Use sensitivity labels with Microsoft Teams, Office 365 groups, and SharePoint sites (public preview)

When you create sensitivity labels in the Microsoft 365 compliance center, you can now apply them to Microsoft Teams, Office 365 groups, and SharePoint sites. You can associate policies with the labels to control:

  • Public/private settings
  • Guest access
  • Access from unmanaged devices

When you apply a label to a team or group, the label automatically applies to the connected SharePoint team site and the other way around.

You can now also enable sensitivity labels for Office files in SharePoint and OneDrive. For more information, see Enable sensitivity labels for Office files in SharePoint and OneDrive (public preview).

About the public preview for Microsoft Teams, Office 365 groups, and SharePoint sites

Sensitivity labels for Microsoft Teams, Office 365 groups, and SharePoint sites are gradually rolling out to tenants and might change before final release.

This public preview doesn't work with Office 365 Content Delivery Networks (CDNs).

Overview

When you publish sensitivity labels, users across Office 365 have access to the same list of labels.

These images show:

  • How the list appears when you create a new team site from SharePoint

  • When you view the list in Word

For example:

A sensitivity label when creating a team site from SharePoint

A sensitivity label displayed in the Word desktop app

Enable this preview

You must use the preview version of Azure Active Directory PowerShell for Graph (AzureAD) (module name AzureADPreview) to enable this preview of sensitivity labels with Microsoft Teams, Office 365 groups, and SharePoint sites:

  • If you haven't installed any version of the Azure AD PowerShell module before, see Installing the Azure AD Module and follow the instructions to install the public preview release.

  • If you have the 2.0 general availability version of the Azure AD PowerShell module (AzureAD) installed, you must uninstall it by running Uninstall-Module AzureAD in your PowerShell session, and then install the preview version by running Install-Module AzureADPreview.

  • If you have already installed the preview version, run Install-Module AzureADPreview to make sure it's the latest version of this module.

You're now ready to enable the preview of sensitivity labels with Microsoft Teams, Office 365 groups, and SharePoint sites:

  1. In a PowerShell session, using a work or school account that has global admin privileges, connect to Azure Active Directory. For example, run:

    Connect-AzureAD
    

    For full instructions, see Connect to Azure AD.

  2. Run the following commands:

    $setting=(Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
    if ($setting -eq $null)
    {
    $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
    $setting = $template.CreateDirectorySetting()
    $setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $setting
    }
    else
    {
    $setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    }
    

    Note

    Office 365 no longer uses the old classifications for new groups and SharePoint sites when you enable this preview. If you used Azure AD site classification ($setting["ClassificationList"]), existing groups and sites still display the old classifications. To display the new classifications, convert them. For information about how to convert them, see If you used classic Azure AD site classification.

  3. In the same PowerShell session, now connect to the Security & Compliance Center by using a work or school account that has global admin privileges. For instructions, see Connect to Office 365 Security & Compliance Center PowerShell.

  4. Run the following commands to synchronize your labels to Azure AD, so that they can used with Office 365 groups:

    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session -DisableNameChecking
    Execute-AzureAdLabelSync
    

Set site and group settings when you create or edit sensitivity labels

After you enable the preview, use the following steps to create or edit sensitivity labels. You must complete these steps for the new sensitivity labels to work with sites and groups, even if you already have labels defined. Changes to these settings might take up to 24 hours to synchronize.

  1. In the Microsoft 365 compliance center, select Classification > Sensitivity labels.

  2. Select Create a label. If you already have a label, skip to the next step.

  3. Select the options you want, and then on the Site and group settings tab, choose:

    • Privacy (Public/Private): Private means that only approved members in your organization can see what's inside the group. Anyone else in your organization can't see what's in the group. Learn more
    • Guest access: You can control if guests can be added to a group. Learn about managing guest access in Office 365 Groups
    • Unmanaged devices: This setting lets you block or limit access to SharePoint content from devices that aren't hybrid AD joined or compliant in Intune. If you select Unmanaged devices, you must go to Azure AD to finish setting up the policy. For info, see Control access from unmanaged devices.

    The site and group settings tab

Important

Only the site and group settings take effect when you apply a label to a team, group, or site. Other settings, such as encryption and content marking, aren't applied to all content within the team, group, or site.

Similarly, if you create a label and don't turn on site and group settings, the label will still be available when users create teams, groups, and sites, but it will classify without applying any settings.

Learn more about publishing sensitivity labels

Sensitivity label management

Warning

Creating, modifying, and deleting sensitivity labels that you use for Microsoft Teams, Office 365 groups, and SharePoint sites requires careful coordination with publishing label policies to users.

Avoid creation errors for sites and groups that can affect all users by using the following guidance.

Creating and publishing labels:

After a sensitivity label is created and published, it can take up to 24 hours for the label to become visible for users in teams, groups, and sites. Use the following steps to publish a label for all users in the tenant:

  1. Create the sensitivity label and publish it for just a few user accounts in the tenant.

  2. Wait for 24 hours.

  3. After this 24 hours wait, use one of the user accounts you specified in step 1 to create a team, Office 365 group, or SharePoint site with the label that you created in step 1.

  4. If there are no errors during the creation operation for step 3, publish the label for all users in your tenant. If there are errors, contact Microsoft Support.

Modifying and deleting published labels:

If you modify or delete a sensitivity label that is included in one or more label policies, these actions can result in creation failures for all teams, groups, and sites. To avoid this situation, use the following guidance:

  1. Remove the sensitivity label from all label policies that include the label.

  2. Wait for 48 hours.

  3. After the 48 hours wait, try creating a team, group, or site and confirm that the label is no longer visible.

  4. If the sensitivity label isn't visible, you can now safely modify or delete the label. If the label is still visible, contact Microsoft Support.

Troubleshoot sensitivity label deployment

Labels not visible after publishing

If you experience issues when you create a team or Office 365 group after you enable these settings or modify a sensitivity label's description, save the label, wait a few hours, and then try to create the team or group again. For information, see Schedule roll-out after you create or change a sensitivity label.

If you are still not able to see the new sensitivity label from SharePoint Online, contact Microsoft Support.

Team, group, or SharePoint site creation errors

If you experience creation errors during the public preview, you have two options:

  • Ensure that sensitivity labels are not mandatory for any user.

  • You can turn off sensitivity labels for Microsoft Teams, Office 365 groups, and SharePoint sites by using the same instructions from the Enable this preview section on this page. However, to disable the preview, search for the line $setting["EnableMIPLabels"] = "True", and change the True value to False.

Apply a sensitivity label to a new team

Users can select sensitivity labels when they create new teams in Microsoft Teams. When they select the sensitivity level, the privacy setting changes as necessary. Depending on the guest access setting you selected for the label, users can or can't add people outside the organization to the team.

Learn more about sensitivity labels for Teams

The privacy setting when creating a new team

After you create the team, the sensitivity label appears in the upper-right corner of all channels.

The sensitivity label appears on the team

The service automatically applies the same sensitivity label to the Office 365 group and the connected SharePoint team site.

Apply a sensitivity label to a new group

In Outlook on the web, the new Sensitivity box contains published labels. If users want more info, they can click the help icon to read details about the available labels and associated policies.

Creating a group and selecting an option under Sensitivity

Apply a sensitivity label to a new site

Admins and end users can select sensitivity labels when they create modern team sites and communication sites.

Learn how to create a site in the new SharePoint admin center

When users create modern team and communication sites, a sensitivity label is already selected by default. Users can select the help icon to learn more about the labels.

Creating a site and selecting an option under Sensitivity

When users browse to the site, they can see the name of the label and applied policies.

A site that has a sensitivity label applied

Manage sensitivity labels in the SharePoint admin center

To view and edit the labels, use the Active sites page in the new SharePoint admin center.

The Sensitivity column on the Active sites page

Learn more about managing sites in the new SharePoint admin center.

Change site and group settings for a label

Whenever you make a change to site and group settings for a label, you must run the following PowerShell commands so that your teams, sites, and groups can use the new settings. As a best practice, don't the change site and group settings for a label after you've applied the label to several teams, groups, or sites.

  1. Run the following commands to connect to Office 365 Security & Compliance Center PowerShell and get the list of sensitivity labels and their GUIDs.

    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Authentication Basic -AllowRedirection -Credential $UserCredential
    Import-PSSession $Session
    Get-Label |ft Name, Guid
    
  2. Make a note of the GUID for the label or labels you have changed.

  3. Now connect to Exchange Online PowerShell and run the Get-UnifiedGroup cmdlet, specifying your label GUID in place of the example GUID of "e48058ea-98e8-4940-8db0-ba1310fd955e":

    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    $Groups= Get-UnifiedGroup | Where {$_.SensitivityLabel  -eq "e48058ea-98e8-4940-8db0-ba1310fd955e"}
    
  4. For each group, reapply the sensitivity label, specifying your label GUID in place of the example GUID of "e48058ea-98e8-4940-8db0-ba1310fd955e":

    foreach ($g in $groups)
    {Set-UnifiedGroup -Identity $g.Identity -SensitivityLabelId "e48058ea-98e8-4940-8db0-ba1310fd955e"}
    

Support for the new sensitivity labels

The following apps and services support the sensitivity labels in this preview:

  • Microsoft 365 compliance center
  • SharePoint
  • Outlook on the web
  • Teams
  • SharePoint admin center
  • Azure AD admin center

You can't use the following apps and services to create Office 365 groups with the new sensitivity labels:

  • Outlook for the Mac
  • Outlook mobile
  • Outlook desktop for Windows
  • Forms
  • Dynamics 365
  • Yammer
  • Stream
  • Planner
  • Project
  • PowerBI
  • Teams admin center
  • Microsoft 365 admin center
  • Exchange admin center

If you used classic Azure AD site classification

Office 365 no longer supports the old classifications for new groups and SharePoint sites when you enable this preview. However, existing groups and sites still display the old classifications unless you convert them. Old classifications include the "modern" sites classification you set up, possibly through Azure AD PowerShell or the PnP Core library, that defined values for the ClassificationList setting.

For example, in PowerShell:

   ($setting["ClassificationList"])

For more information about the old classification method, see SharePoint "modern" sites classification.

Based on your current deployment, you have two options to convert your old classifications to the new classifications.

If you never used sensitivity labels (unified Microsoft Information Protection labels) for files and email

We recommend that you:

  1. Create new sensitivity labels in the Microsoft 365 compliance center that have the same names as your existing classifications.
  2. Use PowerShell to apply the new labels to existing Office 365 groups and SharePoint sites using name mapping.
  3. Delete the old classifications.

Apps and services that support the new sensitivity labels will show them. You create new teams, groups, and sites with the new labels. Users can still create groups from apps and services that don't support the new labels. However, users can't apply a label to these groups. Use PowerShell to apply the new sensitivity labels to these groups.

You can keep your old classifications; however, we highly recommend using PowerShell to apply the new sensitivity labels to these groups.

Apps and services that support the new sensitivity labels will get created with the new labels. When users create groups from apps and services that don't support the new labels, they can select a classification.

If you use sensitivity labels (unified Microsoft Information Protection labels) for files and email

As soon as you enable this preview, go to each label in the Microsoft 365 compliance center and apply the policies you want for sites and groups. Users will start seeing your existing labels available for sites and groups.

Prepare the SharePoint Online Management Shell before you relabel Office 365 groups

Before you apply new labels, ensure that you're running the latest SharePoint Online Management Shell. If you already have the latest version, you can go ahead and Relabel Office 365 groups with new sensitivity labels.

To prepare the SharePoint Online Management Shell for the preview:

  1. If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall “SharePoint Online Management Shell”.

  2. In a web browser, go to the Download Center page and Download the latest SharePoint Online Management Shell.

  3. Select your language and then click Download.

  4. Choose between the x64 and x86 .msi file. Download the x64 file if you run the 64-bit version of Windows or the x86 file if you’re run the 32-bit version. If you don’t know, see Which version of Windows operating system am I running?.

  5. After you download the file, run the file and follow the steps in the Setup Wizard.

Relabel Office 365 groups with new sensitivity labels

  1. Ensure that you're using the latest version of the SharePoint Online Management Shell. For instructions, see Prepare the SharePoint Online Management Shell before you relabel Office 365 groups.

  2. Using a work or school account that has global administrator or SharePoint admin privileges in Office 365, connect to SharePoint Online Management Shell. To learn how, see Getting started with SharePoint Online Management Shell.

  3. Run the following command to get the list of sensitivity labels and their GUIDs.

    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Authentication Basic -AllowRedirection -Credential $UserCredential
    Import-PSSession $Session
    Get-Label |ft Name, Guid  
    
  4. Make a note of the GUID for the label you want to overwrite. For example, the "General" label.

  5. Use the following command to get the list of groups that have the “General” classification. When you run this command, you'll connect to Exchange Online PowerShell and run the Get-UnifiedGroup cmdlet.

    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    $Groups= Get-UnifiedGroup | Where {$_.classification -eq "General"}
    
  6. For each group, add the new sensitivity label GUID.

    foreach ($g in $groups)
    {Set-UnifiedGroup -Identity $g.Identity -SensitivityLabelId "457fa763-7c59-461c-b402-ad1ac6b703cc"}