Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites

Microsoft 365 licensing guidance for security & compliance.

In addition to using sensitivity labels to classify and protect documents and emails, you can also use sensitivity labels to protect content in the following containers: Microsoft Teams sites, Microsoft 365 groups (formerly Office 365 groups), and SharePoint sites. For this container-level classification and protection, use the following label settings:

  • Privacy (public or private) of team sites and Microsoft 365 groups
  • External user access
  • Access from unmanaged devices

Important

The Access from unmanaged devices setting works in conjunction with the SharePoint feature to control access from unmanaged devices. You must configure this dependent SharePoint feature to use a sensitivity label that has this setting configured. Additional information is included in the instructions that follow.

When you apply this sensitivity label to a supported container, the label automatically applies the classification and configured protection settings to the site or group.

Content in these containers, however, does not inherit the labels for the classification or the settings for files and emails, such as visual markings and encryption. So that users can label their documents in SharePoint sites or team sites, make sure you've enabled sensitivity labels for Office files in SharePoint and OneDrive.

Note

Sensitivity labels for containers aren't supported with Office 365 Content Delivery Networks (CDNs).

Using sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites

Before you enable sensitivity labels for containers and configure sensitivity labels for the new settings, users could see and apply sensitivity labels in their apps. For example, from Word:

A sensitivity label displayed in the Word desktop app

After you enable and configure sensitivity labels for containers, users can additionally see and apply sensitivity labels to Microsoft team sites, Microsoft 365 groups, and SharePoint sites. For example, when you create a new team site from SharePoint:

A sensitivity label when creating a team site from SharePoint

How to enable sensitivity labels for containers and synchronize labels

  1. Because this feature uses Azure AD functionality, follow the instructions from the Azure AD documentation to enable sensitivity label support: Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory.

  2. You now need to synchronize your sensitivity labels to Azure AD. First, connect to Security & Compliance Center PowerShell.

    For example, in a PowerShell session that you run as administrator, sign in with a global administrator account.

  3. Then run the following command to ensure your sensitivity labels can be used with Microsoft 365 groups:

    Execute-AzureAdLabelSync
    

How to configure groups and site settings

Enabling sensitivity labels for containers means that you can now configure protection settings for groups and sites in the sensitivity labeling wizard. Until you enable this support, the settings are visible in the wizard but you can't configure them.

  1. Follow the general instructions to create or edit a sensitivity label and make sure you select Groups & sites for the label's scope:

    Sensitivity label scope options for files and emails

    When only this scope is selected for the label, the label won't be displayed in Office apps that support sensitivity labels and can't be applied to files and emails. Having this separation of labels can be helpful for both users and administrators, but can also add to the complexity of your label deployment.

    For example, you need to carefully review your label ordering because SharePoint detects when a labeled document is uploaded to a labeled site. In this scenario, an audit event and email are automatically generated when the document has a higher priority sensitivity label than the site's label. For more information, see the Auditing sensitivity label activities section on this page.

  2. Then, on the Define protection settings for groups and sites page, select one or both of the available options:

    • Privacy and external user access settings to configure the Privacy and External users access settings.
    • Device access and external sharing settings to configure the Access from unmanaged devices setting.
  3. If you selected Privacy and external user access settings, now configure the following settings:

    • Privacy: Keep the default of Public if you want anyone in your organization to access the team site or group where this label is applied.

      Select Private if you want access to be restricted to only approved members in your organization.

      Select None when you want to protect content in the container by using the sensitivity label, but still let users configure the privacy setting themselves.

      The settings of Public or Private set and lock the privacy setting when you apply this label to the container. Your chosen setting replaces any previous privacy setting that might be configured for the team or group, and locks the privacy value so it can be changed only by first removing the sensitivity label from the container. After you remove the sensitivity label, the privacy setting from the label remains and users can now change it again.

    • External user access: Control whether the group owner can add guests to the group.

  4. If you selected Device access and external sharing setting, now configure the following setting:

Important

Only these site and group settings take effect when you apply the label to a team, group, or site. If the label's scope includes files and emails, other label settings such as encryption and content marking aren't applied to the content within the team, group, or site.

If your sensitivity label isn't already published, now publish it by adding it to a sensitivity label policy. The users who are assigned a sensitivity label policy that includes this label will be able to select it for sites and groups.

More information about the dependencies for the unmanaged devices option

If you don't configure the dependent conditional access policy for SharePoint as documented in Use app-enforced restrictions, the option you specify here will have no effect. Additionally, it will have no effect if it's less restrictive than a configured setting at the tenant level. If you have configured an organization-wide setting for unmanaged devices, choose a label setting that's either the same or more restrictive.

For example, if your tenant is configured for Allow limited, web-only access, the label setting that allows full access will have no effect because it's less restrictive. For this tenant-level setting, choose the label setting to block access (more restrictive) or the label setting for limited access (the same as the tenant setting).

Because you can configure the SharePoint settings separately from the label configuration, there's no check in the sensitivity label wizard that the dependencies are in place. These dependencies can be configured after the label is created and published, and even after the label is applied. However, if the label is already applied, the label setting won't take effect until after the user next authenticates.

Sensitivity label management

Use the following guidance for when you create, modify, or delete sensitivity labels that are configured for sites and groups.

Creating and publishing labels that are configured for sites and groups

When a new sensitivity label is created and published, it's visible for users in teams, groups, and sites within one hour. However, if you modify an existing label, allow up to 24 hours. Use the following guidance to publish a label for your users when that label is configured for site and group settings:

  1. After you create and configure the sensitivity label, add this label to a label policy that applies to just a few test users.

  2. Wait for the change to replicate:

    • New label: Wait for one hour.
    • Existing label: Wait for 24 hours.
  3. After this wait period, use one of the test user accounts to create a team, Microsoft 365 group, or SharePoint site with the label that you created in step 1.

  4. If there are no errors during this creation operation, you know it's safe to publish the label to all users in your tenant.

Modifying published labels that are configured for sites and groups

As a best practice, don't change the site and group settings for a sensitivity label after the label has been applied to teams, groups, or sites. If you do, remember to wait for 24 hours for the changes to replicate to all containers that have the label applied.

In addition, if your changes include the External users access setting:

  • The new setting applies to new users but not to existing users. For example, if this setting was previously selected and as a result, guest users accessed the site, these guest users can still access the site after this setting is cleared in the label configuration.

  • The privacy settings for the group properties hiddenMembership and roleEnabled aren't updated.

Deleting published labels that are configured for sites and groups

If you delete a sensitivity label that has the site and group settings enabled, and that label is included in one or more label policies, this action can result in creation failures for new teams, groups, and sites. To avoid this situation, use the following guidance:

  1. Remove the sensitivity label from all label policies that include the label.

  2. Wait for one hour.

  3. After this wait period, try creating a team, group, or site and confirm that the label is no longer visible.

  4. If the sensitivity label isn't visible, you can now safely delete the label.

How to apply sensitivity labels to containers

You're now ready to apply the sensitivity label or labels to the following containers:

You can use PowerShell if you need to apply a sensitivity label to multiple sites.

Apply sensitivity labels to Microsoft 365 groups

You're now ready to apply the sensitivity label or labels to Microsoft 365 groups. Return to the Azure AD documentation for instructions:

Apply a sensitivity label to a new team

Users can select sensitivity labels when they create new teams in Microsoft Teams. When they select the label from the Sensitivity dropdown, the privacy setting might change to reflect the label configuration. Depending on the external users access setting you selected for the label, users can or can't add people outside the organization to the team.

Learn more about sensitivity labels for Teams

The privacy setting when creating a new team

After you create the team, the sensitivity label appears in the upper-right corner of all channels.

The sensitivity label displayed on the team

The service automatically applies the same sensitivity label to the Microsoft 365 group and the connected SharePoint team site.

Apply a sensitivity label to a new group in Outlook on the web

In Outlook on the web, when you create a new group, you can select or change the Sensitivity option for published labels:

Creating a group and selecting an option under Sensitivity

Apply a sensitivity label to a new site

Admins and end users can select sensitivity labels when they create modern team sites and communication sites, and expand Advanced settings:

Creating a site and selecting an option under Sensitivity

The dropdown box displays the label names for the selection, and the help icon displays all the label names with their tooltip, which can help users determine the correct label to apply.

When the label is applied, and users browse to the site, they see the name of the label and applied policies. For example, this site has been labeled as Confidential, and the privacy setting is set to Private:

A site that has the sensitivity label applied

Use PowerShell to apply a sensitivity label to multiple sites

You can use the Set-SPOSite and Set-SPOTenant cmdlets with the SensitivityLabel parameter from the current SharePoint Online Management Shell to apply a sensitivity label to many sites. The sites can be any SharePoint site collection, or a OneDrive site.

Make sure you have version 16.0.19418.12000 or later of the SharePoint Online Management Shell.

  1. Open a PowerShell session with the Run as Administrator option.

  2. If you don't know your label GUID: Connect to Security & Compliance Center PowerShell and get the list of sensitivity labels and their GUIDs.

    Get-Label | Format-Table Name, Guid

  3. Now connect to SharePoint Online PowerShell and store your label GUID as a variable. For example:

    $Id = [GUID]("e48058ea-98e8-4940-8db0-ba1310fd955e")

  4. Create a new variable that identifies multiple sites that have an identifying string in common in their URL. For example:

    $sites = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like 'documents'"

  5. Run the following command to apply the label to these sites. Using our examples:

    # Set-SPOSite takes the site URL as -Identity, as in the per-site command below
    $sites | ForEach-Object {Set-SPOSite -Identity $_.Url -SensitivityLabel $Id}


To apply different labels to different sites, repeat the following command for each site: Set-SPOSite -Identity <URL> -SensitivityLabel "<labelguid>"

View and manage sensitivity labels in the SharePoint admin center

To view, sort, and search the applied sensitivity labels, use the Active sites page in the new SharePoint admin center. You might need to first add the Sensitivity column:

The Sensitivity column on the Active sites page

For more information about managing sites from the Active sites page, including how to add a column, see Manage sites in the new SharePoint admin center.

You can also change and apply a label from this page:

  1. Select the site name to open the details pane.

  2. Select the Policies tab, and then select Edit for the Sensitivity setting.

  3. From the Edit sensitivity setting pane, select the sensitivity label you want to apply to the site, and then select Save.

Support for sensitivity labels

The following apps and services support sensitivity labels configured for sites and group settings:

  • Admin centers:

    • SharePoint admin center
    • Azure Active Directory portal
    • Microsoft 365 compliance center, Microsoft 365 security center, Security & Compliance Center
  • User apps and services:

    • SharePoint
    • Teams
    • Outlook on the web and for Windows, MacOS, iOS, and Android
    • Forms
    • Stream

The following apps and services don't currently support sensitivity labels configured for sites and group settings:

  • Admin centers:

    • Microsoft 365 admin center
    • Teams admin center
    • Exchange admin center
  • User apps and services:

    • Dynamics 365
    • Yammer
    • Planner
    • Project
    • Power BI

Classic Azure AD group classification

Microsoft 365 no longer supports the old classifications for new Microsoft 365 groups and SharePoint sites after you enable sensitivity labels for containers. However, existing groups and sites that support sensitivity labels still display the old classification values until you convert them to use sensitivity labels.

As an example of how you might have used the old group classification for SharePoint, see SharePoint "modern" sites classification.

These classifications were configured by using Azure AD PowerShell or the PnP Core library and defining values for the ClassificationList setting. If your tenant has classification values defined, they are shown when you run the following command from the AzureADPreview PowerShell module:

    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }  # load the Group.Unified settings object first
    $setting["ClassificationList"]

To convert your old classifications to sensitivity labels, do one of the following:

  • Use existing labels: Specify the label settings you want for sites and groups by editing existing sensitivity labels that are already published.

  • Create new labels: Specify the label settings you want for sites and groups by creating and publishing new sensitivity labels that have the same names as your existing classifications.

Then:

  1. Use PowerShell to apply the sensitivity labels to existing Microsoft 365 groups and SharePoint sites by using name mapping. See the next section for instructions.

  2. Remove the old classifications from the existing groups and sites.

Although you can't prevent users from creating new groups in apps and services that don't yet support sensitivity labels, you can run a recurring PowerShell script to look for new groups that users have created with the old classifications, and convert these to use sensitivity labels.

To help you manage the coexistence of sensitivity labels and Azure AD classifications for sites and groups, see Azure Active Directory classification and sensitivity labels for Microsoft 365 groups.

Use PowerShell to convert classifications for Microsoft 365 groups to sensitivity labels

  1. First, connect to Security & Compliance Center PowerShell.

    For example, in a PowerShell session that you run as administrator, sign in with a global administrator account:

  2. Get the list of sensitivity labels and their GUIDs by using the Get-Label cmdlet:

    Get-Label | Format-Table Name, Guid

  3. Make a note of the GUIDs for the sensitivity labels you want to apply to your Microsoft 365 groups.

  4. Now connect to Exchange Online PowerShell in a separate Windows PowerShell window.

  5. Use the following command as an example to get the list of groups that currently have the classification of "General":

    $Groups = Get-UnifiedGroup | Where-Object {$_.Classification -eq "General"}

  6. For each group, add the new sensitivity label GUID. For example:

    foreach ($g in $Groups)
    {Set-UnifiedGroup -Identity $g.Identity -SensitivityLabelId "457fa763-7c59-461c-b402-ad1ac6b703cc"}

  7. Repeat steps 5 and 6 for your remaining group classifications.
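
Steps 5 to 7 generalized to every classification in one pass, in a form that can be rerun on a schedule. This is an added example, not Microsoft's own script: the function name Convert-ClassificationToLabel is hypothetical, it assumes an Exchange Online PowerShell session, and it assumes Get-UnifiedGroup output exposes a SensitivityLabelId property. The map holds the GUIDs you noted in step 3.

```powershell
# Added example (not from the original page).
# Run in the Exchange Online PowerShell session from step 4.
function Convert-ClassificationToLabel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Classification name -> sensitivity label GUID (values from Get-Label, step 3).
        [Parameter(Mandatory = $true)]
        [hashtable]$LabelMap
    )

    # Validate every GUID up front so a typo stops the run before any group is changed.
    $map = @{}
    foreach ($name in $LabelMap.Keys) {
        $guid = [Guid]::Empty
        if (-not [Guid]::TryParse([string]$LabelMap[$name], [ref]$guid)) {
            throw "Label GUID for classification '$name' is not a valid GUID."
        }
        $map[[string]$name] = $guid
    }

    # Only groups that still carry an old classification value are candidates.
    $groups = Get-UnifiedGroup -ResultSize Unlimited |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.Classification) }

    foreach ($g in $groups) {
        $labelId = $null
        $detail  = ''

        if (-not $map.ContainsKey($g.Classification)) {
            # A classification with no agreed label is reported, never guessed.
            $status = 'NoMapping'
        }
        elseif ($g.SensitivityLabelId -and $g.SensitivityLabelId -ne [Guid]::Empty) {
            # Assumption: SensitivityLabelId is populated once a label is applied.
            # Existing labels are left alone so a rerun never overwrites a manual choice.
            $status  = 'AlreadyLabeled'
            $labelId = $g.SensitivityLabelId
        }
        else {
            $labelId = $map[$g.Classification]
            if ($PSCmdlet.ShouldProcess($g.DisplayName, "Apply sensitivity label $labelId")) {
                try {
                    Set-UnifiedGroup -Identity $g.Identity -SensitivityLabelId $labelId -ErrorAction Stop
                    $status = 'Converted'
                }
                catch {
                    $status = 'Failed'
                    $detail = $_.Exception.Message
                }
            }
            else {
                $status = 'Skipped'   # -WhatIf, or the operator declined the prompt
            }
        }

        # One record per group so each run can be saved and reviewed.
        [pscustomobject]@{
            Group          = $g.DisplayName
            Classification = $g.Classification
            LabelId        = $labelId
            Status         = $status
            Detail         = $detail
        }
    }
}

# Usage: preview first, then run for real and keep the report.
$labelMap = @{
    'General' = '457fa763-7c59-461c-b402-ad1ac6b703cc'   # GUID from the example in step 6
    # 'Confidential' = '<label GUID from Get-Label>'      # placeholder, add one entry per classification
}
Convert-ClassificationToLabel -LabelMap $labelMap -WhatIf | Format-Table -AutoSize
```

Groups reported as NoMapping are the ones users created with a classification that has no corresponding label yet; resolve those before removing the old classifications.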

审核敏感度标签活动Auditing sensitivity label activities

重要

如果通过仅为保护容器的标签选择“组和网站”作用域来使用标签分离,则:由于本部分描述的检测到文档敏感度不匹配审核事件和电子邮件,请考虑在为标签设置“文件和电子邮件”作用域之前先对这些标签进行排序If you use label separation by selecting just the Groups & sites scope for labels that protect containers: Because of the Detected document sensitivity mismatch audit event and email described in this section, consider ordering these labels before labels that have a scope for Files & emails.

If somebody uploads a document to a site that's protected with a sensitivity label and their document has a higher priority sensitivity label than the sensitivity label applied to the site, this action isn't blocked. For example, you've applied the General label to a SharePoint site, and somebody uploads to this site a document labeled Confidential. Because a sensitivity label with a higher priority identifies content that is more sensitivity than content that has a lower priority order, this situation could be a security concern.If somebody uploads a document to a site that's protected with a sensitivity label and their document has a higher priority sensitivity label than the sensitivity label applied to the site, this action isn't blocked. For example, you've applied the General label to a SharePoint site, and somebody uploads to this site a document labeled Confidential. Because a sensitivity label with a higher priority identifies content that is more sensitivity than content that has a lower priority order, this situation could be a security concern.

Although the action isn't blocked, it is audited and automatically generates an email to the person who uploaded the document and the site administrator. As a result, both the user and administrators can identify documents that have this misalignment of label priority and take action if needed. For example, delete or move the uploaded document from the site.Although the action isn't blocked, it is audited and automatically generates an email to the person who uploaded the document and the site administrator. As a result, both the user and administrators can identify documents that have this misalignment of label priority and take action if needed. For example, delete or move the uploaded document from the site.

It wouldn't be a security concern if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled General is uploaded to a site labeled Confidential. In this scenario, an auditing event and email aren't generated.It wouldn't be a security concern if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled General is uploaded to a site labeled Confidential. In this scenario, an auditing event and email aren't generated.

要搜索此事件的审核日志,请从“文件和页面活动”类别中查找“检测到文档敏感度不匹配”。To search the audit log for this event, look for Detected document sensitivity mismatch from the File and page activities category.

The automatically generated email has the subject Incompatible sensitivity label detected and the email message explains the labeling mismatch with a link to the uploaded document and site. It also contains a documentation link that explains how users can change the sensitivity label. Currently, these automated emails cannot be disabled or customized.The automatically generated email has the subject Incompatible sensitivity label detected and the email message explains the labeling mismatch with a link to the uploaded document and site. It also contains a documentation link that explains how users can change the sensitivity label. Currently, these automated emails cannot be disabled or customized.

When somebody adds or removes a sensitivity label to or from a site or group, these activities are also audited but without automatically generating an email.

All these auditing events can be found in the Sensitivity label activities category. For instructions to search the audit log, see Search the audit log in the Security & Compliance Center.
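Because the mismatch is audited rather than blocked, a periodic summary of these events per site and uploader shows where follow-up is needed. The following is an added example, not part of the original documentation: the function name, the sample records (constructed), and the operation name DocumentSensitivityMismatchDetected for the Detected document sensitivity mismatch activity are assumptions to confirm against your own tenant's audit records.

```powershell
# Constructed sample records shaped like Search-UnifiedAuditLog output:
# each record carries its details as a JSON string in AuditData. All values are made up.
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-03-02T09:14:07","Operation":"DocumentSensitivityMismatchDetected","UserId":"adele@contoso.example","SiteUrl":"https://contoso.example/sites/general/","ObjectId":"https://contoso.example/sites/general/Docs/plan.docx"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-03-03T16:40:51","Operation":"DocumentSensitivityMismatchDetected","UserId":"adele@contoso.example","SiteUrl":"https://contoso.example/sites/general/","ObjectId":"https://contoso.example/sites/general/Docs/budget.xlsx"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-03-03T11:02:30","Operation":"FileUploaded","UserId":"megan@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","ObjectId":"https://contoso.example/sites/hr/Docs/notes.docx"}' }
    [pscustomobject]@{ AuditData = 'not-json' }
)

function Get-LabelMismatchSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # Assumed operation name; confirm against a known event in your tenant.
        [string] $Operation = 'DocumentSensitivityMismatchDetected'
    )
    $events = foreach ($r in $Records) {
        try   { $d = $r.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; continue }
        if ($d.Operation -ne $Operation) { continue }   # ignore unrelated activity
        [pscustomobject]@{
            Time    = [datetime]$d.CreationTime
            User    = $d.UserId
            SiteUrl = $d.SiteUrl
            File    = $d.ObjectId
        }
    }
    # One row per (site, uploader): repeat uploads to the same site stand out.
    $events | Group-Object SiteUrl, User | ForEach-Object {
        [pscustomobject]@{
            SiteUrl  = $_.Group[0].SiteUrl
            User     = $_.Group[0].User
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            Files    = @($_.Group.File | Sort-Object -Unique)
        }
    } | Sort-Object Count -Descending
}

Get-LabelMismatchSummary -Records $sampleRecords | Format-List

# Against a live tenant, from an Exchange Online PowerShell session, pass instead:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -Operations DocumentSensitivityMismatchDetected -ResultSize 1000
```

With the sample data, the summary contains a single row for the general site with a count of 2; the unrelated upload and the malformed record are skipped.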

How to disable sensitivity labels for containers

You can turn off sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites by using the same instructions from Enable sensitivity label support in PowerShell. However, to disable the feature, in step 5, specify $setting["EnableMIPLabels"] = "False".

In addition to making all the settings unavailable for groups and sites when you create or edit sensitivity labels, this action reverts which property the containers use for their configuration. Enabling sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites switches the property used from Classification (used for Azure AD group classification) to Sensitivity. When you disable sensitivity labels for containers, the containers ignore the Sensitivity property and use the Classification property again.

This means that any label settings from sites and groups previously applied to containers won't be enforced, and containers no longer display the labels.

If these containers have Azure AD classification values applied to them, the containers revert to using the classifications again. Be aware that any new sites or groups that were created after enabling the feature won't display a label or have a classification. For these containers, and any new containers, you can now apply classification values. For more information, see SharePoint "modern" sites classification and Create classifications for Office groups in your organization.

Additional resources

See the webinar recording and answered questions for Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites.

This webinar was recorded when the feature was still in preview, so you might notice some discrepancies in the UI. However, the information for this feature is still accurate, with any new capabilities documented on this page.