

Wondering how to get started using sensitivity labels with Microsoft Teams? If you’re ready to start protecting your organization’s Teams content with unified labeling in Microsoft 365, follow these steps!
When it comes to keeping sensitive data secure in Microsoft Teams, Microsoft 365 now has a built-in feature that lets you classify and protect your data at the container-level: sensitivity labels through the Microsoft Information Protection (MIP) solution.
With sensitivity labels in Microsoft 365, you can classify data across your organization and enforce protection settings based on that classification. And when viewed by users, a sensitivity label appears as a tag in apps that they use—such as Microsoft Teams—and can be easily integrated into their existing workflows.
Sensitivity labels applied at the container level enable Microsoft Teams admins to protect and regulate access to sensitive organizational content created during collaboration within teams. And since they can be applied at the level of an individual team, there’s no need to apply unnecessary blanket restrictions that could negatively impact user adoption and result in people turning to other, un-approved tools.
If you’re ready to start protecting your organization’s Teams data with sensitivity labels in Microsoft 365, then follow the steps in this handy how-to guide to get started!
Follow these steps to get started using sensitivity labels with Microsoft Teams:
To apply published labels to groups (and, by extension, teams), you first need to enable the feature in Azure AD. You will also need to synchronize your sensitivity labels to Azure AD.
Once you’ve enabled sensitivity labels for containers, you can now configure protection settings for groups and sites in the Microsoft 365 compliance center.
To make a new sensitivity label visible for users in teams, groups, and sites, publish it by creating a label policy in the Microsoft 365 compliance center.
Collaborating with external users in Teams? Download our latest eBook, Sharing is caring: A ShareGate guide to creating a productive and secure guest sharing environment in Microsoft Teams.
Sensitivity labeling for containers (i.e., groups and sites) needs to be enabled before you can configure these settings in the sensitivity labeling wizard and requires at least one active Azure Active Directory Premium P1 license in your Azure AD organization.
Follow these steps to enable the feature in Azure AD:
1. Open a Windows PowerShell window on your computer. Note that you do not need to open it with elevated privileges.
2. Run the following commands to prepare to run the cmdlets:
Import-Module AzureADPreview
Connect-AzureAD
In the Sign in to your account page, enter your admin account and password to connect you to your service, then select Sign in.
3. Retrieve the current group settings for your Azure AD organization by running the following cmdlets:
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
Note: If no group settings have been created for your Azure AD organization, you will get an error that reads “Cannot bind argument to parameter ‘Id’ because it is null”. In this case, you’ll need to first create the settings. You can configure group settings using PowerShell—simply follow the steps in Microsoft’s Azure Active Directory cmdlets for configuring group settings documentation.
4. Next, run the following cmdlet to display the current group settings:
$Setting.Values
5. Then, enable the feature:
$Setting["EnableMIPLabels"] = "True"
6. Finally, save the changes and apply the settings:
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
You will also need to synchronize your sensitivity labels to Azure AD by following these instructions:
1. Connect to Security & Compliance PowerShell using the Exchange Online PowerShell V2 module.
Note: To use the older, less secure remote PowerShell connection instructions that will eventually be deprecated, see Microsoft’s Basic auth – Connect to Security & Compliance Center PowerShell documentation.
To use the older Exchange Online Remote PowerShell Module to connect to Security & Compliance Center PowerShell using MFA, see Microsoft’s V1 module – Connect to Security & Compliance Center PowerShell using MFA documentation. However, this older module will eventually be retired.
2. Next, run the following command to ensure your sensitivity labels can be used with Microsoft 365 groups:
Execute-AzureAdLabelSync
Once you’ve enabled sensitivity labels for containers, you can now configure protection settings for groups and sites in the sensitivity labeling wizard in the Microsoft 365 compliance center (Solutions > Information protection).
Until you enable this support, the settings are visible in the wizard, but you can’t configure them:
Once enabled, you can configure protection settings for “Groups & sites” and “Files & emails” within a single sensitivity label:
For example, if you want to have one label called “Confidential”, you can configure the “Files & emails” settings to apply content marking to any documents with that label and you can also configure the “Groups & sites” settings to restrict external access when that label is applied to a container.
You can also separate your labels by scope if you choose to. When only the “Groups & sites” scope is selected for a label, the label won’t be displayed in Office apps that support sensitivity labels and can’t be applied to files and emails.
According to Microsoft, the separation of labels can be helpful for both users and administrators but can also add to the complexity of your label deployment. It really depends what will work best for you!
For the purposes of this blog article, we’re going to focus on the “Groups & sites” settings for a sensitivity label.
1. In your labeling admin center, navigate to sensitivity labels.
Follow the instructions related to the admin center your organization currently uses:
2. On the Labels page, click on + Create a label to open the New sensitivity label wizard.
Note: You can also choose to configure “Groups & sites” protection settings for an existing sensitivity label. To edit an existing label, select it, and then select the Edit label button. You can then jump ahead to step 4.
3. On the Name and create a tooltip for your label page, clarify the purpose of your new sensitivity label by filling out the Name, Display name, and Description for users fields.
Pay special attention to the Display name and Descriptions for users fields, as this is what users will see in the apps where it’s published. Then, click Next.
4. On the Define the scope for this label page, the selected options determine the label’s scope for the settings that you can configure and where they will be visible when they are published.
Since we’re focusing on how to use sensitivity labels with Teams in this scenario, check the box next to Groups & sites. Then, click Next.
5. On the Define protection settings for groups and sites page, select one or both of the following options, then click Next.
Select:
6. If you selected Privacy and external user access settings, you will now be prompted to configure these settings:
Privacy settings:
The Public and Private settings set and lock the privacy setting when you apply this label to a container. Your chosen setting will automatically replace any previous privacy setting that might be configured for the team and locks the privacy value so that it can only be changed by first removing the sensitivity label.
If a label is removed, the privacy setting from the label remains, but the team owner has the power to change it again.
External user access settings:
When you’re finished, click Next.
7. If you selected Device access and external sharing setting, you will be prompted to configure these settings on the next page:
Control external sharing from labeled SharePoint sites setting:
Access from unmanaged devices setting:
Note: As you can see from the image above, you also need to configure the SharePoint feature that blocks or limits access to SharePoint files from unmanaged devices in order for this setting to work. You can find more information on how to control access from unmanaged devices in Microsoft’s official SharePoint documentation.
When you’re finished configuring settings on this page, click Next.
8. Follow the prompts in the labeling wizard until you get to the Review your settings and finish page. If everything is configured how you want it, click on Create label.
The final step is to publish the sensitivity labels you’ve created by adding them to a sensitivity label policy (also done in the Microsoft 365 compliance center > Solutions > Information protection).
The users who are assigned a sensitivity label policy that includes these labels will be able to select one of them for sites, groups—and, by extension, teams.
1. In your labeling admin center, navigate to sensitivity labels and select the Label policies tab, then click on Publish labels to start the Create policy wizard:
2. In the wizard, click on Choose sensitivity labels to publish. Select the labels that you want to make available in apps and to services—in this scenario, in Teams—and then click on Add.
3. Review the selected labels. Select Edit if you want to make any changes. Otherwise, click Next.
4. On the Publish to users and groups page, decide who you want to make your selected labels available to. If you want to publish them to all users and groups, then you can just click Next.
However, if you want to make the selected labels available to specific users, distribution groups, mail-enabled security groups, or Microsoft 365 groups, then select Choose users or groups and follow the prompts before continuing.
5. Follow the prompts to configure the policy settings, then click Next.
The policy settings that you see match the scope of the labels that you selected.
In this scenario, since our selected label only has the Groups & sites scope, you should see the following policy settings:
Check out the official Microsoft documentation for more details on what label policies can do.
6. Follow the prompts in the wizard to give your policy a name and review your settings. When you’re finished, click on Submit.
Completing the wizard automatically publishes the label policy. The users who are assigned this sensitivity label policy will now be able to see the included label and be able to select it for sites and groups—as well as teams in Microsoft Teams!
Configuring and publishing sensitivity labels so they can be used with Microsoft Teams enables you to classify and protect sensitive data at the container level—in this case, at the level of individual teams. By integrating the sensitivity labeling feature directly within users regular workflow in Teams, you can stay on top of security without standing in the way of end user productivity.
It’s a win-win situation—for end users, and for IT!
If you haven't tried our automated governance platform for Microsoft Teams and Microsoft 365 Groups, what are you waiting for? ShareGate Apricot is easy to setup and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.
Guide users towards secure and productive collaboration in Microsoft Teams while keeping a close eye on what's going on—so you can easily course-correct as you scale. Get full visibility across each team’s lifecycle—from creation all the way through to sunset. And make sure the right users have access to the right things by applying custom-fit security settings based on each team's level of sensitivity and scheduling periodic reviews so team owners can validate external sharing links.
If you’re a ShareGate Desktop customer, then we have great news! Your subscription gives you full access to ShareGate Apricot at no extra charge! Activate your ShareGate Apricot account by signing in here. Make sure to have your ShareGate Desktop license key handy—you’ll need it complete your activation.
Make Teams everyone's favorite tool, with governance that scales with you. See for yourself with a free 30-day trial.