Enabling Sensitivity Labels

Sensitivity Labels are a long-standing but often underutilised Microsoft 365 tool that enable users to protect emails and documents.

They allow users to label the content they’re working on to ensure only people authorised to view, edit or collaborate on it can do so.

In this guide, we take a closer look at how sensitivity labels work at container level, show you how to configure existing labels and share some useful tips and best practice to help you get the most out of Microsoft 365’s auditing capabilities.

What are sensitivity labels?

The sensitivity of information is a measure of how much damage would be done to its owner if that information were made publicly available. For example, a person’s private diary may contain personal thoughts they don’t want to be widely known.

In business the sensitivity of a document relates to the damage that would be done to the owner if that information was released. For example, a chocolate manufacturer would want their “secret” recipe to be protected – it is sensitive information.

In the past documents were printed with a “Protective Marking” attached to them – it might have read “TOP-SECRET” or maybe “COMMERCIALLY SENSITIVE”. This alerted people of the need to be careful with the information but in the end it could not ensure that the paper copy wasn’t (say) left on a train or in a cafe.

Sensitivity labels in Microsoft 365 are a means of digitally marking information as being of a sensitive nature and needing to be protected. They allow a document to be marked visually but also enforce digital controls on the information. When combined with data loss prevention technologies they can control what can be done with information as well as who it can be shared with.

Why apply them to Sharepoint Sites?

Sensitivity labels in Microsoft 365 can be applied to emails and files by users selecting the label they wish to apply when they create the email or file in the Microsoft Office suite. But this requires a user to remember to apply the label or be prompted to apply the label.

Sharepoint Online is the part of Microsoft 365 that provides a full document management system and is split into sites. Suppose for a moment you have a site that holds sensitive information – maybe you are a chocolate manufacturer and have a “Recipes” site, or perhaps your organisation works with children and has a “Safeguarding” site. In both of these examples it is important to your organisation that this sensitive information is controlled more tightly than your other information, so you want to treat it with special care. You might want the site as a whole to have a default sensitivity label.

Don't they work out of the box?

Strange as it might seem the Microsoft 365 “Out of the box” experience doesn’t allow you to create a sensitivity label for application to a Sharepoint site.

The picture below shows the second step of creating a sensitivity label: you have given the label a name and a description and are now about to define its scope.

Sensitivity Labels Configuration - Not available for Sharepoint

Notice that whilst the first box “Files & emails” is available and ticked, the second box “Groups & sites” is greyed out and cannot be ticked. Before you can apply labels to Sharepoint sites you need to reach the point where this box can be ticked. That is what this blog post is about.

Preparation

Before we can get into the detail of enabling labels for Sharepoint we need to ensure that WinRM client basic authentication is set to true. This is because in order to connect to Microsoft 365 Compliance Center you need basic authentication enabled at the client end. This is true even with the modern authentication experience: the session itself signs in with a modern OAuth token, but the WinRM client’s Basic setting is what allows that token to be carried over the remoting session (you can see “BasicAuthToOAuthConversion=true” in the connection output later in this post).

You will notice that below I have “Basic = true” (highlighted in yellow).

Ensuring your authentication settings are correct

When I started out on this process this read:

Basic = false [Source="GPO"]

This was because I had a Microsoft Endpoint Manager (formerly Intune) Security Baseline configuration item that was enforcing the value as “false”.

If the value is not being set by a GPO but still shows “false”, you should be able to modify it using the command below:

winrm set winrm/config/client/auth @{Basic="true"}

Microsoft Endpoint Manager

If you have a similar situation to mine, where you cannot modify the value because it is being set by Microsoft Endpoint Manager, start by looking in the Endpoint security section of Microsoft Endpoint Manager at the security baselines you have configured, and in particular at the “Remote Management” section.

You will notice in the screenshot below that I have now got “Basic authentication” set to “Not configured”. It took about 12 hours before this policy was applied to my device, but making this change to the policy in Microsoft Endpoint Manager effected the change on my device.

Check your Microsoft Endpoint Manager Security Baseline

Enabling Sensitivity Labels in Powershell

Enabling Sensitivity Labels in Sharepoint Online is a multistage process that involves:

  • enabling Microsoft 365 groups (also called “Unified Groups”) to be managed by PowerShell
  • enabling Microsoft Information Protection labels for Microsoft 365 groups through PowerShell
  • syncing labels between Azure AD and Microsoft 365 Compliance Center

In a slightly bizarre quirk of Azure AD PowerShell, the commands required to complete the first two of these steps are only available in the “Azure AD Preview” module rather than the normal “Azure AD” module. You might think that this means they are relatively new commands, but this appears to have been the situation for quite some time.

Install the Azure AD Preview Module

Before we can progress to enabling sensitivity labels in Azure AD we need to remove the Azure AD PowerShell module and install the Azure AD Preview module. You can see in the code excerpt below that I have not got the former installed but have got the latter installed.

PS C:\WINDOWS\system32> Get-InstalledModule -Name "AzureAD"
PackageManagement\Get-Package : No match was found for the specified search criteria and module names 'AzureAD'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\2.2.5\PSModule.psm1:9445 char:9
+ PackageManagement\Get-Package @PSBoundParameters | Microsoft. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.Power...lets.GetPackage:GetPackage) [Get-Package], Exception
+ FullyQualifiedErrorId : NoMatchFound,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackage

Connect to Azure AD

Next we need to connect to Azure AD in order to enable unified groups.

PS C:\WINDOWS\system32> Connect-AzureAD -AccountId andrew.horler@[URL-removed]

Account Environment TenantId TenantDomain AccountType
------- ----------- -------- ------------ -----------
andrew.horler@[domain-removed] AzureCloud [domain-removed] [domain-removed] User

Enable Unified Groups

To configure Microsoft 365 groups through PowerShell we retrieve the “Group.Unified” settings template, create a settings object from it, modify the values we need in that object, then write it back to Azure AD as the default policy for groups so that the policy is updated. More information on how this works can be found on the Microsoft website here. I am by no means a PowerShell expert so my explanation won’t necessarily be 100% correct.

PS C:\WINDOWS\system32> $TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ

PS C:\WINDOWS\system32> $Setting = $Template.CreateDirectorySetting()

PS C:\WINDOWS\system32> $Setting.Values

Name Value
---- -----
EnableMIPLabels False
CustomBlockedWordsList
EnableMSStandardBlockedWords False
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation True

Enable Microsoft Information Protection Labels

If you look at the previous section you will see that “EnableMIPLabels” was configured as False. We need this value to be set to “True” in order for sensitivity labels to be applied to Microsoft 365 groups.

Once we have modified the value in our $Setting object we need to apply it back to Azure AD in order for it to take effect.

PS C:\WINDOWS\system32> $Setting["EnableMIPLabels"] = "True"

PS C:\WINDOWS\system32> New-AzureADDirectorySetting -DirectorySetting $Setting

Id DisplayName TemplateId Values
-- ----------- ---------- ------
2f1202a4-1cc4-474c-be65-2dbaa87275d4 62375ab9-6b52-47ed-826b-58e47e0e304b {class SettingValue {...
PS C:\WINDOWS\system32> $Setting.Values

Name Value
---- -----
EnableMIPLabels True
CustomBlockedWordsList
EnableMSStandardBlockedWords False
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation True

Connect to Microsoft Compliance Center

Once we have enabled Microsoft Information Protection labels for Microsoft 365 groups we need to ensure that this configuration is synchronised with Microsoft 365 Compliance Center. So we connect to Microsoft 365 Compliance Center using PowerShell.

PS C:\WINDOWS\system32> Connect-IPPSSession -UserPrincipalName andrew.horler@[domain-removed]
WARNING: Your connection has been redirected to the following URI: "https://gbr01b.ps.compliance.protection.outlook.com/Powershell-LiveId?BasicAuthToOAuthConversion=true;
PSVersion=5.1.19041.610 "


Enable Azure AD Label Sync

Once connected to Microsoft 365 Compliance Center we need to enable the Azure AD label sync function.

PS C:\WINDOWS\system32> Execute-AzureAdLabelSync

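The whole procedure above (WinRM pre-flight check, enabling MIP labels on the Group.Unified setting, then the label sync) as one script. This is an added example, not code from the original post; it assumes the AzureADPreview and ExchangeOnlineManagement modules are installed, that it runs in an elevated PowerShell, and uses a placeholder admin account in $Admin. Unlike the transcript above it first checks whether a Group.Unified setting already exists and updates it with Set-AzureADDirectorySetting in that case, because New-AzureADDirectorySetting fails when one is already present.

```powershell
# Added example, not from the original post. Assumes AzureADPreview and
# ExchangeOnlineManagement are installed and $Admin is a placeholder admin UPN.
$Admin = "admin@contoso.example"   # placeholder: replace with your own admin account

# 0. Pre-flight: Connect-IPPSSession needs the WinRM client to allow Basic auth.
$basic = (Get-Item WSMan:\localhost\Client\Auth\Basic).Value
if ($basic -ne "true") {
    throw "WinRM client Basic auth is '$basic'. Set it to true (or clear the Intune/GPO baseline) first."
}

# 1. Connect to Azure AD (AzureADPreview module, not the standard AzureAD module).
Connect-AzureAD -AccountId $Admin | Out-Null

# 2. Fetch the tenant-wide "Group.Unified" setting, if one has already been created.
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
$setting  = Get-AzureADDirectorySetting | Where-Object { $_.TemplateId -eq $template.Id }

if ($null -eq $setting) {
    # No setting exists yet: create one from the template (this is what the post does).
    $setting = $template.CreateDirectorySetting()
    $setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
} elseif ($setting["EnableMIPLabels"] -ne "True") {
    # A setting already exists: New-AzureADDirectorySetting would error, so update in place.
    $setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# 3. Verify the value is stored server-side, not just in the local object.
$check = Get-AzureADDirectorySetting | Where-Object { $_.TemplateId -eq $template.Id }
if ($check["EnableMIPLabels"] -ne "True") {
    throw "EnableMIPLabels is still not True in Azure AD; stopping before the label sync."
}
"EnableMIPLabels = $($check['EnableMIPLabels'])"

# 4. Connect to the Compliance Center and run the Azure AD label sync.
Connect-IPPSSession -UserPrincipalName $Admin
Execute-AzureAdLabelSync
```

After the sync completes, confirm in the portal that the “Groups & sites” scope box is no longer greyed out, as described in the next section.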

Verify Sensitivity Labels can be used with Sites

The final step now is to verify that the configuration changes have worked and that sensitivity labels can now be applied to Sharepoint Sites – is the “Groups & sites” tick box now available?

Sensitivity Labels - Now available for Sharepoint

Now you can progress through setting up sensitivity labels and then apply them to Sharepoint sites as required.


If this blog has been helpful and enabled you to get labels working in Sharepoint Online that’s great. Please feel free to share the article on social media or link to it. If you have read this and decided you need help to enable sensitivity labels in your environment, give us a call on 01332 322588.

And if you would like to stay up to date with the latest news, views and insight on everything going on in the ICT and technology sector, subscribe to our FREE email newsletter.
