Recently M365 was updated to allow administrators to enable sensitivity labels in Microsoft 365 Groups and SharePoint sites.  This means that any container in M365 that is backed by a Microsoft 365 Group or SharePoint can have sensitivity controls applied to it.  This includes Microsoft Teams and OneDrive for Business.  In this post we’ll walk through the steps for enabling sensitivity labels for your tenant’s M365 Groups and SharePoint sites.

Enable Sensitivity Labels for Office Files in SharePoint and OneDrive

The feature to be enabled is actually called “Sensitivity Labels for Office Files in SharePoint and OneDrive” but it is a bit misleading. It isn’t actually there to set the sensitivity labels of content within the container.  Instead, it provides support for sensitivity labels by adding the following capabilities:

  • Users may use Microsoft Search to find files that are stored in SharePoint and OneDrive and are protected (encrypted) by Microsoft Information Protection.
    • Note: this doesn’t give them access to the files, but it does make them discoverable.  Previously, even if a user had access to the file, they couldn’t find it with search.
  • Even if the files are encrypted, DLP policies can be applied to content within SharePoint Online and OneDrive for Business
  • Users can coauthor on files in SharePoint and OneDrive that are protected (encrypted) by Microsoft Information Protection by using Microsoft Word Online, Excel Online, and PowerPoint Online
  • The sensitivity label of a file in SharePoint and OneDrive may be displayed in a built-in Sensitivity metadata column

Enabling the feature can be accomplished via the admin console or through PowerShell.

Enabling via Compliance Center
  1. Navigate to https://compliance.microsoft.com
  2. Click on Show All
  3. Click on Information Governance
  4. If the feature has not yet been enabled you will be presented with a banner providing information on the feature and a button to enable it.  Clicking on the button will enable the feature immediately.


Enabling via PowerShell

Using the SharePoint Online Management Shell for PowerShell, log in to your tenant.  To enable the feature, run the following command:

Set-SPOTenant -EnableAIPIntegration $true

 

Enable Sensitivity Labels in Microsoft 365 Groups and SharePoint Sites

The previous step doesn’t quite get us where we want to go.  It will provide extra support for sensitivity labeled content within the containers themselves, but enabling sensitivity labels for Microsoft 365 Groups and SharePoint Sites allows for controls to be applied directly to a site based on the sensitivity label assigned to it.  See Creating a Sensitivity Label for Groups and Sites for more information on this feature.

Enabling the feature requires the use of the Azure AD PowerShell Module.

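Install-Module AzureADPreview
# Log in with global administrator credentials
Connect-AzureAD
# Retrieve the tenant's existing Group.Unified directory settings object
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
# Display the current values for review before changing anything
$Setting.Values
# Turn on sensitivity label support for Microsoft 365 Groups
$Setting["EnableMIPLabels"] = "True"

# Write the updated settings object back to Azure AD
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting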

The final step is to connect the Microsoft 365 Compliance Center to Azure AD (for Unified label integration).  This is completed using the Exchange Online V2 (EXO V2) PowerShell Module.

Import-Module ExchangeOnlineManagement

#UPN is your account information utilizing the user principal name format (drever@mydomain.com)
Connect-IPPSSession -UserPrincipalName <UPN> 
Execute-AzureAdLabelSync
Disconnect-ExchangeOnline

Once these features are enabled, sensitivity labels can now be applied directly to M365 Groups and SharePoint sites.
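
The Azure AD step above assumes a Group.Unified settings object already exists in the tenant; where none has been created, the lookup returns nothing and the Set call fails. The following is an added example, not part of the original post, that handles both cases, records the previous value for change tracking, and re-reads the setting to confirm it. The function name Enable-GroupMipLabels is hypothetical, and the script assumes the AzureADPreview module is installed.

```powershell
# Added example: idempotent version of the EnableMIPLabels step.
# Assumes AzureADPreview is installed and the account can manage directory settings.
Import-Module AzureADPreview
Connect-AzureAD

function Enable-GroupMipLabels {   # hypothetical helper name
    # Look for an existing Group.Unified settings object in the tenant.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if (-not $setting) {
        # No settings object yet: build one from the built-in template.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $setting = $template.CreateDirectorySetting()
        $setting['EnableMIPLabels'] = 'True'
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
        Write-Host 'Created Group.Unified settings with EnableMIPLabels = True'
    }
    elseif ($setting['EnableMIPLabels'] -ne 'True') {
        # Record the prior value so the change can be traced or reverted.
        Write-Host "Previous EnableMIPLabels value: $($setting['EnableMIPLabels'])"
        $setting['EnableMIPLabels'] = 'True'
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    }
    else {
        Write-Host 'EnableMIPLabels is already True; nothing to change'
    }

    # Re-read from the directory instead of trusting the local object.
    $current = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    return ($current['EnableMIPLabels'] -eq 'True')
}

if (Enable-GroupMipLabels) {
    Write-Host 'Verified: sensitivity labels are enabled for Microsoft 365 Groups'
}
else {
    Write-Warning 'EnableMIPLabels is not True after the update; review the tenant settings'
}
```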

Thanks for reading!