Microsoft Teams security: Comparing Microsoft Information Protection unified labeling and ShareGate Apricot’s ‘Group sensitivity’ feature

Wondering how to stay on top of Microsoft Teams security? To answer that, we compare sensitivity labels in the Microsoft 365 compliance center with ShareGate Apricot’s group sensitivity labels.

Keeping organizational data secure is a top priority for IT admins today. And, according to Microsoft MVP Joanne Klein, one of the best ways to approach data security at scale is from the perspective of container governance: security and compliance policies applied at the level of Microsoft teams and Microsoft 365 groups. 

Our engineers did a ton of research into container-level data protection while developing our latest ShareGate Apricot release. And a large part of that process included looking at unified sensitivity labeling in the Microsoft 365 compliance center to understand the capabilities and limitations of that feature.

To help you assess whether Microsoft Information Protection (MIP) sensitivity labels are the right fit for your organization, we decided to share what we learned and highlight some key differences between MIP sensitivity labels and ShareGate Apricot’s “Group sensitivity” feature.

Try ShareGate Apricot in your tenant for free.

Get started

Sensitivity labels in the Microsoft 365 compliance center

Sensitivity labels in Microsoft 365 have been around for a while, with their evolution tracing back to Information Rights Management within Office 365, then Azure Information Protection (AIP) in the Azure portal, and finally, unified labeling through the Microsoft 365 compliance center.

Built-in sensitivity labels from the Microsoft Information Protection (MIP) framework are managed through a single portal—the Microsoft 365 compliance center—which unifies labeling and protection policy management across AIP, Microsoft 365, and Windows.

You can use sensitivity labels from the MIP framework to:

• Enforce protection settings like encryption or watermarks on labelled content
• Protect Office 365 content across platforms and devices
• Extend sensitivity labels to protect content in third-party apps and services
• Protect containers that include Teams, Microsoft 365 groups, and SharePoint sites (requires an Azure AD Premium P1 license)

Up until recently, it was only possible to apply sensitivity labels to emails or documents. Last year, Microsoft introduced the ability to use sensitivity labeling to classify and protect containers.

Using sensitivity labels to protect sensitive content in Microsoft Teams sites, Microsoft 365 groups, and SharePoint sites

Now, in addition to using sensitivity labels to classify and protect documents and emails, you can also use sensitivity labeling to protect content in the following containers:

• Microsoft Teams sites
• Microsoft 365 groups
• SharePoint Online sites

When you apply a sensitivity label to a supported container, the label automatically applies the classification and configured protection settings to the site or group.

For this container-level classification and protection, you can use the following label settings:

• Privacy (public or private) of team sites and Microsoft 365 groups
• External user access
• Access from unmanaged devices
• External sharing from SharePoint sites (in preview)

For example, you can create a sensitivity label for confidential information (maybe called “Confidential”) that, when applied during site or group creation, only allows users to create a site/group with a specific privacy setting—in this case, you’d probably want it to be private. Additionally, you might want to prevent external user access so that owners are prevented from adding people outside your organization.

Good to know:

• Content in these containers do not inherit the labels for the classification or settings for files and emails, such as visual markings and encryption. You need to make sure you’ve enabled sensitivity labels for Office files in SharePoint and OneDrive if you want users to be able to label their individual documents in SharePoint sites or team sites.
• Because this feature uses Azure AD functionality, your organization needs to have at least one active Azure Active Directory Premium P1 license. You can read more about Information Protection licensing requirements in the official Microsoft documentation.
• You need to enable sensitivity labels for containers (it’s turned off by default) and synchronize your sensitivity labels to Azure AD by connecting to Security & Compliance Center PowerShell.
• Once you’ve published your sensitivity labels, users will have the option to set a sensitivity label when creating a new group, team, or site. Note that users are only given the option to add a sensitivity label when creating a Microsoft 365 group via specific supported workloads—namely, SharePoint, Microsoft Teams, Outlook (on the web and for Windows, macOS, iOS, and Android), Forms, Stream, and Planner.
• Microsoft recommends not changing the site and group settings for a sensitivity label after the label has been applied to teams, groups, or sites. If you do, remember that it will take 24 hours for the changes to be applied to all containers that have the label.

Sensitivity labels applied at the container level serve a different purpose than sensitivity labeling for documents and emails—despite sharing a name and the ability to include settings for both scopes (“Files & emails” and “Groups & sites”) in the same sensitivity label.

Essentially, what makes them different is the level at which you apply them (defining the scope) and the additional licensing requirements to enable labeling at the group and site level. The fact is, the two scopes of sensitivity labelling are complementary; to really ensure your organizational data stays secure, it’s a good idea to use a combination of tactics.

Sensitivity labels in Microsoft Teams

As you’re probably aware by now, Microsoft Teams is closely tied to Microsoft 365 Groups and SharePoint Online team sites. So, if you’ve published sensitivity labels that have site and group settings enabled, those labels can also be applied to a team in Microsoft Teams.

Sensitivity labels function the same way in Teams as they do in SharePoint and Microsoft 365 Groups: depending on the label settings you’ve defined, a label will automatically apply changes to the team’s privacy, guest access, and access from unmanaged devices (the ability to control external sharing from SharePoint sites is currently in preview).

Once you’ve published sensitivity labels with “Groups & sites” settings enabled, users will be able to select from a list of those sensitivity labels when creating a new team in Microsoft Teams.

In the example below, the user chose the “Confidential” label we discussed above—which automatically eliminates the option to make this team public:

Source: https://docs.microsoft.com/en-us/microsoftteams/sensitivity-labels

By default, users are not required to select a sensitivity label. If users are creating tons of new teams in a hurry, they might choose to skip this step, in which case you’ll need to manually check for teams missing labels and follow up with those owners later.

Once the team is created, the chosen sensitivity label then appears in the upper-right corner of all the team’s channels:

Source: https://docs.microsoft.com/en-us/microsoftteams/sensitivity-labels

The service automatically applies the same sensitivity label to the associated Microsoft 365 group and the connected SharePoint team site, as well.

Because the “Confidential” label settings don’t allow guest access, this team will only be available to users in your organization. People outside your organization can’t be added to the team.

Owners can change (or remove, depending on how your label policy is configured) the sensitivity label of their team at any time within the Microsoft Teams interface. In this example, if the owner later removed the “Confidential” label, the privacy settings of the team could then be changed to public and guest users could be invited to join the team. As an IT admin, you can also set or edit team sensitivity labels in the Microsoft Teams admin center.

When applying a more restrictive sensitivity label to an existing team, it’s important to note that existing guests will not automatically be removed as team members when a label setting is changed to disallow guest access—the setting will only apply to new guest access moving forward. If you’re starting to apply sensitivity labels to teams with existing guests, this is something to watch out for.

Good to know:

• Currently, users are not able to apply sensitivity labels on teams created directly through Graph APIs, PowerShell cmdlets, and templates.
• Changes made to sensitivity labels outside the Teams app (i.e., by an IT admin) can take up to 24 hours to reflect in the Teams app. Additionally, any changes to a label made directly to a team’s associated group or SharePoint site collection can take up to 24 hours to propagate to the Teams app.

Using sensitivity labels with Teams enables IT admins to regulate access to sensitive organization content created during collaboration within teams and also allows you to set different security settings based on each team’s level of sensitivity. It’s a great feature for organizations with Azure AD premium licensing that are just moving into Microsoft Teams.

However, if your organization has been using Teams or Microsoft 365 Groups for a while, then you might find yourself frustrated with the amount of manual work involved in assigning labels to all your existing groups and teams—especially if you’re not a fan of PowerShell.

Not only that, but as an IT admin, you’re probably not the best person to determine the sensitivity level of every single team—you’re going to have to reach out to each team’s owner and either ask them to assign a label to their team in the Teams app or relay that information back to you. And if you ask them to assign a label themselves, what are the chances that everyone will actually follow through?

Secure Microsoft Teams with ShareGate Apricot’s “Group sensitivity” feature

What if you want to apply custom security settings to each of your teams without having to jump through all those hoops?

ShareGate Apricot, our automated governance platform for Microsoft Teams, recently released a “Group sensitivity” feature that enables you to automatically apply custom security settings to your teams and Microsoft 365 groups depending on each one’s level of sensitivity.

You can now manage a Microsoft 365 group or team’s individual security settings directly in-app, giving you more granular control over each team’s security settings—and without the need for an Azure AD Premium license.

Edit security settings at the group/team level.

ShareGate Apricot enables you to manage the following security settings at the team level:

Ensure external users have access to the right things in Teams.

Learn more

• Privacy status: Set to “Public” or “Private”
• External sharing: Set to “Anyone”, “New and existing guest”, “Existing guests”, or “Only people in your organization”
• Guest access: Set to “Guests allowed” or “Guests not allowed”

To make things easier and apply the correct security settings automatically, you can create your own group sensitivity labels in ShareGate Apricot with customized privacy status, external sharing, and guest access settings.

To help you get started, you can choose from the following default group sensitivity labels, which you can modify or even delete:

• General: Sets the group/team to public, allows external sharing with anyone, and enables guest access
• Confidential: Sets the group/team to private, only allows external sharing with new and existing guests, and disables guest access
• Highly confidential: Sets the group/team to private and disables external sharing and guest access

Create and edit group sensitivity labels in-app.

If you choose to create your own custom group sensitivity labels, be sure to also include a detailed description that clearly defines the corresponding group sensitivity level for users creating a new team (more on that in a minute!).

Add a description to help owners select the correct security settings.

Once you’ve defined your group sensitivity labels, you can manually add labels to a team or overwrite a selection made earlier by an owner.

Sounds great! But how is our group sensitivity labeling feature different from Microsoft’s container-level security labeling?

Apply group sensitivity labels to automatically control security settings at the team level

If your organization already has a ton of existing teams, then micromanaging the security settings of each team can still be a lot of time-consuming work for IT—especially if you’re not in a position to know the sensitivity level of every single team.

Never fear! ShareGate Apricot’s chatbot for Microsoft Teams is here!

In combination with “Group purpose“—our feature that helps you understand why owners create their teams—our conversational chatbot collects this information from owners directly in their flow of work in Microsoft Teams.

Shortly after an owner creates a new Microsoft 365 group—whether they do so by creating a new team in Microsoft Teams or via any of the other 19 ways to create a Microsoft 365 group—our chatbot will reach out to ask them for the group’s reason of creation and level of sensitivity.

The bot will present them with the options you’ve pre-populated as well as each one’s description, making it easy for owners to make an educated decision.

Owners pick the purpose and group sensitivity label that best fits their team.

You’ll now also be able to assess how much of a security risk that team poses to your business. But more importantly, once the owner has selected a group sensitivity label, the corresponding security settings will automatically be applied to their group/team.

That way, you can rest easy knowing that the appropriate controls have been applied from the moment the team is created.

Detect and correct sensitivity mismatches to enforce your security settings

Remember when we told you that owners can change a Microsoft 365 sensitivity label after it’s been applied to a site, group, or team? This can pose a security risk to your organizational data if you don’t catch a potentially harmful change in time.

ShareGate Apricot helps mitigate this risk by flagging sensitivity mismatches for you!

See potential security flaws so you can manually correct them.

Unlike sensitivity labels in Teams, owners can’t change a group sensitivity label once it’s been set. So, if an owner proceeds to change any of their team’s security settings after the group sensitivity label’s corresponding settings have been automatically applied—i.e., they labeled their team as “Confidential” and later changed the privacy status from private to public—ShareGate Apricot identifies the mismatch for you.

And unlike container-level sensitivity labels in Microsoft 365, when you change a team’s guest access settings in ShareGate Apricot to be more restrictive, all existing guests are automatically removed from the team.

Changes to a team’s group sensitivity label or security settings in ShareGate Apricot are applied right away—you don’t need to wait 24 hours for changes to take effect. So, you can spot potential security flaws in your environment and quickly correct the situation to avoid having your data fall into the wrong hands.

If your organization uses MIP sensitivity labels for documents and emails (with settings defined at the “Files & emails” scope in the sensitivity labeling wizard, you can use those capabilities in tandem with ShareGate Apricot’s group sensitivity label feature. As we mentioned for MIP container-level sensitivity labels above, the two scopes of labeling are complementary; depending on the needs of your organization, you may want to use ShareGate Apricot’s group sensitivity labels and MIP sensitivity labels for documents and emails together for maximum data protection.

MIP sensitivity labels and ShareGate Apricot group sensitivity labels: Feature comparison table

Before you go, we know there’s a lot of information to parse through in the article above. We created this handy table to help you visualize the different functionalities that are available in the context of container-level sensitivity labeling.

ShareGate Apricot is easy to setup and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.

If you’re a ShareGate Desktop customer, then we have great news! Your subscription gives you full access to ShareGate Apricot at no extra charge! Activate your ShareGate Apricot account by signing in here. Make sure to have your ShareGate Desktop license key handy—you’ll need it complete your activation.

From SharePoint migration and content management to ongoing Microsoft Teams governance, ShareGate gives you everything you need to achieve successful Microsoft 365 deployment and adoption. Learn what’s included and how to get more from a ShareGate Productivity subscription.

If you’re ready start categorizing your groups and teams according to business purpose, take a look at our documentation to learn how to set it up!

Want more details on how to get started?

Take a look at our support documentation to learn how to set up ShareGate Apricot!

Learn more