Enable default sensitivity labels in SharePoint Online


General Introduction

SharePoint can automatically apply a sensitivity label to the contents of a document library. New documents, whether created online or uploaded, and existing documents (once they are edited) get the sensitivity label you chose as the library default.

If a document’s label has been manually changed, SharePoint won’t overwrite it with the default. This usually isn’t an issue, because only a small number of selected employees should have the permissions needed to declassify a document.

This automation supports the following file formats:

  • Word: .docx, .docm
  • Excel: .xlsx, .xlsm, .xlsb
  • PowerPoint: .pptx, .ppsx
  • PDF (Preview)

Whilst support for PDFs is still in preview, I have yet to have issues with it.

This script was written because I found the steps to enable this feature a bit confusing, and so I wanted to simplify the process with a simple automation.

Before running the script, create and publish your sensitivity labels. The label must be published to the user who will set it as the default sensitivity label; otherwise it won’t appear in the dropdown for that user.

After running the script, edit the labels and extend their scope to include groups and sites. You’ll have to wait a while between running the PowerShell script and enabling groups and sites, as that scope is greyed out until the directory setting has propagated.

After you have enabled groups & sites, you’ll also have to wait for the setting that labels a SharePoint library to show up.

To label a site itself, go to the SharePoint Admin Center, then Sites, Active Sites, click the site you wish to label and, under Settings, use the Sensitivity label dropdown. Note that this applies a container label to the site; the default label for a document library is set from the library’s own settings (Settings, Library settings, Default sensitivity labels), by a user to whom the label has been published.


Limitations of default sensitivity labels


The script

I’d suggest updating your SharePoint Online Management Shell before running this script, since older versions lack the PDF parameter. You can download the latest version here:

https://www.microsoft.com/en-us/download/details.aspx?id=35588

Modify the two variables before running the script.

# Define the variables for your environment. The first one is the URL of your SharePoint Admin Center. The second one is your administrator account User Principal Name.

$SPAdminLink = "https://yourtenant-admin.sharepoint.com"
$AdminUPN = "youradminUPN@contoso.com"

# Connect to SPO with the SharePoint Online Management Shell (the MSI linked above, or Install-Module Microsoft.Online.SharePoint.PowerShell from the PowerShell Gallery)

Connect-SPOService -Url $SPAdminLink

# Enable AIP integration, i.e. sensitivity label processing for Office files in SharePoint and OneDrive

Set-SPOTenant -EnableAIPIntegration $true
(Get-SPOTenant).EnableAIPIntegration

# Enable support for PDFs. Update the SP Online module if this fails (the parameter is missing in older versions). The link is https://www.microsoft.com/en-us/download/details.aspx?id=35588

Set-SPOTenant -EnableSensitivityLabelforPDF $true
(Get-SPOTenant).EnableSensitivityLabelforPDF

# Connect to AAD and enable support for labels in groups. Source: https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide
# Note: the AzureAD and AzureADPreview modules are deprecated in favour of Microsoft Graph PowerShell; the Group.Unified directory setting is the same object either way.

Install-Module AzureADPreview -Scope CurrentUser
AzureADPreview\Connect-AzureAD

$grpUnifiedSetting = Get-AzureADDirectorySetting | Where-Object -Property DisplayName -EQ -Value "Group.Unified"

# Check if EnableMIPLabels is enabled. If nothing is displayed then you have no Group.Unified settings object yet; it is created from the template below.

if ($null -ne $grpUnifiedSetting) { $grpUnifiedSetting.Values }

# Enable the feature and save. If it fails check out this guide: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-cmdlets#create-settings-at-the-directory-level

if ($null -eq $grpUnifiedSetting) {
    # No directory-level settings exist yet: instantiate them from the Group.Unified template
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object -Property DisplayName -EQ -Value "Group.Unified"
    $Setting = $Template.CreateDirectorySetting()
    $Setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $Setting
} else {
    # Settings exist: flip the single value and write the object back
    $Setting = $grpUnifiedSetting
    $Setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
}

# Check that now it's enabled. If it's enabled you'll get
#
#Name                            Value
#----                            -----
#EnableMIPLabels                 True

(Get-AzureADDirectorySetting | Where-Object -Property DisplayName -EQ -Value "Group.Unified").Values | Where-Object -Property Name -EQ -Value "EnableMIPLabels"

# Now we'll import ExchangeOnlineManagement and connect to Security & Compliance PowerShell to sync the labels to Azure AD

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName $AdminUPN
Execute-AzureAdLabelSync
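The script above flips the settings but does not tell you whether a given label is actually ready to be used as a library default. The following pre-flight check is an added example, not part of the original script: it evaluates the prerequisites the post walks through (AIP integration, PDF support, EnableMIPLabels in Group.Unified, and a label that exists and is scoped to files, sites and groups) and returns a list of findings. The property names EnableAIPIntegration, EnableSensitivityLabelforPDF, EnableMIPLabels and ContentType are assumed to match the output of Get-SPOTenant, Get-AzureADDirectorySetting and Get-Label; the sample objects are constructed inline so the check runs without a tenant.

```powershell
# Added example: offline pre-flight check for the default-label prerequisites.
# Property names are assumed to match the real cmdlet output (see lead-in).

function Test-DefaultLabelPrerequisites {
    [CmdletBinding()]
    param(
        # Output of Get-SPOTenant, or any object exposing the same property names
        [Parameter(Mandatory)] $Tenant,
        # The Group.Unified directory setting, indexable by setting name; $null if it does not exist
        [Parameter()] $GroupUnifiedSetting,
        # Output of Get-Label from Security & Compliance PowerShell
        [Parameter(Mandatory)] [object[]] $Labels,
        # The label you intend to use as the library default
        [Parameter(Mandatory)] [string] $LabelName
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Tenant-level switches set by Set-SPOTenant
    if (-not $Tenant.EnableAIPIntegration) {
        $findings.Add('EnableAIPIntegration is off: run Set-SPOTenant -EnableAIPIntegration $true')
    }
    if (-not $Tenant.EnableSensitivityLabelforPDF) {
        $findings.Add('EnableSensitivityLabelforPDF is off: PDFs in the library will not be labelled')
    }

    # Directory-level setting that unlocks the groups & sites scope on labels
    if ($null -eq $GroupUnifiedSetting) {
        $findings.Add('No Group.Unified directory setting exists: create it from the template before enabling EnableMIPLabels')
    } elseif ("$($GroupUnifiedSetting['EnableMIPLabels'])" -ne 'True') {
        $findings.Add('EnableMIPLabels is not True in Group.Unified: labels cannot be scoped to groups and sites')
    }

    # The label itself: it must exist and carry every scope the post relies on.
    # ContentType is assumed to list scopes such as "File, Email, Site, UnifiedGroup".
    $label = $Labels | Where-Object { $_.DisplayName -eq $LabelName } | Select-Object -First 1
    if ($null -eq $label) {
        $findings.Add("Label '$LabelName' not found: create and publish it before setting a default")
    } else {
        foreach ($scope in 'File', 'Site', 'UnifiedGroup') {
            if ($label.ContentType -notmatch "\b$scope\b") {
                $findings.Add("Label '$LabelName' is not scoped to '$scope'")
            }
        }
    }

    # Empty array means every prerequisite is in place
    return ,$findings.ToArray()
}

# Constructed sample objects mimicking the cmdlet output, so the check runs offline.
$sampleTenant = [pscustomobject]@{ EnableAIPIntegration = $true; EnableSensitivityLabelforPDF = $false }
$sampleGroupSetting = @{ EnableMIPLabels = 'False' }   # a hashtable stands in for the DirectorySetting indexer
$sampleLabels = @(
    [pscustomobject]@{ DisplayName = 'Confidential'; ContentType = 'File, Email' },
    [pscustomobject]@{ DisplayName = 'Internal';     ContentType = 'File, Email, Site, UnifiedGroup' }
)

# Reports four findings for the sample: PDF support off, EnableMIPLabels not True, and Confidential missing the Site and UnifiedGroup scopes
Test-DefaultLabelPrerequisites -Tenant $sampleTenant -GroupUnifiedSetting $sampleGroupSetting -Labels $sampleLabels -LabelName 'Confidential'

# Against a live tenant, after Connect-SPOService, Connect-AzureAD and Connect-IPPSSession:
# Test-DefaultLabelPrerequisites -Tenant (Get-SPOTenant) `
#     -GroupUnifiedSetting (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -EQ -Value 'Group.Unified') `
#     -Labels (Get-Label) -LabelName 'Confidential'
```

Run the check with 'Internal' instead of 'Confidential' against the same sample and only the two tenant-level findings remain, which is the kind of signal you want before waiting for the library setting to appear.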


Sources:

https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label?view=o365-worldwide

https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide

https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-labels

https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide

Automatically apply Sensitivity Labels to files and libraries – Microsoft Purview

There are a couple of ways to enable automatic classification of files in SharePoint. The first, more complete from a customization point of view, is to use a File Policy in Defender for Cloud Apps. The second (newer and, for now, less recommended, with full release planned for Q3/Q4 2022) is to use a Default Sensitivity Label in SharePoint Online.

If you are looking at how to enable file monitoring and file policies, follow this guide:

File Policy in Defender for Cloud Apps

To create a policy that automatically matches and labels files in the root folder and the subfolders, follow the steps below:

  • Open the MDCA portal.
  • Create a new file policy.
  • Create a broad filter. I’ve set it as “App equals SharePoint Online” for this example.
  • Under “Apply to”, specify the root folder where the policy should start to apply.
  • Apply the governance action “Apply sensitivity label”, and select your label. Check the box below if you wish MDCA to override all user-defined labels. This will override older labels set on docs in the site and new ones defined at document creation.
  • Save the policy

Suppose you would like a policy to automatically apply labels to all files recursively, from a root folder down through its subfolders, in SharePoint or OneDrive. You might think you can use the “Files matching all of the following” filter for this. Unfortunately, this won’t work, because that filter does not match recursively against the files contained in subfolders; the “Apply to” folder selection above is what scopes the policy.

Default Sensitivity labels in SharePoint Online

Once you enable SharePoint to process labels, you can configure a default label for document libraries. This will ensure that any new or newly modified files get the specified label.

The feature will not apply to documents that have not been opened since the default label was set, nor to files that already carry a higher-priority label. Therefore, I would recommend, for the moment, using PowerShell or MDCA (as shown above) before setting the default label.

The feature will also not work if the label has “User access to content expires” set to anything other than Never, or if the label uses Double Key Encryption.

I’ve recently created a quick script to enable this feature. Check it out here:

https://azvise.com/2023/07/14/enable-default-sensitivity-labels-in-sharepoint-online/