The ability to apply Sensitivity Labels to documents and emails has been part of Microsoft 365 for a while, with the purpose of allowing end-users to apply a level of protection to data that they are going to share internally and externally. The labels restrict what consumers of that content, internal or external, can do with the data.

Up until recently, however, it was only possible to apply sensitivity labels to emails or documents. Microsoft has now introduced the ability to use sensitivity labelling at a ‘container level’, which means that you can apply a label’s protection at a higher level than the document or email. In Microsoft 365, when we refer to containers, this currently relates to the following three features or services.

  • SharePoint Online Sites
  • Microsoft Teams
  • Microsoft 365 Groups

In this walk-through, we will look at how to create, deploy and apply these labels, as well as the end-user experience for using the labels.

Let’s get started by going to the Microsoft 365 Compliance Portal

1. Log in to the Microsoft 365 Compliance Portal with an account that holds the Global Admin, Compliance Data Admin, Compliance Admin, or Security Admin role

2. Go to Catalog


3. Click on Information Protection


4. Then let’s open the solution

You will see that we already have some labels created for other demos, so for this one I want to create a new one

6. Click on Create a label. Now give your label a Name, a Display Name, and a User Description tooltip.

7. In Scope, we are going to select only Groups & Sites

8. Under Groups & Sites select both options, “Privacy and external user access settings” and “External Sharing and Conditional Access Settings”

9. We now set the Privacy setting to be Private

10. We also leave the External User Access option unticked

11. Under “External Sharing and Device Access” we are going to select that Unmanaged Devices are only allowed “Limited, web-only access”. We also tick the option to prevent External Sharing of this site’s contents with anyone outside our organisation

We will also need to create the corresponding Conditional Access Policy. This is useful for preventing internal and external users from accessing sensitive data from devices that do not meet the corporate device usage policy, for example a policy that requires devices to be Hybrid Azure AD Joined, or enrolled in Intune and marked as compliant.

12. The label can now be created and you can see a summary of the settings you created here


Applying sensitivity labels to SharePoint sites

Now that we have a configured label for use with sites and groups, we can apply that label to an existing SharePoint site within our M365 tenant, or whilst creating a new site. In the following example, I will choose to create a new Team Site to demonstrate how this can be done.

1. Log on to the SharePoint Admin Center and navigate to Sites > Active Sites

2. Click on Create

3. Choose to create a new Team Site and complete the Name, Email Address, Site Address, and Owner.

4. Under Advanced Settings, set the Sensitivity of the site by choosing the label previously created

5. Click Next, add any additional owners you need, and then the site will be created

The final piece in this configuration is to create an Azure AD Conditional Access Policy to enforce the app restriction policy

1. Log in to Azure AD > Security > Conditional Access

2. Click on New Policy

3. Give your policy a Name, Select All Users, and select SharePoint Online as the Cloud App

4. Under Session select Use app enforced restriction

5. Create the policy, ensuring that you click On under the Enable Policy field.
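
The three procedures above (create the label, apply it to a site, create the Conditional Access policy) can also be scripted so the configuration is repeatable and reviewable. The following PowerShell is an added example, not part of the original walkthrough: the label name, tooltip, site URL, admin URL and policy name are placeholders, it labels an existing site rather than creating one, and it assumes sensitivity labels for containers are already enabled in the tenant.

```powershell
# Added example. Modules assumed installed: ExchangeOnlineManagement,
# Microsoft.Online.SharePoint.PowerShell, Microsoft.Graph.Identity.SignIns.
$labelName = 'Confidential-Site-Demo'                     # placeholder
$siteUrl   = 'https://contoso.sharepoint.com/sites/demo'  # placeholder
$adminUrl  = 'https://contoso-admin.sharepoint.com'       # placeholder

# 1. Create the label, scoped to Groups & Sites only (steps 6-12)
Connect-IPPSSession
$label = New-Label -Name $labelName -DisplayName 'Confidential Site (demo)' `
    -Tooltip 'Private site: no guests, no external sharing' `
    -ContentType 'Site, UnifiedGroup' `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionAllowLimitedAccess $true `
    -SiteExternalSharingControlType Disabled

# 2. Apply the label to the site by its GUID
Connect-SPOService -Url $adminUrl
Set-SPOSite -Identity $siteUrl -SensitivityLabel $label.Guid.ToString()

# 3. Conditional Access policy: All Users, SharePoint Online,
#    session control "Use app enforced restrictions"
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
$policy = @{
    displayName = 'SPO - use app enforced restrictions (demo)'  # placeholder
    state       = 'enabled'   # the "On" setting under Enable Policy
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{
            # Well-known app ID of Office 365 SharePoint Online
            includeApplications = @('00000003-0000-0ff1-ce00-000000000000')
        }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 4. Check what the site actually enforces once the label has been applied
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, SensitivityLabel, ConditionalAccessPolicy, SharingCapability
```

The final `Get-SPOSite` call is the useful check: the label's unmanaged-device setting only takes effect when the site reports limited access and the Conditional Access policy above is enabled and targets SharePoint Online.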

End User Experience

To see the label in action, I can browse to the SharePoint Site, where an indicator in the top right-hand corner of the page lets users know that a Sensitivity label is applied

This label has been configured to enforce the following restrictions:

  1. Stop external sharing
  2. Stop external users being added to the site as a Guest
  3. Only allowing web-view on unmanaged devices

In this first scenario the user is trying to share a file on the SharePoint site with someone outside of the organisation, and it is blocked


Secondly, the user tried to add an external user to the SharePoint site as a Member, both within the SPO site and also through the Group in OWA

And then finally, the user accessed the SharePoint Site from an unmanaged device, and the Conditional Access Policy was invoked


In the next part of this series, I will talk you through the process of applying Sensitivity Labels to Teams