
Are you using Microsoft Purview sensitivity labels to control access to Microsoft Teams, Groups and Sites? If not, why not?
Did you know that your Guest access and external sharing controls are managed at the tenant level? As a result, security becomes ‘one size fits all’ rather than providing granular security controls based on Teams, Groups, and Sites’ confidentiality requirements.
For example:
- When guest access is enabled, Team owners can add external guests to all Microsoft Teams, Groups and SharePoint sites.
- When you create a new Team or a Group, the default SharePoint external sharing is set to New and existing guests unless your tenant setting is more restrictive. So Team members can share Team content externally.
Check out the information below to learn how you can use sensitivity labels to apply granular security controls to Teams, Groups, and Sites.
Why allow guest access to Microsoft Teams
Most organisations must collaborate with external parties, customers, suppliers or partners.
If IT has been overzealous and blocked guest access in Microsoft 365, then external collaboration will continue via shadow IT. In this scenario, you have lost control over external communications and collaboration.
A better way to manage the risk of external collaboration is to enable guest access in Microsoft 365. This way, you have complete control of managing and monitoring external communications and collaboration.
However, just enabling guest access in Microsoft 365 introduces the risk of data overexposure because when guest access is enabled, it is enabled for all Teams, Groups, and SharePoint team sites by default. Therefore, there is a risk that Team owners add guests to Groups and Teams with confidential and sensitive data that external people should not be able to access.
The way to mitigate this risk is to implement container sensitivity labels that allow or block guest access at the individual Group, Team, and Site level rather than at the tenant level.
What are Sensitivity labels for containers?
In addition to using sensitivity labels to protect Office files and emails, you can use sensitivity labels to protect containers: Microsoft Teams sites, Microsoft 365 Groups and SharePoint sites. Note that files stored in those containers do not inherit the labels. Container labels are complementary to item labels.
Sensitivity labels for containers provide the following configuration settings:
- Privacy (public or private) access
- External user access
- External sharing from SharePoint sites
- Access from unmanaged devices
- Authentication contexts
- A default sharing link for a SharePoint site (PowerShell-only configuration)
- Site sharing settings (PowerShell-only configuration)
The sensitivity label is displayed at the top of each Group, Team or Site. For example, the screenshot shows a sensitivity label indication on a Team.

These container sensitivity labels complement the sensitivity labels used to protect the content. The table below shows different use cases.
Functionality | Container label | Item label |
---|---|---|
Used with | Teams, Microsoft 365 Groups and SharePoint Sites | Office files, emails and Power BI items |
Visual indicator | Yes | Yes |
Default label | Yes | Yes |
Target labels to group of users | Yes | Yes |
Headers, footers & watermarks | No | Yes |
Encrypt items | No | Yes |
Automatically apply label | No | Yes |
Container privacy | Yes | No |
External sharing | Yes | No |
External guest access | Yes | No |
Access from unmanaged devices | Yes | No |
Default sharing scope & link | Yes | No |
Authentication context | Yes | No |
How can you control access to Groups, Teams and Sites?
Privacy
- Private
- Public
- User selects
External access
- Internal only (block guests)
- Allow guests
SharePoint site sharing settings
- Internal only
- Existing guests
- Existing & new guests
- Anyone
Access from unmanaged devices
- All
- Web-only
- Block
Default sharing scope for a SharePoint site
- Organisation
- Specific people
- Anyone
Default sharing link for a SharePoint site
- Edit
- View
Site sharing settings
- Site owners and members can share files, folders, and the site. People with Edit permissions can share files and folders.
- Site owners, members, and people with Edit permissions can share files and folders, but only site owners can share the site.
- Only site owners can share files, folders, and the site
Considerations for using Sensitivity labels to control access to Groups, Teams and Sites
- Update existing sensitivity labels for containers to apply external sharing controls.
- These labels do not apply to Yammer-created groups.
- Requires Azure AD Premium licensing.
- Example sensitivity labels for Teams.
- Once applied, only the owner of the Team can remove or change the sensitivity label.
- If you have parent/child sensitivity labels, then only the parent label is displayed on the Team.
- Multiple display languages are not supported.
- A default sensitivity label can be applied to all Teams
For more information, watch my Empowering Cloud video on Sensitivity Labels for Groups, Teams and Sites.
Enable Sensitivity labels to control access to Groups, Teams and Sites (Container labels)
Before creating your container labels, they must be enabled by your Global Administrator. This is a one-time action using MSGraph PowerShell to enable the container sensitivity labels and Exchange Online Protection PowerShell to synchronize labels to Purview.
Read the following Microsoft article for instructions: Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites | Microsoft Learn
Once enabled, the Groups and Sites option becomes available.

You can now create sensitivity labels with privacy and access control settings for Teams, SharePoint sites, and Microsoft 365 Groups.
Create sensitivity labels to control access to Groups, Teams and Sites
This is an overview of how to create sensitivity labels for groups, teams and sites.
Sensitivity label | Privacy | Guests | SharePoint sharing | Unmanaged devices | Authentication context |
---|---|---|---|---|---|
Public | Public | No | Internal | Yes | None |
Internal | Private | No | Internal | Yes | None |
External | Private | Yes | New & Existing guests | Web-only | Guests’ Terms of Use |
Highly Confidential | Private | No | Internal | Block | Enforce MFA |
From the Microsoft Purview Admin center https://compliance.microsoft.com
- Select Information Protection
- Select labels
- Create a label
- Add the name and tooltip for your label

Define the scope of this label
Sensitivity Labels are used for both items and Groups & Sites.
- Items = Configure protection settings for labelled emails, Office files, and Power BI items.
- Groups and sites = Configure privacy, access control, and other settings to protect labelled Teams, Microsoft 365 Groups, and SharePoint sites.
Important. If the Groups and sites option is still greyed out, then the Sensitivity labels for Groups, Teams and Sites have not been enabled.

Define the protection settings for groups and sites
The privacy and external user access settings
Tick both boxes to control both the external sharing settings and external guest access.

Define privacy and external user access settings
Privacy settings
- Public = Anyone can join. Users can search for and join public Teams, Groups or Sites.
- Private = Only the owners or admin can add members. Non-members cannot see Team, Group and Site names.
- None = The user selects Private or Public at the point of creation.
External user access
- Leave unticked if you want to stop guests from joining the Team, Group or Site.
- Tick to allow guests to join the Team, Group or Site.

Define external sharing and conditional access settings
Decide who can access the SharePoint Content
- Only people in your organisation = You cannot share content with external users or guests.
- Existing Guests = You can share content with guests who already have an Azure AD B2B account.
- New and existing guests = You can invite guests and share content with them.
- Anyone = You can share content with external users who are not guests in Teams.
Decide whether users can access labelled sites from unmanaged devices.

PowerShell only controls
The following controls can only be applied using PowerShell.
- Settings for the default sharing link and scope
- Site sharing permissions
Create your labels first and then update them via PowerShell using the Set-Label command. The -Identity is the unique id for the sensitivity label. For example:
Set the default sharing link type to Specific People:
Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultSharingScope="SpecificPeople"}
Set the default sharing link type permissions to Edit:
Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultShareLinkPermission="Edit"}
Set the Site sharing permissions to Only site owners can share files, folders, and the site:
Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{MembersCanShare="MemberShareNone"}
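The three PowerShell-only settings above can also be applied in one call and then read back to confirm they were stored. This is an added example, not code from the original article; the label display name is hypothetical, and the script assumes the ExchangeOnlineManagement module is installed and that each entry in the label's Settings property renders as "[key, value]".

```powershell
# Added example, not from the original article.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in
# account may edit sensitivity labels, and the label name below is hypothetical.
$labelDisplayName = 'Highly Confidential'

# The three PowerShell-only settings from the article, applied in one call.
$desired = @{
    DefaultSharingScope        = 'SpecificPeople'   # default sharing scope
    DefaultShareLinkPermission = 'Edit'             # default sharing link permission
    MembersCanShare            = 'MemberShareNone'  # only site owners can share
}

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

# Resolve the label by display name so the GUID is never typed by hand.
$label = @(Get-Label | Where-Object { $_.DisplayName -eq $labelDisplayName })
if ($label.Count -ne 1) {
    throw "Expected one label named '$labelDisplayName', found $($label.Count)."
}
$id = $label[0].Guid.ToString()

Set-Label -Identity $id -AdvancedSettings $desired

# Read the label back and collect any setting that was not stored.
# Assumption: each Settings entry renders as "[key, value]".
$stored  = @((Get-Label -Identity $id).Settings)
$missing = foreach ($key in $desired.Keys) {
    $pattern = [regex]::Escape($key) + '\W+' + [regex]::Escape($desired[$key]) + '\b'
    if (-not ($stored -match $pattern)) { $key }
}

if ($missing) {
    Write-Warning "Not applied on '$labelDisplayName': $($missing -join ', ')"
} else {
    Write-Output "All $($desired.Count) advanced settings confirmed on '$labelDisplayName'."
}
```

Running the read-back step on its own against each container label is a quick way to audit which labels still rely on the tenant's default sharing link and site sharing settings.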
Summary of why you need to use sensitivity labels to control access to Groups, Teams and Sites
The tenant defaults apply to all groups, teams and sites. These controls are either too permissive, which increases the risk of data over-exposure, or too restrictive, which increases the risk of the use of shadow IT. Productivity versus Security does not have to be one or the other. Use Microsoft Purview sensitivity labels to apply appropriate access to Groups, Teams and Sites based on the business need.
For a more detailed walk-through, watch my Enabling and creating sensitivity labels for Microsoft Teams, SharePoint and Microsoft 365 Groups on Empowering.Cloud.
Microsoft References
Assign sensitivity labels to groups – Azure AD – Microsoft Entra | Microsoft Learn