Prepare for Sensitivity Labels on SharePoint Document Libraries

To apply a Sensitivity Label as a default to SharePoint document libraries, you must perform a few initial preparatory steps and be aware of some of the details. Let’s take a look at what those are.

Note: a lot of this detail can be found in Configure a Default Sensitivity Label for a SharePoint Document Library, but I’ve added some commentary along the way based on my experience enabling this.

  1. Log in to the Microsoft Purview Compliance Portal as a global administrator.

  1. In the left-hand menu, navigate to Information Protection.

  1. If you see a message asking you to turn on the ability to process content in Office Online files with encrypting sensitivity labels, click Turn On Now.

Notes:

  • If you don’t see this banner, then the feature is very likely already turned on and you don’t need to do steps 1 to 3.
  • You can also enable this feature using the following SharePoint Online PowerShell cmdlet: Set-SPOTenant -EnableAIPIntegration $True.
  • If you are using Multi-Geo and you want to enable this feature for each Geo, you must use PowerShell to enable it and use the -URL parameter on the previous cmdlet.

  1. You must create Sensitivity Labels that are scoped for Items in order for them to appear as a default label option for Document Libraries. Only labels that are scoped for Items will appear in the list of Sensitivity Label defaults for libraries.

  1. The labels must be published to the users that will be creating a Document Library or selecting a label for a Document Library. This affects how you configure the Sensitivity Label Policy and who you publish the labels to. You must publish the labels to users that will be selecting them.

  1. Users that will select or modify a Sensitivity label on a Document Library must have the site admin permissions (site collection admin). By default, Site Owners for M365 Group connected sites are also site admins, therefore Site Owners can also typically select or modify a library’s default sensitivity label.

  1. The libraries to which a default Sensitivity Label is applied must NOT have the SharePoint Information Rights Management (IRM) feature enabled.
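A PowerShell check for the tenant setting and label prerequisites above, as an added example that is not from the original post or from Microsoft's documentation. It signs in to each geo location's admin URL with Connect-SPOService -Url, turns on EnableAIPIntegration only where it is off, and then lists the labels with their priority. The admin URLs are constructed placeholders, and treating a ContentType that contains "File" as the Items scope is an assumption.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell and
# ExchangeOnlineManagement modules and an account with admin rights.

# Constructed placeholder URLs: one SharePoint admin URL per geo location.
# A single-geo tenant has only one entry.
$geoAdminUrls = @(
    'https://contoso-admin.sharepoint.com',
    'https://contosoeur-admin.sharepoint.com'
)

foreach ($url in $geoAdminUrls) {
    Connect-SPOService -Url $url    # interactive sign-in per geo

    # Read the current state first so the script is safe to re-run.
    $tenant = Get-SPOTenant
    if ($tenant.EnableAIPIntegration) {
        Write-Host "$url : label processing for Office files already enabled"
    }
    else {
        Set-SPOTenant -EnableAIPIntegration $true
        Write-Host "$url : EnableAIPIntegration turned on"
    }

    Disconnect-SPOService
}

# Sensitivity labels live in Security & Compliance PowerShell.
Connect-IPPSSession

# Assumption: labels scoped for Items report 'File' in ContentType.
# Priority is listed because a higher-priority label already on a file
# is not replaced by the library default.
Get-Label |
    Where-Object { $_.ContentType -match 'File' } |
    Sort-Object Priority |
    Select-Object DisplayName, Priority, ContentType |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Labels missing from this list will not show up as library defaults, and a label that is listed still has to be published to the people who will select it.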

Be Patient – When I first configured labels to use as Document Library defaults, it took over 24 hours for them to replicate to SharePoint Online so that I could then select them on new or existing libraries. When I modified the labels I wanted to use, it took about 1 hr for them to replicate for use on new Microsoft Teams.

Select a Default Sensitivity Label for a Document Library

After waiting patiently, you can then create a new library or modify a library’s settings as you normally would in a SharePoint Online modern site, and select the necessary sensitivity label from the Create a Document Library page or the Library Settings page.

Details and Limitations

Overriding a File’s Existing Label – An existing sensitivity label on a file will only be overridden by a default library label if:

  • The file’s existing label was not manually applied by a user
  • The file’s existing label is not a higher priority label

In other words, if a label was manually applied by a user (regardless of its priority) or if an existing sensitivity label on a file is higher priority, then the default label is not applied to the file.

When is a Default label Applied – Understanding the timing of when a label is applied by a default library label is important to validating how this is working in your environment:

  • When a file is uploaded to a library – it can take a few minutes to apply. In my testing, I found it can take from 1 to 5 minutes before a label appears on a file after I upload it to a library. I usually test this very simply by displaying the built-in Sensitivity Label column on a library and waiting for it to be published (perhaps refreshing the library a few times).
  • Authoring a document in a Microsoft 365 App (Word, Excel, PowerPoint) – If I am authoring a document in Word, Excel or PowerPoint, then the default label is applied only after the app is closed… and this can take a few minutes.

Licensing – to utilize this feature, currently you must have one of the following user-based licenses:

  • Microsoft Syntex – SharePoint Advanced Management
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 E5/F5 Information Protection & Governance
  • Office 365 E5/A5/G5

Limitations – Although I think this feature is awesome, there are some key limitations to be aware of:

  • A library’s default Sensitivity Label will not apply to documents that are already stored at rest in the library.
  • IMPORTANT: This feature only applies to Microsoft Office Files (Word, Excel, PowerPoint). It does not yet apply to PDF files. For a list of currently supported file types, see Document Library Sensitivity Label Supported File Types.
  • Labels that are configured with the following features are not available to use as defaults on Document Libraries: User Defined Permissions (where a user selects who it’s encrypted for at the time of applying the label), Expiry, Double Key Encryption.