How to protect your Microsoft Teams, Groups and Sites

Container sensitivity labels

How secure are your Microsoft 365 Groups and Teams?

Did you know that your Guest access and external sharing controls are managed at the tenant level? As a result, security becomes ‘one size fits all’, rather than providing granular security controls based on Teams, Groups, and Sites’ confidentiality requirements.

For example:

  • When guest access is enabled, Team owners can add external guests to all Microsoft Teams, Groups and SharePoint sites.
  • When you create a new Team or a Group, the default SharePoint external sharing is set to New and existing guests unless your tenant setting is more restrictive. So Team members can share Teams content externally.

Check out the information below to learn how you can use sensitivity labels to apply granular security controls to Teams, Groups, and Sites.

Why allow guest access in Microsoft 365

Most organisations must collaborate with external parties, customers, suppliers or partners.

If IT has been overzealous and blocked guest access in Microsoft 365, then external collaboration will continue via shadow IT (personal email, consumer file-sharing services and similar tools). In this scenario, you have lost control over external communications and collaboration.

A better way to manage the risk of external collaboration is to enable guest access in Microsoft 365. This way, you have complete control of managing and monitoring external communications and collaboration.

However, just enabling guest access in Microsoft 365 introduces the risk of data overexposure, because when guest access is enabled, it is enabled for all Teams, Groups, and SharePoint team sites by default. Therefore, there is a risk that Team owners add guests to Groups and Teams holding confidential and sensitive data that external people should not be able to access.

The way to mitigate this risk is to implement container sensitivity labels that allow or block guest access at the individual Group, Team, and Site level rather than at the tenant level.
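Before rolling out container labels it helps to know which Groups and Teams already contain guests and whether their current label permits that. The following audit script is an added example, not part of the original article; it uses the Microsoft Graph PowerShell SDK, and the list of internal-only label names is an assumption you adjust to your own label scheme (the article's later example scheme uses Public, Internal and Highly Confidential as labels that block guests).

```powershell
# Added example (not from the original article): find Microsoft 365 Groups
# that contain guest members although their container label blocks guests,
# and groups that carry no container label at all (tenant-wide settings apply).
# Assumes the Microsoft.Graph PowerShell SDK is installed. The label names in
# $internalOnlyLabels are hypothetical and must match your tenant's labels.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

$internalOnlyLabels = @('Public', 'Internal', 'Highly Confidential')

# Microsoft 365 Groups (which back every Team) are the 'Unified' group type.
$groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property 'id,displayName,assignedLabels'

$findings = foreach ($g in $groups) {
    # Guest members are Azure AD B2B accounts, i.e. users with userType = Guest.
    $guests = Get-MgGroupMemberAsUser -GroupId $g.Id -All `
        -Property 'id,userPrincipalName,userType' |
        Where-Object { $_.UserType -eq 'Guest' }
    $guestCount = @($guests).Count

    # A group carries at most one container label; read its display name.
    $label = ($g.AssignedLabels | Select-Object -First 1).DisplayName

    if (-not $label) {
        [pscustomobject]@{
            Group   = $g.DisplayName
            Label   = '(none)'
            Guests  = $guestCount
            Finding = 'Unlabelled: tenant-level guest settings apply'
        }
    }
    elseif ($label -in $internalOnlyLabels -and $guestCount -gt 0) {
        [pscustomobject]@{
            Group   = $g.DisplayName
            Label   = $label
            Guests  = $guestCount
            Finding = 'Guests present in an internal-only container'
        }
    }
}

$findings | Sort-Object Guests -Descending | Format-Table -AutoSize
```

Applying a label that blocks guests does not remove guests who are already members, so the second finding needs manual follow-up with the Team owner.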

What are Sensitivity labels for containers?

In addition to using sensitivity labels to protect Office files and emails, you can use sensitivity labels to protect containers: Microsoft Teams, Microsoft 365 Groups and SharePoint sites. Note that files stored in those containers do not inherit the container label. Container labels are complementary to item labels.

Sensitivity labels for containers provide the following configuration settings:

  • Privacy (public or private) access
  • External user access
  • External sharing from SharePoint sites
  • Access from unmanaged devices
  • Authentication contexts
  • Default sharing link for a SharePoint site (PowerShell-only configuration)
  • Site sharing settings (PowerShell-only configuration)

The sensitivity label is displayed at the top of each Group, Team or Site. For example, the screenshot shows a sensitivity label indication on a Team.

These container sensitivity labels complement the sensitivity labels used to protect the content. The table below shows different use cases.

Functionality                      | Container label                                   | Item label
-----------------------------------|---------------------------------------------------|----------------------------------------
Used with                          | Teams, Microsoft 365 Groups and SharePoint Sites  | Office files, emails and Power BI items
Visual indicator                   | Yes                                               | Yes
Default label                      | Yes                                               | Yes
Target labels to group of users    | Yes                                               | Yes
Headers, footers & watermarks      | No                                                | Yes
Encrypt items                      | No                                                | Yes
Automatically apply label          | No                                                | Yes
Container privacy                  | Yes                                               | No
External sharing                   | Yes                                               | No
External guest access              | Yes                                               | No
Access from unmanaged devices      | Yes                                               | No
Default sharing scope & link       | Yes                                               | No
Authentication context             | Yes                                               | No

What can you control?

Privacy

  • Private
  • Public
  • User selects

External access

  • Internal only (block guests)
  • Allow guests

SharePoint site sharing settings

  • Internal only
  • Existing guests
  • Existing & new guests
  • Anyone

Access from unmanaged devices

  • All
  • Web-only
  • Block

Default sharing scope for a SharePoint site

  • Organisation
  • Specific people
  • Anyone

Default sharing link for a SharePoint site

  • Edit
  • View

Site sharing settings

  • Site owners and members can share files, folders, and the site. People with Edit permissions can share files and folders.
  • Site owners, members, and people with Edit permissions can share files and folders, but only site owners can share the site.
  • Only site owners can share files, folders, and the site.

Considerations

  • Update existing sensitivity labels for containers to apply external sharing controls.
  • These labels do not apply to Yammer-created groups.
  • Requires Azure AD Premium licensing.
  • Example sensitivity labels for Teams.
  • Once applied, only the owner of the Team can remove or change the sensitivity label.
  • If you have parent/child sensitivity labels, only the parent label is displayed on the Team.
  • Multiple display languages are not supported.
  • A default sensitivity label can be applied to all Teams.

Enable Sensitivity labels for Groups, Teams and Sites (Container labels)

Before creating your container labels, they must first be enabled in Azure AD using PowerShell. This is a one-time action.

Read the following Microsoft article for instructions: Assign sensitivity labels to groups – Azure AD – Microsoft Entra | Microsoft Learn

Once enabled, the Groups and sites option becomes available.

You can now create sensitivity labels with privacy and access control settings for Teams, SharePoint sites, and Microsoft 365 Groups.

Create sensitivity labels

Sensitivity label   | Privacy | Guests | SharePoint sharing    | Unmanaged devices | Authentication context
--------------------|---------|--------|-----------------------|-------------------|-----------------------
Public              | Public  | No     | Internal              | Yes               | None
Internal            | Private | No     | Internal              | Yes               | None
External            | Private | Yes    | New & Existing guests | Web-only          | Guests’ Terms of Use
Highly Confidential | Private | No     | Internal              | Block             | Enforce MFA

From the Microsoft Purview Admin center (https://compliance.microsoft.com):

  • Select Information Protection
  • Select labels
  • Create a label
  • Add the name and tooltip for your label

Define the scope of this label

Sensitivity Labels are used for both items and Groups & Sites.

  • Items = Configure protection settings for labelled emails, Office files, and Power BI items.
  • Groups and site = Configure privacy, access control, and other settings to protect labelled Teams, Microsoft 365 Groups, and SharePoint sites.

Important. If the Groups and sites option is still greyed out, then the Sensitivity labels for Groups, Teams and Sites have not been enabled.

Define the protection settings for groups and sites

Tick both boxes, the privacy and external user access settings and the external sharing and conditional access settings, so that the label controls both external guest access and the external sharing settings.

Define privacy and external user access settings

Privacy settings

  • Public = Anyone can join. Users can search for and join public Teams, Groups or Sites.
  • Private = Only the owners or admin can add members. Non-members cannot see Team, Group and Site names.
  • None = The user selects Private or Public at the point of creation.

External user access

  • Leave unticked if you want to stop guests from joining the Team, Group or Site.
  • Tick to allow guests to join the Team, Group or Site.

Define external sharing and conditional access settings

Decide who can access the SharePoint Content

  • Only people in your organisation = You cannot share content with external users or guests.
  • Existing Guests = You can share content with guests who already have an Azure AD B2B account.
  • New and existing guests = You can invite guests and share content with them.
  • Anyone = You can share content with external users who are not guests in Teams.

Decide whether users can access labelled sites from unmanaged devices.

PowerShell only controls

The following controls can only be applied using PowerShell.

  • Settings for the default sharing link and scope
  • Site sharing permissions

Create your labels first and then update them via PowerShell using the Set-Label command. The -Identity parameter is the unique ID of the sensitivity label. For example:

Set the default sharing scope to Specific people:

Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultSharingScope="SpecificPeople"}

Set the default sharing link type permissions to Edit:

Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultShareLinkPermission="Edit"}

Set the Site sharing permissions to Only site owners can share files, folders, and the site:

Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{MembersCanShare="MemberShareNone"}
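The three settings above can be applied in a single Set-Label call and then read back for verification. The function below is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and uses the article's example label names (Highly Confidential, External) in place of the label GUIDs.

```powershell
# Added example (not from the original article): apply all three
# PowerShell-only sharing controls to a container label in one Set-Label
# call, restricting inputs to the values the article lists, then read the
# stored settings back. Assumes the ExchangeOnlineManagement module is
# installed; the label names used below follow the article's example scheme.
Connect-IPPSSession

function Set-ContainerSharingDefaults {
    param(
        [Parameter(Mandatory)] [string] $Label,
        [ValidateSet('Organization', 'SpecificPeople', 'Anyone')]
        [string] $Scope = 'SpecificPeople',
        [ValidateSet('View', 'Edit')]
        [string] $LinkPermission = 'View',
        [ValidateSet('MemberShareAll', 'MemberShareFileAndFolder', 'MemberShareNone')]
        [string] $MembersCanShare = 'MemberShareNone'
    )
    # -Identity accepts the label name or its GUID. The hashtable keys are the
    # same advanced-setting names used in the individual commands above.
    Set-Label -Identity $Label -AdvancedSettings @{
        DefaultSharingScope        = $Scope
        DefaultShareLinkPermission = $LinkPermission
        MembersCanShare            = $MembersCanShare
    }
    # Read the label back and return only the three sharing settings so the
    # change can be verified (and kept as an audit record).
    (Get-Label -Identity $Label).Settings |
        Where-Object { $_ -match 'DefaultSharingScope|DefaultShareLinkPermission|MembersCanShare' }
}

# Most restrictive defaults: specific-people view links, only owners share.
Set-ContainerSharingDefaults -Label 'Highly Confidential'

# External collaboration label: organisation-scoped view links by default;
# members may share files and folders, but only owners may share the site.
Set-ContainerSharingDefaults -Label 'External' -Scope 'Organization' `
    -LinkPermission 'View' -MembersCanShare 'MemberShareFileAndFolder'
```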

For more information and instructions, see Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive and Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites – Microsoft Purview (compliance) | Microsoft Learn

Microsoft References

Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites – Microsoft Purview (compliance) | Microsoft Learn

Assign sensitivity labels to groups – Azure AD – Microsoft Entra | Microsoft Learn

Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive
