Guide: How to use / apply sensitivity labels with Microsoft Teams

Wondering how to get started using sensitivity labels with Microsoft Teams? If you’re ready to start protecting your organization’s Teams content with unified labeling in Microsoft 365, follow these steps!

When it comes to keeping sensitive data secure in Microsoft Teams, Microsoft 365 now has a built-in feature that lets you classify and protect your data at the container-level: sensitivity labels through the Microsoft Information Protection (MIP) solution.

Related reading: Secure collaboration & governance best practices for Microsoft Teams

With sensitivity labels in Microsoft 365, you can classify data across your organization and enforce protection settings based on that classification. And when viewed by users, a sensitivity label appears as a tag in apps that they use—such as Microsoft Teams—and can be easily integrated into their existing workflows.

Sensitivity labels applied at the container level enable Microsoft Teams admins to protect and regulate access to sensitive organizational content created during collaboration within teams. And since they can be applied at the level of an individual team, there’s no need to apply unnecessary blanket restrictions that could negatively impact user adoption and result in people turning to other, un-approved tools.

If you’re ready to start protecting your organization’s Teams data with sensitivity labels in Microsoft 365, then follow the steps in this handy how-to guide to get started!

1. Enable sensitivity labels for containers and synchronize labels

Sensitivity labeling for containers (i.e., groups and sites) needs to be enabled before you can configure these settings in the sensitivity labeling wizard and requires at least one active Azure Active Directory Premium P1 license in your Azure AD organization.

Enable sensitivity labels for containers in Azure Active Directory

Follow these steps to enable the feature in Azure AD:

1. Open a Windows PowerShell window on your computer. Note that you do not need to open it with elevated privileges.

2. Run the following commands to prepare to run the cmdlets:

Import-Module AzureADPreview
Connect-AzureAD

In the Sign in to your account page, enter your admin account and password to connect you to your service, then select Sign in.

3. Retrieve the current group settings for your Azure AD organization by running the following cmdlets:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

4. Next, run the following cmdlet to display the current group settings:

$Setting.Values

5. Then, enable the feature:

$Setting["EnableMIPLabels"] = "True"

6. Finally, save the changes and apply the settings:

Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Synchronize your sensitivity labels to Azure Active Directory

You will also need to synchronize your sensitivity labels to Azure AD by following these instructions:

1. Connect to Security & Compliance PowerShell using the Exchange Online PowerShell V2 module.

2. Next, run the following command to ensure your sensitivity labels can be used with Microsoft 365 groups:

Execute-AzureAdLabelSync

2. Configure “Groups & sites” settings in the sensitivity labeling wizard

Once you’ve enabled sensitivity labels for containers, you can now configure protection settings for groups and sites in the sensitivity labeling wizard in the Microsoft 365 compliance center (Solutions > Information protection).

Until you enable this support, the settings are visible in the wizard, but you can’t configure them:

Once enabled, you can configure protection settings for “Groups & sites” and “Files & emails” within a single sensitivity label:

For example, if you want to have one label called “Confidential”, you can configure the “Files & emails” settings to apply content marking to any documents with that label and you can also configure the “Groups & sites” settings to restrict external access when that label is applied to a container.

You can also separate your labels by scope if you choose to. When only the “Groups & sites” scope is selected for a label, the label won’t be displayed in Office apps that support sensitivity labels and can’t be applied to files and emails.

For the purposes of this blog article, we’re going to focus on the “Groups & sites” settings for a sensitivity label.

Follow these steps to configure “Groups & sites” settings for a sensitivity label:

1. In your labeling admin center, navigate to sensitivity labels.

Follow the instructions related to the admin center your organization currently uses:

• Microsoft 365 compliance center:
  • Solutions > Information protection (If you don’t immediately see this option, first select Show all)
• Microsoft 365 security center:
  • Classification > Sensitivity labels
• Security & Compliance Center:
  • Classification > Sensitivity labels

2. On the Labels page, click on + Create a label to open the New sensitivity label wizard.

3. On the Name and create a tooltip for your label page, clarify the purpose of your new sensitivity label by filling out the Name, Display name, and Description for users fields.

Pay special attention to the Display name and Descriptions for users fields, as this is what users will see in the apps where it’s published. Then, click Next.

4. On the Define the scope for this label page, the selected options determine the label’s scope for the settings that you can configure and where they will be visible when they are published.

• If Files & emails is selected, you can configure settings in this wizard that apply to apps that support sensitivity labels, such as Office Word and Outlook. If this option isn’t selected, the wizard will display the first page of these settings but you won’t be able to configure them and the labels won’t be available for users to select in these apps.
• If Groups & sites is selected, you configure settings in this wizard that apply to Microsoft 365 groups and sites for Teams and SharePoint. If this option isn’t selected, the wizard will display the first page of these settings but you won’t be able to configure them and the labels won’t be available for users to select for groups ad sites.

Since we’re focusing on how to use sensitivity labels with Teams in this scenario, check the box next to Groups & sites. Then, click Next.

5. On the Define protection settings for groups and sites page, select one or both of the following options, then click Next.

Select:

• Privacy and external user access settings to configure the Privacy and External users access settings.
• Device access and external sharing settings to configure the Control external sharing from labeled SharePoint sites and Access from unmanaged devices setting.

6. If you selected Privacy and external user access settings, you will now be prompted to configure these settings:

Privacy settings:

• Keep the default setting of Public if you want anyone in your organization to be able to access the team where this label is applied.
• Choose Private if you want access to be restricted to only approved members in your organization.
• Select None for situations where you want to protect content in the container by using the sensitivity label, but you still want to let users configure the privacy settings of the team themselves.

The Public and Private settings set and lock the privacy setting when you apply this label to a container. Your chosen setting will automatically replace any previous privacy setting that might be configured for the team and locks the privacy value so that it can only be changed by first removing the sensitivity label.

If a label is removed, the privacy setting from the label remains, but the team owner has the power to change it again.

External user access settings:

• Control whether or not the team owner will be allowed to add guests to the group. By default, this box is unchecked.

When you’re finished, click Next.

7. If you selected Device access and external sharing setting, you will be prompted to configure these settings on the next page:

Control external sharing from labeled SharePoint sites setting:

• Select this option to then select either:
  • External sharing for anyone
  • New and existing guests
  • Existing guests
  • Only people in your organization.
• This setting is currently in preview.

Access from unmanaged devices setting:

• This setting allows you to determine whether users can access SharePoint sites from unmanaged devices (devices that aren’t hybrid Azure AD joined or enrolled in Intune).
• Select either:
  • Allow full access from desktop apps, mobile apps, and the web
  • Allow limited, web-only access
  • Block access

When you’re finished configuring settings on this page, click Next.

8. Follow the prompts in the labeling wizard until you get to the Review your settings and finish page. If everything is configured how you want it, click on Create label.

3. Publish sensitivity labels that are configured for sites and groups

The final step is to publish the sensitivity labels you’ve created by adding them to a sensitivity label policy (also done in the Microsoft 365 compliance center > Solutions > Information protection).

The users who are assigned a sensitivity label policy that includes these labels will be able to select one of them for sites, groups—and, by extension, teams.

Follow these steps to publish sensitivity labels by creating a label policy:

1. In your labeling admin center, navigate to sensitivity labels and select the Label policies tab, then click on Publish labels to start the Create policy wizard:

2. In the wizard, click on Choose sensitivity labels to publish. Select the labels that you want to make available in apps and to services—in this scenario, in Teams—and then click on Add.

3. Review the selected labels. Select Edit if you want to make any changes. Otherwise, click Next.

4. On the Publish to users and groups page, decide who you want to make your selected labels available to. If you want to publish them to all users and groups, then you can just click Next.

However, if you want to make the selected labels available to specific users, distribution groups, mail-enabled security groups, or Microsoft 365 groups, then select Choose users or groups and follow the prompts before continuing.

5. Follow the prompts to configure the policy settings, then click Next.

The policy settings that you see match the scope of the labels that you selected.

In this scenario, since our selected label only has the Groups & sites scope, you should see the following policy settings:

• Apply this label by default to groups and sites
• Require users to apply a label to their groups and sites

Check out the official Microsoft documentation for more details on what label policies can do.

6. Follow the prompts in the wizard to give your policy a name and review your settings. When you’re finished, click on Submit.

Completing the wizard automatically publishes the label policy. The users who are assigned this sensitivity label policy will now be able to see the included label and be able to select it for sites and groups—as well as teams in Microsoft Teams!

Configuring and publishing sensitivity labels so they can be used with Microsoft Teams enables you to classify and protect sensitive data at the container level—in this case, at the level of individual teams. By integrating the sensitivity labeling feature directly within users regular workflow in Teams, you can stay on top of security without standing in the way of end user productivity.

It’s a win-win situation—for end users, and for IT!