Templates and Sensitivity Labels
In my previous article, I explained the security settings available for meetings in Teams Premium. Here, I delve deeper into meeting templates and sensitivity labels, exploring how labels and templates can be used to adhere to requirements, policies, and if necessary, enforce some applicable settings in meetings.
Sensitivity Labels for Teams Meetings
Sensitivity labels traditionally protect documents and emails. Teams Premium enables sensitivity labels to be configured to enforce settings for Teams meetings, such as:
- Who can bypass the lobby
- Who can present
- Who can record and transcribe
- Encryption for meeting video and audio
- Automatic start of meeting recording
- Watermarking for screen sharing and camera streams
- Prevent or allow copying of chat contents to the clipboard
When meeting organizers apply a sensitivity label to a meeting, Teams configures the meeting options automatically. Unlike meeting templates, a sensitivity label always enforces the settings in its configuration. Meeting organizers can’t override the settings.
To use sensitivity labels for meetings and invites, organizers must have a Teams Premium license in addition to any of the following SKUs:
- Microsoft 365 E5/A5/G5
- Microsoft 365 E5/A5/G5/F5 Compliance
- Microsoft 365 F5 Security & Compliance
- Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
- Office 365 E5/A5
Why Use Sensitivity Labels in Meetings?
Sensitivity labels help organizations by pre-configuring necessary security settings and applying the settings to meetings. Administrators can enforce the application of sensitivity labels by:
- Adding a default label for all meetings being created
- Requiring meeting organizers to select a label for all meetings (they can pick from the sensitivity labels published to their account)
- Adding a label to a meeting template
Configure Labels for Teams Meetings
To create or edit a sensitivity label for Teams meetings, create or edit a label in the Information Protection section of the Microsoft Purview Portal. When selecting the label scope, make sure to tick the “Meetings” checkbox (Figure 1).
It’s not possible to configure sensitivity labels scoped for meetings only. Due to dependencies, the scope for sensitivity labels must include files and emails before they can support meetings. The “Emails” option supports the calendar event, invitation, related email responses, and the “Files” option for related attachments. If sensitivity labels are already deployed in an organization, it makes sense to reconfigure these labels to include the meeting scope.
The next step of the wizard displays the option “Protect Teams meetings and chats.” Ticking this option will present the settings that can be configured for meetings (Figure 2).
To encrypt and add watermarking to meeting invites, “Control Access” and “Apply content marking” must be configured for emails (Figure 3).
After configuring the settings, save the label.
As with files and emails, the organization can configure a default and/or required sensitivity label for meetings using label policies. Edit a sensitivity label policy. Under Settings, a default sensitivity label for meetings and calendar events can be configured. When a default label is configured, Teams applies the label to every meeting for organizers with required licenses assigned. The label can subsequently be changed or removed by the organizer. To ensure that a label is always applied to meetings, choose the option to require a label (Figure 4).
Here’s an example of configuring a default meeting sensitivity label with PowerShell:
<em>Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{teamworkdefaultlabelid=<labelID>}</em>
To configure mandatory Labeling for meetings:
<em>Set-LabelPolicy -Identity <policy name> -AdvancedSettings @{TeamworkMandatory=<"True"/” False”>}</em>
Using default and required sensitivity labels for meetings can simplify the user experience and ensure that a minimum level of protection is applied to all meetings. However, I recommend that you align meeting settings with the label configurations for files and emails. Any of these settings can impact end-users and having different label configurations for different scopes makes adoption harder.
I do not recommend using a default label for meetings unless all users within the scope of the label policy meet the licensing requirements.
Applying a Label to an Outlook Meeting
After meeting labels are configured and published, licensed users can start using the sensitivity labels when scheduling meetings from Outlook and Teams. Figure 5 shows how to apply a meeting label in Outlook when the policy specifies a default and required sensitivity label. In this case, because the policy requires a label, the meeting organizer cannot remove the label. Any protection (encryption) settings from the label apply to the meeting invitation.
Figure 6 displays the meeting options in which end-to-end encryption and watermark are enabled and enforced due to an applied sensitivity label.
Figure 7 shows the experience of an organizer assigned to a different sensitivity label policy with no default or required label configured, scheduling a meeting in Teams. Available labels configured for meetings can be picked from the “Sensitivity” menu.
Limitations for Sensitivity Labels in Meetings
As always, some limitations exist. The important ones to highlight are:
- Sensitivity labels can’t be applied to live events, town halls, and webinars
- Assigning labels to meeting invites via a Graph API isn’t supported
- Shared mailbox calendars do not support sensitivity labels
For full details about limitations, please read this blog.
Introduction to Teams Meeting Templates
Meeting Templates enable organization administrators to design templates for Teams meetings. Different meeting types may need varied configurations, and templates that have pre-configured meeting options determined by administrators make it easier for organizers to schedule without determining the ideal settings for each meeting type themselves. Templates also help enforce the required security settings for each type of meeting. When creating a template, there are many meeting settings that overlap with those in a sensitivity label. Moreover, some settings only exist in either templates or sensitivity labels. Table 8 displays the various settings and from where they can be configured.
| Configurable Settings | Meeting templates | Sensitivity labels |
| Lobby settings | Yes | Yes |
| End-to-end encryption | Yes | Yes |
| Watermarks | Yes | Yes |
| Chat and restrict copying chat | Yes | Yes |
| Recording settings | Yes | Yes |
| Copilot for meetings options | Yes | No |
| Meeting reactions | Yes | No |
| Enable/disable QnA | Yes | No |
| Manage what attendees can see | Yes | No |
| Attendee Microphone and camera control | Yes | No |
| Notify when callers join and leave | Yes | No |
| Control who can present | No | Yes |
| Include Sensitivity label | Yes | – |
Template settings can be configured to be:
- Unlocked: Administrators set a default value that can be changed by the organizer
- Locked: Administrators set a default value that can’t be changed by the organizer (enforced)
Administrators can also hide certain settings from the meeting options pane if required.
A sensitivity label can be added to a template. It’s important to note that label settings always take precedence over template settings. Since labels always enforce configured settings (never optional), it’s important to think through and plan for a desired outcome if using both.
For example, if a sensitivity label is configured with end-to-end meeting encryption included and locked in a template, the encryption setting is greyed out in the template settings. The label setting takes precedence and enforces encryption. Sensitivity labels and meeting templates are a powerful combination if used correctly. A sensitive meeting itself can be internal or external, highly sensitive, and so on. A sensitivity label can be configured with settings applicable for all types and added to multiple meeting templates. Specific settings in each template can then be refined according to their more specific meeting type.
For instance, a sensitivity label named “Confidential” is used for files, email, and meetings. The label is configured with the minimal security baseline for all types of sensitive meetings and does not mandate end-to-end encryption. A “Highly Confidential” meeting template includes the “Confidential” label and enforces end-to-end encryption using the template setting in locked mode. The template for Confidential meetings uses the same label but only makes end-to-end encryption optional using the template setting in an unlocked mode.
Configuring Templates for Teams Meetings
Meeting templates are configured in the Meeting section of the Teams admin center. The option is only available if at least one Teams Premium license is activated in the tenant.
Click “Add” or edit an existing template. Up to 50 custom templates are supported per tenant. If creating a new template, give it a name and description. Set the default value for at least one setting and use the options to hide/show, lock/unlock each setting according to requirements. Figure 10 shows the sensitivity label “General” added and locked to the template, while the lobby setting is in an unlocked mode, and therefore can be changed by an organizer.
As with sensitivity labels, templates are published to users through a policy. You can create multiple policies and assign them to different sets of users if necessary.
Meeting templates are managed through the Meetings section of the Teams admin center. You can amend the default “Global” policy or create a new meeting template. Select a template and choose to either hide or show it from users assigned to this policy (Figure 11). Once the policy is configured, make sure to assign it to the target set of users.
Using Meeting Templates
A user with a Teams Premium license who is assigned a template policy can pick meeting templates from the “New meeting” button in Teams. The sub-headers display the template descriptions, helping organizers pick the most suitable template (Figure 12).
Conclusion
Usings sensitivity labels to configure and protect Outlook and Teams meetings requires Teams premium license on top of a valid base license. Unless users already have the required licenses, I recommend that you assign Teams Premium licenses and target policies only to users scheduling many and/or sensitive meetings. This can be a challenge in larger organizations, since IT is usually not aware of who manages what level of sensitivity regarding meetings and information.
I also want to highlight the importance of user training. Even if a meeting is configured by a template or label (or both), organizers should know the implications of various settings since a setting can limit meeting functionality. Applying strong security for the sake of security might restrain organizers from using the “correct” templates or labels. Especially since there is no way to enforce using any or specific templates (always optional).
Using meeting templates and sensitivity labels helps organizations secure and standardize various meeting types. They can also aid organizers when scheduling meetings, making them a great choice for organizations with heavy meeting volumes that have certain requirements in terms of handling and safeguarding sensitive information. Before deploying labels and templates, make sure to assess licensing, current labeling configurations, security requirements, and target audiences.
