In part one of this series, we explained the principles of applying sensitivity labels at the container level within Microsoft 365, and that there are currently three containers to which sensitivity labels can be applied. These are SharePoint Sites, Microsoft Teams, and M365 groups.
We showed how to modify an existing sensitivity label and enable it for Site and group settings, and also how set up a new label with these settings. Then, we showed how to apply a chosen sensitivity label to the first of the three available containers by setting up a new SharePoint Online Team Site.
In part two of this blog series, we will demonstrate how to apply the sensitivity label to the two other container options, which are Microsoft Teams and M365 groups.
Applying sensitivity labels to Teams
Let’s take a look at Teams first. In the following example, we will apply the General \ HR label (which we created in part one of this blog) whilst setting up a brand new Team.
- First, log in to either the Teams App, or go to https://teams.microsoft.com in your browser. One of the many great things about Teams is that it looks identical cross-platform and experience. Below you can see my Teams window, and I already have some Teams setup.
2. At the bottom of the window, select Join or create a team as shown below.
3. Next, click on Create team.
4. Now you will see two choices. You may create a new team from scratch or build your Team from an existing M365 group. For this example, I will select the option to Build a team from scratch.
5. Next, we need to choose what type of team that we want this to be. Those of you who have been using Teams for a while will recognize the three choices of Private, Public, and Org-wide. However, we now also have another decision to make at this point, which is whether we wish to apply a sensitivity label to our team.
6. When you click the dropdown menu under Sensitivity you will see the labels which are available for you to assign to your team. You will only see labels that have been assigned to you directly as a user or via group membership. In the example below, I will choose our General \ HR label.
7. This choice of label immediately greys out two of the three choices of team types, leaving Private as the only possible choice. This is due to the fact that this label was set up in the Compliance center as a Private label.
8. Now we can enter a description for the new team and click Create to complete the setup.
9. After clicking to create the team, we can add some additional members if required. When we open up the new team, we can see to the left of the Meet button that the Team has been labeled with the General \ HR label. Note that this shows simply as HR however as this is a sub-label.
10. Below we can see the new team as it appears in the main Teams window following the setup process.
11. Now let’s take a look at some information about the new Team. Click on the three dots next to the team name and click on Edit team.
12. Here we can see the team name, description, and most importantly the sensitivity and privacy settings which we chose in the Team setup process.
13. If we wanted to change the sensitivity label for this Team, we can do so by clicking the dropdown as shown below.
14. For example, we could change the sensitivity to None. This would also have the effect of allowing the privacy settings for the Team to be edited once more.
So, nice and simple and we have our Team with a sensitivity label applied. Now let’s discuss the effect that sensitivity labels can have in relation to guest access in Teams.
Guest access and sensitivity labels in Teams
Our new Human Resources team has been setup using a label which is set to private and does not allow guest access. So, what happens if we try and add an external guest to our new team? Let’s take a look.
- Here I will attempt to add my Gmail account as a member of the team by clicking on Add more people.
2. When I enter my email address as shown below, we see that the account cannot be found or added. So, the sensitivity label is doing its job nicely.
What if we had an existing Team which currently allows external guests though, and we modify the Team settings to apply the private HR sensitivity label? Here’s how this works.
3. I open another Team called Purchasing, which has no sensitivity label applied to it, and contains my Gmail account as a team member.
2. Now if I change the sensitivity label for the team to General \ HR, the result is that I can no longer add an external member due to the new label settings. This is shown below where I attempt to add my Outlook.com account as a member of the team.
What happens to the existing membership for my Gmail account though? Well, if we check again under members and guests, we see that this account retains access to the team.
So, this is definitely something to be aware of. Guests will not be automatically be removed as team members when the label setting is changed to disallow guest access.
Applying sensitivity labels to M365 Groups
Now that we’ve seen sensitivity labels in Teams, let’s take a look at how they work with M365 groups. Teams and M365 groups are of course closely related. When you create a team, you either create a new or use an existing M365 group.
To examine the settings available for sensitivity labels in M365 groups we need to complete the following steps.
- Login to the Azure portal athttps://portal.azure.comand click on the three horizontal lines at the top left of the screen.
2. Select Azure Active Directory.
3. Now click on Groups.
4. If we search for Human Resources in the groups list, we can see two results as shown below.
5. The first entry is a group which is tied to the Human resources SharePoint Site which we created in part one of this series. The second entry is the group which has just been created with our new Human Resources team. You will note that this group has been setup with some random numbers added to the group email address to distinguish it from the other SharePoint group of the same name.
6. If we select this group, we can see an overview of its settings as shown below.
7. If we click on Properties, we are able to modify the group settings if required, including the sensitivity label.
8. Clicking the dropdown under Sensitivity label will allow us to make that change if desired.
How does this look when creating a new group though?
- To setup a new group, click the + New Group button.
2. The default new group choice is a Security group as shown below. Security groups do not have the option to apply sensitivity labels.
3. If, however, we change the group type to Microsoft 365, the Sensitivity label field within the new group set up comes into play as shown below.
Important note – watch out when creating new Teams and Groups that there is not already a SharePoint Team site with the same name. If this should be the case, you may decide to select a different Team or Group name or use the existing group when setting up the Team.
In this post, we have shown you how you can apply sensitivity labels to Microsoft Teams, and M365 groups. We demonstrated that labels can be applied to both new and existing Teams and Groups, and how Group or Team owners can easily change the labels at any time.
We also explained the impact of setting sensitivity labels with a Private setting, and the effect that this had with guest members within Teams.
In part three of this blog series, we will discuss the impact of apply sensitivity labels at the container level, where document level label settings are also in place. We will also show you some useful tips on the M365 audit logs’ auditing capabilities in relation to sensitivity labeling.
Peter Rising has over 25 years’ experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical roles focusing on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft Office 365 platform, initially carrying out mail migrations from on-premises platforms and tenant-to-tenant migrations. Since joining Softcat PLC in 2016, Peter has shifted his focus to Microsoft 365 Security and Compliance, and Collaboration, and is now a senior consultant in Softcat’s public cloud technical practice. He holds a number of Microsoft certifications, including MCSE: Productivity; MCSA: Office 365; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Security Administrator Associate.