Site sensitivity labels in Teams, Groups and SharePoint

##UPDATE## I’ve spent the weekend updating my session ready for SPC20 in Las Vegas in May where I’ll be demoing this updated experience along with other Conditional Access Scenarios!
If you register with Speaker code HUNT or from this link here, you can get $50 off the registration price!

Update to Site Collection Scoped policies with Site Sensitivity Labels

I’ve been talking about conditional access in Office 365 at events for some time now and whenever we talk about Site Collection Scoped policies, I’ve always said the missing link is for the End User to be able to select them without IT intervention and for this we need Site Sensitivity labels that actually do something!

For those that aren’t familiar with Site Collection Scoped policies, these can be set through PowerShell on any Site Collection in SharePoint Online, which when coupled with a suitably configured Conditional Access rule, lock down the end users ability to take certain actions based on one of three scopes.. Full Access, Limited Access and No Access.

The key blocker for me and the missing link in the whole piece has been the IT involvement step.. What user is going to create a site and then raise a call with their IT department to have the site locked down? Pretty certain the answer to that is a big resounding.. NONE!

Microsoft has been talking about Site Sensitivity Labels since Ignite in 2018 and despite seeing a few previews, we’ve not seen much about them until they announce the private preview at Ignite 2019 and then just last week on 28th February 2020, they announced that the feature had finally hit public preview… The missing link has arrived!

The missing link – Site sensitivity labels!

The missing link - Site sensitivity labels

To enable the preview feature, you first need to read this page on and follow the steps in “Enable sensitivity label support in PowerShell”.

Then read the preview documents from MS (available on here.) and follow steps 2 and 3 in “Enable this preview and synchronise labels” (Step 1 was to do the PowerShell bits!)

Now you need to create or edit your sensitivity labels to include the new Site and Group Settings in the Label configuration under Classification in the old protection portal (You may find this in the compliance portal in your tenant.)


As you can see, the settings are fairly straight forward and allow you to control the privacy of the group, whether External Users can be added and what access unmanaged devices have to the site. Once you’ve configured a Sensitivity Label or 3, create a publishing Policy that contains a few test users and hit publish… (Just bear in mind, that when a label is applied to a Site or Group, only the Site and Group settings applied to the site, there is no inheritance of the label on content…so no encryption, watermarking etc!)

Then wait up to 24 hours!.. Yep can take 24 hours for your labels to be pushed out. Mine took 14 hours in the end, so be prepared to wait.

Once the labels have been applied, you should see them in 4 main places:

  • Office 365 Group Creation experience in Azure
  • Teams creation experience in the Teams client (or browser)
  • SPO Creation experience in SharePoint Online.
  • SharePoint Administration Page (modern experience)


I’m going to dig a little deeper into the conditional access side of how this all works in my next post, but for now I want to talk about the user experience as there’s a couple of little issues currently. I’ve notified the product group of these through the MVP channels and hopefully by the time this reaches GA, we’ll have got them all resolved.

The first issue is one of confusion. As a SharePoint user, if I go to a limited access site, I get a really nice banner at the top of the page that highlights that due to the device I’m using, I’m not permitted to perform certain actions like downloading or printing.


If I attempt to go to a blocked site, I’ll receive a stern but clear access error:


If however I’m a teams user, I can access the Team quite happily, but if I try and switch to the files tab, I receive a rather nasty error that suggests someone has deleted the list or I don’t have access (which is somewhat close to the truth!)


The second issue is rather less annoying and more one of consistency. When I create a new Office 365 Group or a Microsoft Team (Option B), I can choose to use a Sensitivity Label or leave it set to None.. When creating a new site in SharePoint (Option A), you MUST select a label which could prove limiting as it then requires you to change the label if you want to change the group between Public/Private etc.


That’s all for now. In the next post I’m going to cover some of the technical controls that you need to put in place, and a few good practices to consider for the short term!


Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.