Templates and Sensitivity Labels

In my previous article, I explained the security settings available for meetings in Teams Premium. Here, I delve deeper into meeting templates and sensitivity labels, exploring how labels and templates can be used to adhere to requirements, policies, and if necessary, enforce some applicable settings in meetings.

Sensitivity Labels for Teams Meetings

Sensitivity labels traditionally protect documents and emails. Teams Premium enables sensitivity labels to be configured to enforce settings for Teams meetings, such as:

  • Who can bypass the lobby
  • Who can present
  • Who can record and transcribe
  • Encryption for meeting video and audio
  • Automatic start of meeting recording
  • Watermarking for screen sharing and camera streams
  • Prevent or allow copying of chat contents to the clipboard

When meeting organizers apply a sensitivity label to a meeting, Teams configures the meeting options automatically. Unlike meeting templates, a sensitivity label always enforces the settings in its configuration. Meeting organizers can’t override the settings.

To use sensitivity labels for meetings and invites, organizers must have a Teams Premium license in addition to any of the following SKUs:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5

Why Use Sensitivity Labels in Meetings?

Sensitivity labels help organizations by pre-configuring necessary security settings and applying the settings to meetings. Administrators can enforce the application of sensitivity labels by:

  • Adding a default label for all meetings being created
  • Requiring meeting organizers to select a label for all meetings (they can pick from the sensitivity labels published to their account)
  • Adding a label to a meeting template

Configure Labels for Teams Meetings

To create or edit a sensitivity label for Teams meetings, create or edit a label in the Information Protection section of the Microsoft Purview Portal. When selecting the label scope, make sure to tick the “Meetings” checkbox (Figure 1).

Figure 1: Setting the meeting scope for a sensitivity label
Figure 1: Setting the meeting scope for a sensitivity label

It’s not possible to configure sensitivity labels scoped for meetings only. Due to dependencies, the scope for sensitivity labels must include files and emails before they can support meetings. The “Emails” option supports the calendar event, invitation, related email responses, and the “Files” option for related attachments. If sensitivity labels are already deployed in an organization, it makes sense to reconfigure these labels to include the meeting scope.

The next step of the wizard displays the option “Protect Teams meetings and chats.” Ticking this option will present the settings that can be configured for meetings (Figure 2).

Figure 2: Functionality and limitations for each of these settings are discussed in part 1 of this blog series
Figure 2: Functionality and limitations for each of these settings are discussed in part 1 of this blog series

To encrypt and add watermarking to meeting invites, “Control Access” and “Apply content marking” must be configured for emails (Figure 3).

Figure 3: Encryption and content marking for invites share the same settings as emails
Figure 3: Encryption and content marking for invites share the same settings as emails

After configuring the settings, save the label.

As with files and emails, the organization can configure a default and/or required sensitivity label for meetings using label policies. Edit a sensitivity label policy. Under Settings, a default sensitivity label for meetings and calendar events can be configured. When a default label is configured, Teams applies the label to every meeting for organizers with required licenses assigned. The label can subsequently be changed or removed by the organizer. To ensure that a label is always applied to meetings, choose the option to require a label (Figure 4).

Figure 4: Default and required labels can be configured separately or together
Figure 4: Default and required labels can be configured separately or together

Here’s an example of configuring a default meeting sensitivity label with PowerShell:

<em>Set-LabelPolicy -Identity &lt;policyname&gt; -AdvancedSettings @{teamworkdefaultlabelid=&lt;labelID&gt;}</em>

To configure mandatory Labeling for meetings:

<em>Set-LabelPolicy -Identity &lt;policy name&gt; -AdvancedSettings @{TeamworkMandatory=&lt;"True"/” False”&gt;}</em>

Using default and required sensitivity labels for meetings can simplify the user experience and ensure that a minimum level of protection is applied to all meetings. However, I recommend that you align meeting settings with the label configurations for files and emails. Any of these settings can impact end-users and having different label configurations for different scopes makes adoption harder.

I do not recommend using a default label for meetings unless all users within the scope of the label policy meet the licensing requirements.

Applying a Label to an Outlook Meeting

After meeting labels are configured and published, licensed users can start using the sensitivity labels when scheduling meetings from Outlook and Teams. Figure 5 shows how to apply a meeting label in Outlook when the policy specifies a default and required sensitivity label. In this case, because the policy requires a label, the meeting organizer cannot remove the label. Any protection (encryption) settings from the label apply to the meeting invitation.

Figure 5: The “Confidential” label is set as default
Figure 5: The “Confidential” label is set as default

Figure 6 displays the meeting options in which end-to-end encryption and watermark are enabled and enforced due to an applied sensitivity label.

Figure 6: Some settings are enforced by the applied label and can’t be disabled. The lock next to the setting indicate the enforcement
Figure 6: Some settings are enforced by the applied label and can’t be disabled. The lock next to the setting indicate the enforcement

Figure 7 shows the experience of an organizer assigned to a different sensitivity label policy with no default or required label configured, scheduling a meeting in Teams. Available labels configured for meetings can be picked from the “Sensitivity” menu.

Figure 7: No default or label selection is required (“None”) according to the label policy configuration
Figure 7: No default or label selection is required (“None”) according to the label policy configuration

Limitations for Sensitivity Labels in Meetings

As always, some limitations exist. The important ones to highlight are:

  • Sensitivity labels can’t be applied to live events, town halls, and webinars
  • Assigning labels to meeting invites via a Graph API isn’t supported
  • Shared mailbox calendars do not support sensitivity labels

For full details about limitations, please read this blog.

Introduction to Teams Meeting Templates

Meeting Templates enable organization administrators to design templates for Teams meetings. Different meeting types may need varied configurations, and templates that have pre-configured meeting options determined by administrators make it easier for organizers to schedule without determining the ideal settings for each meeting type themselves. Templates also help enforce the required security settings for each type of meeting. When creating a template, there are many meeting settings that overlap with those in a sensitivity label. Moreover, some settings only exist in either templates or sensitivity labels. Table 8 displays the various settings and from where they can be configured.

Configurable SettingsMeeting templatesSensitivity labels
Lobby settingsYesYes
End-to-end encryptionYesYes
WatermarksYesYes
Chat and restrict copying chatYesYes
Recording settingsYesYes
Copilot for meetings optionsYesNo
Meeting reactionsYesNo
Enable/disable QnAYesNo
Manage what attendees can seeYesNo
Attendee Microphone and camera controlYesNo
Notify when callers join and leaveYesNo
Control who can presentNoYes
Include Sensitivity labelYes
Table 8: Even though some settings overlap with sensitivity labels, templates offer the possibility to set default settings without enforcing them

Template settings can be configured to be:

  • Unlocked: Administrators set a default value that can be changed by the organizer
  • Locked: Administrators set a default value that can’t be changed by the organizer (enforced)

Administrators can also hide certain settings from the meeting options pane if required.

Figure 9: In this template end-to-end encryption and watermark have been enabled. Since encryption is “Locked”, organizers can’t disable this setting. Watermark is enabled but can be disabled if needed (“Unlocked”)
Figure 9: In this template end-to-end encryption and watermark have been enabled. Since encryption is “Locked”, organizers can’t disable this setting. Watermark is enabled but can be disabled if needed (“Unlocked”)

A sensitivity label can be added to a template. It’s important to note that label settings always take precedence over template settings. Since labels always enforce configured settings (never optional), it’s important to think through and plan for a desired outcome if using both.

For example, if a sensitivity label is configured with end-to-end meeting encryption included and locked in a template, the encryption setting is greyed out in the template settings. The label setting takes precedence and enforces encryption. Sensitivity labels and meeting templates are a powerful combination if used correctly. A sensitive meeting itself can be internal or external, highly sensitive, and so on. A sensitivity label can be configured with settings applicable for all types and added to multiple meeting templates. Specific settings in each template can then be refined according to their more specific meeting type.

For instance, a sensitivity label named “Confidential” is used for files, email, and meetings. The label is configured with the minimal security baseline for all types of sensitive meetings and does not mandate end-to-end encryption. A “Highly Confidential” meeting template includes the “Confidential” label and enforces end-to-end encryption using the template setting in locked mode. The template for Confidential meetings uses the same label but only makes end-to-end encryption optional using the template setting in an unlocked mode.

Configuring Templates for Teams Meetings

Meeting templates are configured in the Meeting section of the Teams admin center. The option is only available if at least one Teams Premium license is activated in the tenant.

Click “Add” or edit an existing template. Up to 50 custom templates are supported per tenant. If creating a new template, give it a name and description. Set the default value for at least one setting and use the options to hide/show, lock/unlock each setting according to requirements. Figure 10 shows the sensitivity label “General” added and locked to the template, while the lobby setting is in an unlocked mode, and therefore can be changed by an organizer.

Figure 10: Using the “Locked” and “Unlocked” modes, enables administrators to configure preferred settings while enforcing others in a template
Figure 10: Using the “Locked” and “Unlocked” modes, enables administrators to configure preferred settings while enforcing others in a template

As with sensitivity labels, templates are published to users through a policy. You can create multiple policies and assign them to different sets of users if necessary.

Meeting templates are managed through the Meetings section of the Teams admin center. You can amend the default “Global” policy or create a new meeting template. Select a template and choose to either hide or show it from users assigned to this policy (Figure 11). Once the policy is configured, make sure to assign it to the target set of users.

Figure 11: Users assigned to this policy will be able to display and select from all templates shown under “Viewable templates”
Figure 11: Users assigned to this policy will be able to display and select from all templates shown under “Viewable templates”

Using Meeting Templates

A user with a Teams Premium license who is assigned a template policy can pick meeting templates from the “New meeting” button in Teams. The sub-headers display the template descriptions, helping organizers pick the most suitable template (Figure 12).

Figure 12: Descriptions are a great way of adding information to help organizers pick the most suitable template for their meeting
Figure 12: Descriptions are a great way of adding information to help organizers pick the most suitable template for their meeting

Conclusion

Usings sensitivity labels to configure and protect Outlook and Teams meetings requires Teams premium license on top of a valid base license. Unless users already have the required licenses, I recommend that you assign Teams Premium licenses and target policies only to users scheduling many and/or sensitive meetings. This can be a challenge in larger organizations, since IT is usually not aware of who manages what level of sensitivity regarding meetings and information.

I also want to highlight the importance of user training. Even if a meeting is configured by a template or label (or both), organizers should know the implications of various settings since a setting can limit meeting functionality. Applying strong security for the sake of security might restrain organizers from using the “correct” templates or labels. Especially since there is no way to enforce using any or specific templates (always optional).

Using meeting templates and sensitivity labels helps organizations secure and standardize various meeting types. They can also aid organizers when scheduling meetings, making them a great choice for organizations with heavy meeting volumes that have certain requirements in terms of handling and safeguarding sensitive information. Before deploying labels and templates, make sure to assess licensing, current labeling configurations, security requirements, and target audiences.

About the Author

Adam Deltinger

I have for many years been working as a consultant mostly focusing on Microsoft products and cloud technologies. Today I work to empower my employer with the help of Microsoft 365 and modern tools - making users collaborate better, work more efficient and to be more productive - in a secure environment. I'm also a Microsoft MVP with since 2019, focusing on collaboration and productivity

Leave a Reply