
How to add sensitivity labels to my existing groups, teams and sites? This was a question I was asked after one of my previous blogs on how to protect your groups, Teams and sites. If you only have a small number of groups, teams and sites, then it is easy to manually add the container sensitivity label to each group team or site. But what happens when you have thousands of groups, couples and sites?
Fortunately, there is a way to automate this task using PnP PowerShell. In this blog post, I will walk you through the steps needed first to analyze your existing groups, teams and site and then to programmatically apply container sensitivity labels to your existing Teams, Groups, and Sites in Microsoft 365 to help you protect your important data from unauthorized access and accidental sharing.
Step 1 – Define your sensitivity label policy
The first step is to define your sensitivity label policy for your Microsoft 365 Groups, Teams and SharePoint sites, referred to as container labels. This policy should determine what types of information are considered sensitive and how the data should be classified.
Step 2 – Create your sensitivity labels in Microsoft Purview
✅ I recommend starting with two labels, Internal and External, unless you have specific needs for the other labels. I also recommend keeping these container labels separate from content labels as they serve different purposes.
Once you’ve defined your container sensitivity label policy, you can create your sensitivity labels in the Microsoft Purview Admin Center> Information Protection. ⚠️If you see the message below, you must first enable sensitivity labels for groups, Teams and sites.

✅ Read my blog on How to protect your Microsoft Teams, Groups and Sites, where I described how to enable the functionality and create sensitivity labels.

Step 3 – Create a PowerShell script to identify external users and external sharing in your existing groups, teams and sites
The third step is to review the access control permissions of your existing groups, teams and sites with sensitivity labels to understand better which groups, Teams and sites have external guests and external sharing.
Use PnP PowerShell to create a CSV file of the access control permissions for your existing groups, teams and sites.
The script connects to each SharePoint site in turn and retrieves the following properties:
- Site Name
- URL
- Group Id (non-group connected SharePoint sites have a GroupId of 00000000-0000-0000-0000-000000000000)
- Site owner
- Site template (this will show the type of site, e.g. communications site, group, teams channel etc.)
- Group type
- Site sharing permissions
- Site conditional access policy
- File sharing link
- File sharing link type
- Sensitivity label
For the group-connected sites, the script connects to each group-related site (Template type GROUP#0) and returns the group-specific properties:
- Group privacy (public, private)
- Site owners (this is not the same as a group owner)
- Group owner email addresses
- Are guests allowed
- Number of external guests
✅ I ignored Teams Private and shared channels with templates TEAMCHANNEL#0 or TEAMCHANNEL#1 as the channels inherit the permissions from the parent group.
The script uses the PnP PowerShell module, which can be downloaded and installed from https://pnp.github.io/powershell
⬇️Download the PowerShell script from my GitHub Public/Groups_Teams_Site_Report_PnP.ps1 at main · nikki-c/Public (github.com)
Open a PowerShell window and connect to your SharePoint Online tenant using `Connect-PnPOnline -Url https://yourtenant.sharepoint.com`.
The CSV detailing the summary of all your existing groups, Teams and sites is created when the PowerShell script has finished.
Step 4 – Analyse your existing Microsoft 365 Groups, Teams and SharePoint sites
The fourth step is to review the CSV file and map which sensitivity label to apply to each Microsoft 365 Group, Teams or SharePoint site.
The CSV provides key information on the current access controls and whether it is connected to a group and whether that group is a group, Team, or Yammer community.

✅I recommend saving your CSV as an Excel file and formatting the data as a table so you can easily filter and create pivot tables.
✅The default site sharing permissions are different depending on the type of site:
- Communication sites = Only people in your organization
- Microsoft 365 Groups and Teams = New and existing guests.
Review each group, Team and site and establish which label should apply. For example:
- Guest count = 0 plus external sharing is disabled = Apply Internal label
- Guest count > 0 plus external sharing allowed and should be used for external sharing = Apply the External label.
- Guest count > 0 and or external sharing allowed, but the content should not be shared externally = Apply Internal label and ⚠️Importantly remove existing guests from the Team.
You can identify any issues or gaps, such as duplicate names, inconsistent naming conventions, missing owners or inappropriate site-sharing options.
✅The review and labeling of your groups, teams and sites can be an iterative process. Just make sure you label your high-risk containers first.
Step 5 – Apply labels to your existing Micro oft 365 Groups, Teams and SharePoint sites
The fifth step is to create a CSV file that lists the sites and their sensitivity labels and to use PowerShell to add a sensitivity label for each site.
✅Important. Before you update any Teams with a label that will block guest access, remember to remove any existing guests first. This is because the label does not block access for existing guests.
The script requires the sensitivity label ids rather than the display name. The sensitivity label ids are not visible in the Purview Admin center. Use Security and Compliance Center PowerShell Connect to Security & Compliance PowerShell | Microsoft Learn using an administrator account to retrieve the Guids.
Get-Label | Where-Object {$_.ContentType -EQ 'Site, UnifiedGroup'} |Format-Table DisplayName, Guid

To batch update your groups, teams and sites, create a CSV file with two columns named URL and LabelID. Add your list of site URLs and corresponding sensitivity label ids to the CSV file. ⚠️Note. You must use the sensitivity label Guid.

The script uses PnP PowerShell, imports the CSV, loops through each row, and adds the sensitivity label to each site URL. If the site is a Microsoft 365 group-connected site, the label is also applied to the Teams or group. Finally, a CSV file is created to summarize the updates.
⬇️Download the PowerShell script from my GitHub Public/Bulk_Add_Container_Sensitivity_Labels.ps1 at main · nikki-c/Public (github.com)
You can also rerun the report created in Step 3 to get an updated view of your groups, teams and sites, including the sensitivity labels.
Managing sensitivity labels
Admins can view and manage the sensitivity labels in the SharePoint Admin Center and Teams Admin Center.


Users will see the sensitivity labels at the top of the group, Team or site.


⚠️Group, team and site owners can change the container sensitivity labels, so you may want to keep track and revert to the original label. Read my colleague Alexander Holmeset’s blog post on Monitor and reset to the original Sensitivity Label if changed for your SharePoint site or M365 Group/Team! | A blog about automation and technologies in the cloud (alexholmeset.blog)
Conclusion
Applying container sensitivity labels to all your existing groups, teams and sites is a critical step in securing access to your corporate data by providing relevant access depending on the sensitivity of your data.
Following the steps outlined in this blog post, you can create and apply container sensitivity labels to all your existing groups, teams and sites.
Microsoft Reference
Connect to Security & Compliance PowerShell | Microsoft Learn