Sensitivity Labels for Microsoft Teams and SharePoint: Site and Group Classification at Scale
As collaboration expands across cloud-based environments, controlling access and applying consistent governance to Microsoft Teams and SharePoint Online has become a key aspect of enterprise security. With the rise of remote and hybrid work, it is no longer sufficient to rely solely on user discipline or manual settings.
Microsoft Purview Sensitivity Labels now allow you to enforce governance policies directly at the container level—including Microsoft Teams, Microsoft 365 Groups, and SharePoint Sites. This capability lets you classify and protect collaborative spaces at creation time, making it easier to scale compliance and data protection.
Why Container-Level Labeling Matters
Traditional sensitivity labeling focused on documents and emails. However, in modern cloud environments, the container itself (e.g., a Team, Group, or Site) can expose data if not governed properly. For example:
- An open Team may allow guest access to sensitive project data.
- A public Microsoft 365 Group might unintentionally expose internal content.
- A SharePoint site could be indexed by search engines if not configured securely.
By applying sensitivity labels to containers, organizations can:
- Control privacy settings (Public/Private)
- Enforce or block external sharing
- Define access control policies
- Apply default label inheritance to documents
- Ensure compliance metadata tagging at the container level
Key Capabilities of Container Sensitivity Labels
| Capability | Description |
|---|---|
| Privacy configuration | Auto-set Teams and Groups as Public or Private |
| External user access control | Allow or block guest users |
| Conditional Access policies | Integrate with Azure AD for label-based CA enforcement |
| Default document labels | Automatically apply sensitivity labels to files within a container |
| Site classification metadata | Apply classification for search, retention, and compliance filtering |
How to Configure Sensitivity Labels for Teams, Groups, and SharePoint Sites
Step 1: Enable Label Support for Containers
In PowerShell, enable support for labeling containers:
Connect-AipService
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $true
Also, ensure the Unified Labeling platform is active across your tenant.
Step 2: Create Sensitivity Labels for Containers
- Go to the Microsoft Purview compliance portal
https://compliance.microsoft.com/informationprotection - Create a new sensitivity label.
- In the configuration steps, select:
- Apply label to Groups and Sites
- Define:
- Privacy (Public or Private)
- External user access (Allowed or Blocked)
- Default label for documents created in the site
- Authentication context (for Conditional Access enforcement)
- Publish the label using a label policy, targeting the appropriate users/groups.
Step 3: Assign Labels at Team or Site Creation
When a user creates a Microsoft Team or SharePoint Site, they are prompted to select a sensitivity label (if multiple labels are available to them). Based on the selected label:
- The group/site will inherit governance settings
- Documents inside the site can inherit default protection
- Guest access will be allowed or blocked automatically
Step 4: Enforce with Conditional Access (Optional)
You can enhance protection by linking Azure AD Conditional Access (CA) policies to labels. For example:
- Require MFA for sites labeled “Confidential”
- Block access from unmanaged devices to sites labeled “Highly Confidential”
This is done via Authentication Contexts, which are mapped to labels in Microsoft Purview and referenced in CA policies.
Step 5: Monitor Label Usage and Access
Use tools such as:
- Microsoft Purview Activity Explorer
- Microsoft Teams Admin Center
- SharePoint Admin Center
- Audit Logs
These dashboards allow you to track label adoption, external access activity, and compliance posture across containers.
Practical Use Cases
| Label | Privacy | Guest Access | Use Case |
|---|---|---|---|
| Public – Collaboration | Public | Allowed | External-facing project Teams |
| Internal Only | Private | Blocked | Internal HR site |
| Confidential – Finance | Private | Allowed (domain-limited) | Vendor collaboration with encrypted documents |
| Highly Confidential – Legal | Private | Blocked | Boardroom-level collaboration with enforced MFA |
Limitations and Considerations
- A label applied to a container does not retroactively change privacy or guest settings if the label is updated later.
- Site admins can still override some settings manually unless additional governance is applied.
- Label inheritance for documents only works with Microsoft 365 apps (Word, Excel, PowerPoint) and not custom apps or third-party tools.
Summary Table
| Feature | Description |
|---|---|
| Platform | Microsoft Purview Sensitivity Labels |
| Target Scope | Microsoft Teams, SharePoint Online, Microsoft 365 Groups |
| Functions | Privacy, guest access control, default file labels, authentication context |
| Access Control | Public/Private, external users, domain-based restrictions |
| Integration | Azure AD Conditional Access, Microsoft Teams/SharePoint Admin Centers |
| Use Cases | Compliance, insider risk reduction, guest governance |
| Best Practices | Apply at creation time, use with CA, monitor via Purview tools |
| Reference | Microsoft Teams Security – Wikipedia |
edvaldo b. guimarães filho 