

Wondering how to stay on top of Microsoft Teams security? To answer that, we compare sensitivity labels in the Microsoft 365 compliance center with ShareGate Apricot’s group sensitivity labels.
Keeping organizational data secure is a top priority for IT admins today. And, according to Microsoft MVP Joanne Klein, one of the best ways to approach data security at scale is from the perspective of container governance: security and compliance policies applied at the level of Microsoft teams and Microsoft 365 groups.
Our engineers did a ton of research into container-level data protection while developing our latest ShareGate Apricot release. And a large part of that process included looking at unified sensitivity labeling in the Microsoft 365 compliance center to understand the capabilities and limitations of that feature.
To help you assess whether Microsoft Information Protection (MIP) sensitivity labels are the right fit for your organization, we decided to share what we learned and highlight some key differences between MIP sensitivity labels and ShareGate Apricot’s “Group sensitivity” feature.
Sensitivity labels in Microsoft 365 have been around for a while, with their evolution tracing back to Information Rights Management within Office 365, then Azure Information Protection (AIP) in the Azure portal, and finally, unified labeling through the Microsoft 365 compliance center.
Built-in sensitivity labels from the Microsoft Information Protection (MIP) framework are managed through a single portal—the Microsoft 365 compliance center—which unifies labeling and protection policy management across AIP, Microsoft 365, and Windows.
Sensitivity labels from the MIP solution let you classify and protect your organization’s data while making sure that user productivity and their ability to collaborate isn’t hindered.
You can use sensitivity labels from the MIP framework to:
Up until recently, it was only possible to apply sensitivity labels to emails or documents. Last year, Microsoft introduced the ability to use sensitivity labeling to classify and protect containers.
Now, in addition to using sensitivity labels to classify and protect documents and emails, you can also use sensitivity labeling to protect content in the following containers:
When you apply a sensitivity label to a supported container, the label automatically applies the classification and configured protection settings to the site or group.
For this container-level classification and protection, you can use the following label settings:
For example, you can create a sensitivity label for confidential information (maybe called “Confidential”) that, when applied during site or group creation, only allows users to create a site/group with a specific privacy setting—in this case, you’d probably want it to be private. Additionally, you might want to prevent external user access so that owners are prevented from adding people outside your organization.
Good to know:
Sensitivity labels applied at the container level serve a different purpose than sensitivity labeling for documents and emails—despite sharing a name and the ability to include settings for both scopes (“Files & emails” and “Groups & sites”) in the same sensitivity label.
Essentially, what makes them different is the level at which you apply them (defining the scope) and the additional licensing requirements to enable labeling at the group and site level. The fact is, the two scopes of sensitivity labelling are complementary; to really ensure your organizational data stays secure, it’s a good idea to use a combination of tactics.
As you’re probably aware by now, Microsoft Teams is closely tied to Microsoft 365 Groups and SharePoint Online team sites. So, if you’ve published sensitivity labels that have site and group settings enabled, those labels can also be applied to a team in Microsoft Teams.
Sensitivity labels function the same way in Teams as they do in SharePoint and Microsoft 365 Groups: depending on the label settings you’ve defined, a label will automatically apply changes to the team’s privacy, guest access, and access from unmanaged devices (the ability to control external sharing from SharePoint sites is currently in preview).
Once you’ve published sensitivity labels with “Groups & sites” settings enabled, users will be able to select from a list of those sensitivity labels when creating a new team in Microsoft Teams.
In the example below, the user chose the “Confidential” label we discussed above—which automatically eliminates the option to make this team public:
Source: https://docs.microsoft.com/en-us/microsoftteams/sensitivity-labels
By default, users are not required to select a sensitivity label. If users are creating tons of new teams in a hurry, they might choose to skip this step, in which case you’ll need to manually check for teams missing labels and follow up with those owners later.
Note: When publishing your sensitivity labels, you can choose to configure the corresponding label policy so that users are required to apply a sensitivity label when creating new groups or sites (and by extension, creating new teams). Head to the official Microsoft documentation to find more information on what label policies can do.
Once the team is created, the chosen sensitivity label then appears in the upper-right corner of all the team’s channels:
Source: https://docs.microsoft.com/en-us/microsoftteams/sensitivity-labels
The service automatically applies the same sensitivity label to the associated Microsoft 365 group and the connected SharePoint team site, as well.
Because the “Confidential” label settings don’t allow guest access, this team will only be available to users in your organization. People outside your organization can’t be added to the team.
Owners can change (or remove, depending on how your label policy is configured) the sensitivity label of their team at any time within the Microsoft Teams interface. In this example, if the owner later removed the “Confidential” label, the privacy settings of the team could then be changed to public and guest users could be invited to join the team. As an IT admin, you can also set or edit team sensitivity labels in the Microsoft Teams admin center.
When applying a more restrictive sensitivity label to an existing team, it’s important to note that existing guests will not automatically be removed as team members when a label setting is changed to disallow guest access—the setting will only apply to new guest access moving forward. If you’re starting to apply sensitivity labels to teams with existing guests, this is something to watch out for.
Good to know:
Using sensitivity labels with Teams enables IT admins to regulate access to sensitive organization content created during collaboration within teams and also allows you to set different security settings based on each team’s level of sensitivity. It’s a great feature for organizations with Azure AD premium licensing that are just moving into Microsoft Teams.
However, if your organization has been using Teams or Microsoft 365 Groups for a while, then you might find yourself frustrated with the amount of manual work involved in assigning labels to all your existing groups and teams—especially if you’re not a fan of PowerShell.
Not only that, but as an IT admin, you’re probably not the best person to determine the sensitivity level of every single team—you’re going to have to reach out to each team’s owner and either ask them to assign a label to their team in the Teams app or relay that information back to you. And if you ask them to assign a label themselves, what are the chances that everyone will actually follow through?
What if you want to apply custom security settings to each of your teams without having to jump through all those hoops?
ShareGate Apricot, our automated governance platform for Microsoft Teams, recently released a “Group sensitivity” feature that enables you to automatically apply custom security settings to your teams and Microsoft 365 groups depending on each one’s level of sensitivity.
You can now manage a Microsoft 365 group or team’s individual security settings directly in-app, giving you more granular control over each team’s security settings—and without the need for an Azure AD Premium license.
Edit security settings at the group/team level.
ShareGate Apricot enables you to manage the following security settings at the team level:
To make things easier and apply the correct security settings automatically, you can create your own group sensitivity labels in ShareGate Apricot with customized privacy status, external sharing, and guest access settings.
To help you get started, you can choose from the following default group sensitivity labels, which you can modify or even delete:
Create and edit group sensitivity labels in-app.
If you choose to create your own custom group sensitivity labels, be sure to also include a detailed description that clearly defines the corresponding group sensitivity level for users creating a new team (more on that in a minute!).
Add a description to help owners select the correct security settings.
Once you’ve defined your group sensitivity labels, you can manually add labels to a team or overwrite a selection made earlier by an owner.
Sounds great! But how is our group sensitivity labeling feature different from Microsoft’s container-level security labeling?
If your organization already has a ton of existing teams, then micromanaging the security settings of each team can still be a lot of time-consuming work for IT—especially if you’re not in a position to know the sensitivity level of every single team.
Never fear! ShareGate Apricot’s chatbot for Microsoft Teams is here!
In combination with “Group purpose“—our feature that helps you understand why owners create their teams—our conversational chatbot collects this information from owners directly in their flow of work in Microsoft Teams.
Shortly after an owner creates a new Microsoft 365 group—whether they do so by creating a new team in Microsoft Teams or via any of the other 19 ways to create a Microsoft 365 group—our chatbot will reach out to ask them for the group’s reason of creation and level of sensitivity.
The bot will present them with the options you’ve pre-populated as well as each one’s description, making it easy for owners to make an educated decision.
Owners pick the purpose and group sensitivity label that best fits their team.
You’ll now also be able to assess how much of a security risk that team poses to your business. But more importantly, once the owner has selected a group sensitivity label, the corresponding security settings will automatically be applied to their group/team.
That way, you can rest easy knowing that the appropriate controls have been applied from the moment the team is created.
Remember when we told you that owners can change a Microsoft 365 sensitivity label after it’s been applied to a site, group, or team? This can pose a security risk to your organizational data if you don’t catch a potentially harmful change in time.
ShareGate Apricot helps mitigate this risk by flagging sensitivity mismatches for you!
See potential security flaws so you can manually correct them.
Unlike sensitivity labels in Teams, owners can’t change a group sensitivity label once it’s been set. So, if an owner proceeds to change any of their team’s security settings after the group sensitivity label’s corresponding settings have been automatically applied—i.e., they labeled their team as “Confidential” and later changed the privacy status from private to public—ShareGate Apricot identifies the mismatch for you.
And unlike container-level sensitivity labels in Microsoft 365, when you change a team’s guest access settings in ShareGate Apricot to be more restrictive, all existing guests are automatically removed from the team.
Changes to a team’s group sensitivity label or security settings in ShareGate Apricot are applied right away—you don’t need to wait 24 hours for changes to take effect. So, you can spot potential security flaws in your environment and quickly correct the situation to avoid having your data fall into the wrong hands.
If your organization uses MIP sensitivity labels for documents and emails (with settings defined at the “Files & emails” scope in the sensitivity labeling wizard, you can use those capabilities in tandem with ShareGate Apricot’s group sensitivity label feature. As we mentioned for MIP container-level sensitivity labels above, the two scopes of labeling are complementary; depending on the needs of your organization, you may want to use ShareGate Apricot’s group sensitivity labels and MIP sensitivity labels for documents and emails together for maximum data protection.
Before you go, we know there’s a lot of information to parse through in the article above. We created this handy table to help you visualize the different functionalities that are available in the context of container-level sensitivity labeling.
Supported… | MIP sensitivity labels for groups & sites | ShareGate Apricot group sensitivity labels |
---|---|---|
CONTAINERS | ||
Microsoft Teams | ✔ | ✔ |
Microsoft 365 Groups | ✔ | ✔ |
SharePoint team sites | ✔ | ✔ |
SECURITY SETTINGS | ||
Privacy status | ✔ | ✔ |
Guest access | ✔ | ✔ |
External sharing | In preview | ✔ |
*CREATION LOCATION | ||
Microsoft Teams | ✔ | ✔ |
SharePoint Online | ✔ | ✔ |
Outlook | (Web client only) | ✔ |
Planner | ✔ | |
Power BI | ✔ | |
Stream | ✔ | |
Yammer | ✔ | |
LABEL MANAGEMENT | ||
**View applied labels | -SharePoint admin center (labels applied to sites) -Azure AD Portal (labels applied to groups) -Teams admin center (labels applied to teams) | In one centralized location in ShareGate Apricot |
**View changes to sensitivity label/settings | Flagged sensitivity mismatches appear in ShareGate Apricot’s dashboard. Groups with mismatches are also flagged in your full list of groups and when you look at an individual group’s details. | |
Change or remove an applied label | Team owners can change (or remove, depending on how your label policy is configured) their team’s sensitivity label at any time within the Teams interface | Only IT admins with access to ShareGate Apricot can change or remove a group sensitivity label once it has been applied to a team |
Time to apply changes | Up to 24 hours | Right away |
LICENSING | ||
At least one active Azure Premium P1 license | Included for free with your ShareGate Desktop license | |
INTEGRATION | ||
MIP sensitivity labeling for documents & emails | ✔ | ✔ |
ShareGate Apricot is easy to setup and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.
If you’re a ShareGate Desktop customer, then we have great news! Your subscription gives you full access to ShareGate Apricot at no extra charge! Activate your ShareGate Apricot account by signing in here. Make sure to have your ShareGate Desktop license key handy—you’ll need it complete your activation.
From SharePoint migration and content management to ongoing Microsoft Teams governance, ShareGate gives you everything you need to achieve successful Microsoft 365 deployment and adoption. Learn what’s included and how to get more from a ShareGate Productivity subscription.
If you’re ready start categorizing your groups and teams according to business purpose, take a look at our documentation to learn how to set it up!
Take a look at our support documentation to learn how to set up ShareGate Apricot!