents, folders) can be shared. The settings range from anonymous sharing to no external sharing at-all. In between you can select the options to share with new and/or existing guest users in your tenant.

These settings have two basic components:

  1. These settings are created on the tenant level and cannot be upgraded on a site/team level. In other words: you will need to set these settings as broadly as needed within your tenant;
  2. You can modify these settings on a site/team level – but this is a downgrade of the tenant-wide settings.

Normally these settings would be done by your administrator and the provisioning process for your sites/teams. But using the labels, these settings are applied based on the label. So let’s take a look.

Label settings

When creating or modifying the label you set the scope of the label. You can choose to look at content (either documents, e-mails or data in Azure [now in preview]) or the container based function. Let’s say you want to have a label specifically for teams. In this case, you will select the Groups & sites option.

Based on your requirements you can now set options for the visibility of the team (Privacy), external (guest) access to the team (External user), access for devices (Device access) and the external sharing part. All these functions are optional.

The external sharing section will be familiair to you when you’ve already worked with this on the tenant or site-collection level.


You still need to create a policy in order for your users to select the label. But these settings have also been enhanced. Because of the importance of container-based labels, you can now provide a default label and require your users to select one. If this latter one is not selected, people creating teams/sites can also select “None“.

Private channels

What about these private channels? As we all know, these channels are provided using separate SharePoint Online site-collections. When you create a private channel, the created site-collection will “inherit” the classification label and therefor the settings. So this is very cool stuff!

In action

Now let’s test this out. From the teams-client I’ve created a new team. The default label is directly shown and I can select another one. Note to self: is a user allowed to downgrade a label and why is there the “none” option? Anyway – based on the label the team will be private, external access is not allowed and external sharing is not allowed.

As for SharePoint Online – as with many of these settings, they will be added to the site-collections properties. I only hope Microsoft will add more functions to this in future – perhaps retention policies and the like? Anyway – when you’ve labeled the team and look at the SharePoint Online site-collection, you will see the label pop-up. The sharing settings have been modified as-well.

From the users-perspective, this works as-well. I’m not able to add external (guest)users and sharing has been disabled for the site-collection as well. Really nice.

Short video

In this video I show you the workings of this new functionality.

Closing thoughts

I think it is great to have the labeling functionality enhanced this way. I do believe the Microsoft 365 platform will benefit even more when additional functionality can be added to the container-based label. Some thoughts on the current (preview) functions:

  1. As a teams-admin (owner) I can change the label. There is no mandatory labeling option;
  2. When creating a team, I can select a range of labels based on the policy. This is correct. However, if the setting for the policy allows me to disregard the label – I can simply select “None”.

More info: Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites – Microsoft 365 Compliance | Microsoft Docs

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s