New in ShareGate Apricot: Automatically apply the right security settings to your Microsoft teams based on their sensitivity


In this release, we’ve made it easy to automatically apply custom-fit security settings based on each team’s level of data sensitivity—so you can protect your organization’s data without hindering productivity or collaboration.

Users create teams in Microsoft Teams for all sorts of reasons; they’re a great way to collaborate with colleagues and people outside your organization on shared projects, whatever those projects may be.

Ideally, you want to give users the freedom to create new resources as they see fit, thereby leveraging the power of self-service features to drive productivity and adoption. But you don’t want that freedom to come at the cost of creating a security risk for your business. It’s probably not a big deal if John shares beer tasting notes with Sam from the ad agency. But Emma in Finance should definitely not be allowed to add external users to a team containing highly confidential company data.

So, how can you loosen security requirements for some teams while enforcing stricter rules for others?

Configuring a team’s security settings in Microsoft 365 according to its level of data sensitivity is not an easy feat. To apply settings at the team level, you need to either shut down self-service and put a complex provisioning process in place, or you need to have an Azure Active Directory Premium license.

What if you want to customize each team’s security settings without having to do either? That’s the problem we set out to tackle when developing the new features in this release.


Introducing ‘Group sensitivity’ in ShareGate Apricot

ShareGate Apricot now enables you to automatically apply custom security settings to your teams and Microsoft 365 groups depending on each one’s level of data sensitivity.

In combination with ‘Group purpose’—our feature that helps you understand why owners create their teams—you’ll now also be able to assess how much of a security risk that team poses to your business. That way, you can apply the appropriate controls from the moment the team is created and ensure the right people have access to the right things.



Manage your teams’ security settings directly in ShareGate Apricot

You can now manage a Microsoft 365 group or team’s individual security settings directly in ShareGate Apricot! Not only is this an incredible time saver (no need to go to the Microsoft 365 admin center or write a new script), it’s also the foundation of our new ‘Group sensitivity’ capability.

ShareGate Apricot enables you to manage privacy status, external sharing, and guest access at the team level, giving you more granular control over each team’s security settings. This comes in handy, since some of these settings in Microsoft 365 can only be controlled at the organization level or with an Azure AD Premium license—which you won’t be needing here.

With ShareGate Apricot, you can turn on external sharing for your organization, but still restrict it for specific high-risk teams and groups.


Edit security settings at the group/team level.

Within the app, you can manually edit and overwrite the following security settings:

  • Privacy status: Set to ‘Private’ or ‘Public’
  • External sharing: Set to ‘Anyone’, ‘New and existing guests’, ‘Existing guests’, or ‘Only people in your organization’
  • Guest access: Set to ‘Guests allowed’ or ‘Guests not allowed’

Head to our support documentation for more details on how to manage the security settings of a Microsoft 365 group or team.


Set up sensitivity labels to automatically control your teams’ security settings

Ok, we know what you’re thinking: ‘Micromanaging the security settings of each team is convenient, but what if I have a ton of teams? Sounds time consuming!’

That’s why we’re launching a faster, easier way to manage team-level settings that automates part of the process for you: group sensitivity labels. As part of this release, you can now assign a sensitivity label to each Microsoft 365 group (and by extension, its attached team) in ShareGate Apricot, which then applies the correct security settings to that group automatically.

For example, if you know that one of your teams contains highly sensitive data—say, the R&D team discussing the secret ingredients in your best-selling pizza sauce—you can label that team as ‘Highly confidential’. Once you’ve applied that sensitivity label, ShareGate Apricot automatically enforces stricter security settings by setting the team to private, turning off external sharing, and forbidding guest access.

How it works

You can create your own group sensitivity labels in ShareGate Apricot with customized privacy status, external sharing, and guest access settings.

To help get you started, we’ve created the following default sensitivity labels, which you can modify or even delete:

  • General: Sets the group/team to public, allows external sharing with anyone, and enables guest access
  • Confidential: Sets the group/team to private, only allows external sharing with new and existing guests, and disables guest access
  • Highly confidential: Sets the group/team to private and disables external sharing and guest access

Create and edit sensitivity labels in-app.

Each sensitivity label should also include a description. Make sure the description clearly defines the corresponding sensitivity level, as it will be presented to owners to help them make a choice on behalf of their team (more on that later).


Add a description to help owners select the correct security settings.

Once you’ve established the different group sensitivity labels for your organization, you can manually add labels or overwrite a selection made earlier by an owner.


Manually assign or change a team’s sensitivity label.

To help you get started, take a look at our group sensitivity labels support documentation.


Collect sensitivity information from owners with ShareGate Apricot’s chatbot for Microsoft Teams

So, how do you know the data sensitivity level of every single team?

Figuring this out is far from easy for someone in IT. When end users create a new team in Microsoft Teams, they only have to set the privacy status and choose a name—neither of which provides any indication of the data sensitivity level.

If you want to know how confidential the data within a team is in order to apply the correct security settings, the team owner is the best person to help you out. After all, they know why they created their team as well as the kind of information that will be shared between its members.

Conversational chatbots are the perfect solution for collecting information from owners; they integrate seamlessly with users’ flow of work, reduce the need for context-switching, and automate workflows and tasks. And we believe the best way to collect information about a team’s business purpose and sensitivity is to ask owners directly in Microsoft Teams. You might recall that we launched a ShareGate Apricot chatbot for Microsoft Teams back in May to help you understand how owners intend to use new teams.

Now, we’re adding to this capability by collecting information about sensitivity at the same time. All you have to do is set up your sensitivity labels in ShareGate Apricot and activate our Teams chatbot.

How it works

Shortly after an owner creates a new Microsoft 365 group—whether they do so by creating a new team in Microsoft Teams or via any of the other 19 ways to create a Microsoft 365 group—our chatbot will reach out to ask them for the group’s reason for creation and level of data sensitivity.

The bot will present them with the options you’ve pre-populated as well as each one’s description, making it easy for owners to make an educated decision.

For more details on how to set up the bot, head to our support documentation on using the ShareGate Apricot Teams bot.


Owners pick the purpose and sensitivity level that best fits their team.

Once the owner has answered the bot, the security settings that correspond to the sensitivity level they selected will automatically be applied to their group/team.

Our bot also relays that information back to you in ShareGate Apricot on your ‘Groups’ page, where the newly applied label will appear in the ‘Sensitivity’ column next to that team.

From there, you can filter and organize your groups by sensitivity level and see which groups haven’t responded to the bot yet—so you can follow up with owners or manually select a sensitivity label and purpose for those groups yourself.


See all of your groups categorized by purpose and sensitivity in ShareGate Apricot.


Correct sensitivity mismatches to enforce your security settings

We’ve also made it easy for you to spot potential security flaws in your environment by flagging sensitivity mismatches—i.e., security settings that don’t match the corresponding sensitivity label that’s been applied to a team. This gives you the chance to manually correct the situation and avoid having your data fall into the wrong hands.


See potential security flaws so you can manually correct them.

For example, let’s say an owner created a team and initially identified it as ‘Highly confidential’. On your end, you had previously established that teams labeled ‘Highly confidential’ should be made private.

At some point after ShareGate Apricot applied the corresponding security settings, the owner changed the privacy status from private to public. We’ll bring that discrepancy to your attention so you can manually revert the privacy status back to private.

Same goes for other security settings that have been changed after the sensitivity label was applied. If a team has been inviting guests to join when, according to its label, that shouldn’t be allowed, ShareGate Apricot identifies that mismatch. That way, you can change the team’s security setting back to ‘Guests not allowed’ (which will also automatically kick all existing guests out of the team).
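
The mismatch check described above, sketched as an added example; it is not ShareGate Apricot's code or API. The data model, function names and sample groups are constructed, and mapping "external sharing disabled" to ‘Only people in your organization’ is an assumption. It goes one step beyond the text by marking whether each mismatch is looser than the label allows, since those are the ones to correct first.

```python
from dataclasses import dataclass

# External sharing options named on the page, most permissive first.
SHARING_ORDER = ["Anyone", "New and existing guests", "Existing guests",
                 "Only people in your organization"]
FIELDS = ("privacy", "external_sharing", "guest_access")

@dataclass(frozen=True)
class Settings:
    privacy: str            # 'Private' or 'Public'
    external_sharing: str   # one of SHARING_ORDER
    guest_access: bool      # True = 'Guests allowed'

# The three default labels as the page describes them.
# Assumption: "disables external sharing" = 'Only people in your organization'.
LABELS = {
    "General": Settings("Public", "Anyone", True),
    "Confidential": Settings("Private", "New and existing guests", False),
    "Highly confidential": Settings("Private", SHARING_ORDER[-1], False),
}

def is_looser(field, expected, actual):
    """True when the actual value exposes more than the label's baseline."""
    if field == "privacy":
        return expected == "Private" and actual == "Public"
    if field == "external_sharing":
        return SHARING_ORDER.index(actual) < SHARING_ORDER.index(expected)
    return bool(actual and not expected)  # guest_access

def audit(groups):
    """Return (mismatches, unlabelled) for a list of group dicts."""
    mismatches, unlabelled = [], []
    for g in groups:
        baseline = LABELS.get(g["label"])
        if baseline is None:          # owner has not answered yet
            unlabelled.append(g["name"])
            continue
        for field in FIELDS:
            expected, actual = getattr(baseline, field), g[field]
            if expected != actual:
                mismatches.append((g["name"], field, expected, actual,
                                   is_looser(field, expected, actual)))
    return mismatches, unlabelled

# Constructed sample inventory (not real tenant data).
SAMPLE_GROUPS = [
    {"name": "Pizza Sauce R&D", "label": "Highly confidential", "privacy": "Public",
     "external_sharing": "Only people in your organization", "guest_access": False},
    {"name": "Finance", "label": "Confidential", "privacy": "Private",
     "external_sharing": "New and existing guests", "guest_access": True},
    {"name": "Beer Tasting", "label": "General", "privacy": "Private",
     "external_sharing": "Anyone", "guest_access": True},
    {"name": "New Project", "label": None, "privacy": "Public",
     "external_sharing": "Anyone", "guest_access": True},
]
```

Calling `audit(SAMPLE_GROUPS)` flags the two groups whose settings drifted looser than their label, one that is merely stricter than its label, and one group still waiting on a label.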

You can read more about sensitivity mismatches in our support documentation.


Coming soon

We’re excited for what’s coming up on the product roadmap! Our next release will tie everything together and enable you to set custom governance policies based on a team’s purpose and data sensitivity.

For instance, you’ll be able to set custom inactivity thresholds that correspond to a team’s assigned purpose. So, you could set a policy that flags ‘Internal project’ teams as inactive after 180 days, whereas owners of teams with a group purpose of ‘External project’ will be asked to make a decision about archiving their team after only 90 days.

You’ll also be able to schedule external sharing reviews to occur at different frequencies depending on a team’s level of sensitivity. For example, you could ask owners to review their team’s external sharing links more frequently if its assigned sensitivity label is ‘Confidential’ compared to if it’s labeled as ‘General’.

We can’t wait to see what custom policies you’ll put in place!


ShareGate Apricot is easy to set up and even easier to manage—no clunky interface, no coding, and no Azure AD Premium subscription required.

If you’re a ShareGate Desktop customer, then we have great news! Your subscription now gives you full access to ShareGate Apricot at no extra charge! Activate your ShareGate Apricot account by signing in here. Make sure to have your ShareGate Desktop license key handy—you’ll need it to complete your activation.

If you’re ready to start categorizing your groups and teams according to business purpose, take a look at our group sensitivity support documentation to learn how to set it up!
