Microsoft Teams security: Comparing Microsoft Information Protection unified labeling and ShareGate's sensitivity tags

Using sensitivity labels to protect sensitive content in Microsoft Teams sites, Microsoft 365 groups, and SharePoint sites

Now, in addition to using sensitivity labels to classify and protect documents and emails, you can also use sensitivity labeling to protect content in the following containers:

• Microsoft Teams sites
• Microsoft 365 groups
• SharePoint Online sites

When you apply a sensitivity label to a supported container, the label automatically applies the classification and configured protection settings to the site or group.

For this container-level classification and protection, you can use the following label settings:

• Privacy (public or private) of team sites and Microsoft 365 groups
• External user access
• Access from unmanaged devices
• External sharing from SharePoint sites (in preview)

For example, you can create a sensitivity label for confidential information (maybe called "Confidential") that, when applied during site or group creation, only allows users to create a site/group with a specific privacy setting—in this case, you'd probably want it to be private. Additionally, you might want to prevent external user access so that owners are prevented from adding people outside your organization.

Good to know:

• Content in these containers does not inherit the labels for the classification or settings for files and emails, such as visual markings and encryption. You need to make sure you've enabled sensitivity labels for Office files in SharePoint and OneDrive if you want users to be able to label their individual documents in SharePoint sites or team sites.
• Because this feature uses Azure AD functionality, your organization needs to have at least one active Azure Active Directory Premium P1 license. You can read more about Information Protection licensing requirements in the official Microsoft documentation.
• You need to enable sensitivity labels for containers (it's turned off by default) and synchronize your sensitivity labels to Azure AD by connecting to Security & Compliance Center PowerShell.
• Once you've published your sensitivity labels, users will have the option to set a sensitivity label when creating a new group, team, or site. Note that users are only given the option to add a sensitivity label when creating a Microsoft 365 group via specific supported workloads—namely, SharePoint, Microsoft Teams, Outlook (on the web and for Windows, macOS, iOS, and Android), Forms, Stream, and Planner.
• Microsoft recommends not changing the site and group settings for a sensitivity label after the label has been applied to teams, groups, or sites. If you do, remember that it will take 24 hours for the changes to be applied to all containers that have the label.

Sensitivity labels applied at the container level serve a different purpose than sensitivity labeling for documents and emails—despite sharing a name and the ability to include settings for both scopes ("Files & emails" and "Groups & sites") in the same sensitivity label.

Essentially, what makes them different is the level at which you apply them (defining the scope) and the additional licensing requirements to enable labeling at the group and site levels. The fact is, the two scopes of sensitivity labelling are complementary; to really ensure your organizational data stays secure, it's a good idea to use a combination of tactics.

Sensitivity labels in Microsoft Teams

As you're probably aware by now, Microsoft Teams is closely tied to Microsoft 365 Groups and SharePoint Online team sites. So, if you've published sensitivity labels that have site and group settings enabled, those labels can also be applied to a team in Microsoft Teams.

Sensitivity labels function the same way in Teams as they do in SharePoint and Microsoft 365 Groups: depending on the label settings you've defined, a label will automatically apply changes to the team's privacy, guest access, and access from unmanaged devices (the ability to control external sharing from SharePoint sites is currently in preview).

Once you've published sensitivity labels with "Groups & sites" settings enabled, users will be able to select from a list of those sensitivity labels when creating a new team in Microsoft Teams.

In the example below, the user chose the "Confidential" label we discussed above—which automatically eliminates the option to make this team public:

Source: https://docs.microsoft.com/en-us/microsoftteams/sensitivity-labels

By default, users are not required to select a sensitivity label. If users are creating tons of new teams in a hurry, they might choose to skip this step, in which case you'll need to manually check for teams missing labels and follow up with those owners later.

Note: When publishing your sensitivity labels, you can choose to configure the corresponding label policy so that users are required to apply a sensitivity label when creating new groups or sites (and by extension, creating new teams). Head to the official Microsoft documentation to find more information on what label policies can do.

Once the team is created, the chosen sensitivity label then appears in the upper-right corner of all the team's channels:

Source: https://docs.microsoft.com/en-us/microsoftteams/sensitivity-labels

The service automatically applies the same sensitivity label to the associated Microsoft 365 group and the connected SharePoint team site, as well.

Because the "Confidential" label settings don't allow guest access, this team will only be available to users in your organization. People outside your organization can't be added to the team.

Owners can change (or remove, depending on how your label policy is configured) the sensitivity label of their team at any time within the Microsoft Teams interface. In this example, if the owner later removed the "Confidential" label, the privacy settings of the team could then be changed to public and guest users could be invited to join the team. As an IT admin, you can also set or edit team sensitivity labels in the Microsoft Teams admin center.

When applying a more restrictive sensitivity label to an existing team, it's important to note that existing guests will not automatically be removed as team members when a label setting is changed to disallow guest access—the setting will only apply to new guest access moving forward. If you're starting to apply sensitivity labels to teams with existing guests, this is something to watch out for.

Good to know:

• Currently, users are not able to apply sensitivity labels on teams created directly through Graph APIs, PowerShell cmdlets, and templates.
• Changes made to sensitivity labels outside the Teams app (i.e., by an IT admin) can take up to 24 hours to reflect in the Teams app. Additionally, any changes to a label made directly to a team's associated group or SharePoint site collection can take up to 24 hours to propagate to the Teams app.

Using sensitivity labels with Teams enables IT admins to regulate access to sensitive organization content created during collaboration within teams and also allows you to set different security settings based on each team's level of sensitivity. It's a great feature for organizations with Azure AD premium licensing that are just moving into Microsoft Teams.

However, if your organization has been using Teams or Microsoft 365 Groups for a while, then you might find yourself frustrated with the amount of manual work involved in assigning labels to all your existing groups and teams—especially if you're not a fan of PowerShell.

Not only that, but as an IT admin, you're probably not the best person to determine the sensitivity level of every single team—you're going to have to reach out to each team's owner and either ask them to assign a label to their team in the Teams app or relay that information back to you. And if you ask them to assign a label themselves, what are the chances that everyone will actually follow through?

Apply sensitivity tags to automatically control security settings at the team level

If your organization already has a ton of existing teams, then micromanaging the security settings of each team can still be a lot of time-consuming work for IT—especially if you're not in a position to know the sensitivity level of every single team.

Never fear! ShareGate's chatbot for Microsoft Teams is here!

In combination with "Group purpose"—our feature that helps you understand why owners create their teams—our conversational chatbot collects this information from owners directly in their flow of work in Microsoft Teams.

Shortly after an owner creates a new Microsoft 365 group—whether they do so by creating a new team in Microsoft Teams or via any of the other 19 ways to create a Microsoft 365 group—our chatbot will reach out to ask them for the group’s reason of creation and level of sensitivity.

The bot will present them with the options you’ve pre-populated as well as each one’s description, making it easy for owners to make an educated decision.

Owners pick the purpose and group sensitivity label that best fits their team.

You’ll now also be able to assess how much of a security risk that team poses to your business. But more importantly, once the owner has selected a sensitivity tag, the corresponding security settings will automatically be applied to their group/team.

That way, you can rest easy knowing that the appropriate controls have been applied from the moment the team is created.

Want owners to only assign a purpose OR a sensitivity tag and not both? You can do that easily now that we’ve split up the policies. 

Simply go to Categorization in Policies and toggle on the automation for the policy you want. 

1. Purpose tag to identify the business purpose of a team/group 
2. Sensitivity tag to identify the sensitivity level of the team/group, and automatically apply the right security settings to it 

Detect and correct sensitivity mismatches to enforce your security settings

Remember when we told you that owners can change a Microsoft 365 sensitivity label after it's been applied to a site, group, or team? This can pose a security risk to your organizational data if you don't catch a potentially harmful change in time.

ShareGate helps mitigate this risk by flagging sensitivity mismatches for you!

See potential security flaws so you can manually correct them.

Unlike sensitivity labels in Teams, owners can't change a ShareGate sensitivity tag once it's been set. So, if an owner proceeds to change any of their team's security settings after the sensitivity tag's corresponding settings have been automatically applied—i.e., they labeled their team as "Confidential" and later changed the privacy status from private to public—ShareGate identifies the mismatch for you.

And unlike container-level sensitivity labels in Microsoft 365, when you change a team's guest access settings in ShareGate to be more restrictive, all existing guests are automatically removed from the team.

Changes to a team's sensitivity tag or security settings in ShareGate are applied right away—you don't need to wait 24 hours for changes to take effect. So, you can spot potential security flaws in your environment and quickly correct the situation to avoid having your data fall into the wrong hands.

If your organization uses MIP sensitivity labels for documents and emails (with settings defined at the "Files & emails" scope in the sensitivity labeling wizard), you can use those capabilities in tandem with ShareGate's sensitivity tag feature.

As we mentioned for MIP container-level sensitivity labels above, the two scopes of labeling are complementary; depending on the needs of your organization, you may want to use ShareGate's sensitivity tags at the container level and MIP sensitivity labels for documents and emails together for maximum data protection.