Microsoft Purview March 7, 2023 0

How to use Sensitivity Labels to configure limited web-only access for unmanaged devices

UnmIn this blog post, I will guide you through the steps and share my experience on how to use Sensitivity Labels to configure limited web-only access for unmanaged devices.

If you’ve read my earlier blog post, you know that Conditional Access can also enforce web-only access for unmanaged devices. However, if you don’t want these restrictions to apply to all corporate data, and instead want to protect specific locations with sensitive or business-critical information, Sensitivity Labels could be the solution. Identifying which locations to protect maybe a challenge, but Sensitivity Labels can help make these access controls more user-friendly and targeted.

This blog will include the following sections;

  • Preparation
  • Enable Sensitivity Label Support for containers
  • Configure Sensitivity Label
  • Verify tenant access control setting
  • Configure Conditional Access Policy
  • Configure Sensitivity Label policy
  • Apply labels to sites (as an admin)
  • Apply labels to sites (as an user)
  • User Experience


Lets start off with some basic licensing requirements;

  • M365 E3/E5, O365 E3/E5, EMS E3/E5 or Business Premium subscription; for implementing Sensitivity Labels.
  • Azure Active Directory Plan 1 license; for implementing a Conditional Access policy.
  • Microsoft Intune license; for managing corporate devices.
  • SharePoint Online license; for users accessing the company data.

Most companies won’t have to worry about licensing as long as they have a Business Premium or M365 E3 subscription, as these subscriptions are sufficient to cover all the licensing requirements.

Then for some recommendations, I would like to ask you the following questions;

  • Are all users working from corporate devices, or are some of them using personal devices? If users are using unmanaged personal devices, be prepared for them to have web-only access while accessing data.
  • Are users primarily using the Microsoft Edge browser, or have you implemented Single Sign On for alternative browsers like Google Chrome and Firefox? If not, users will have limited web-only access when using these browsers on managed devices.
  • Have you integrated Azure AD B2B with SharePoint and OneDrive to ensure that guests can be included or excluded from Conditional Access policies?

If you have any concerns about the above, I would recommend reading through at least some of my earlier blog. It includes more information on how to deal with these concerns and can provide you a better understanding of the topic.

Enable Sensitivity Label support for containers

To start off, we need to be able to apply Sensitivity Labels to containers such as Microsoft 365 groups, SharePoint sites and Microsoft team sites. After that we are going to synchronize the Sensitivity Labels with AzureAD. Firstly follow these steps to enable Sensitivity Label support for containers, if u haven’t already done so;

  1. Start the PowerShell or PowerShell ISE application.
  2. Use the following cmdlets to install, import and connect to the AzureADPreview module.
Install-Module AzureADPreview
Important-Module AzureADPreview
  1. Sign in to your admin account.
  2. Use the following cmdlet to display the current container settings.
$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value “Group.Unified” -EQ)
$Setting = $grpUnifiedSetting

If you see an empty screen, it means that group settings have not been created for the tenant yet. You can follow these steps to create them.

If Sensitivity Label support for containers has been enabled previously, PowerShell will output: “EnableMIPLabels = True”.

  1. Use the following cmdlets to enable the feature, checking the value and saving the changes.
$Setting[“EnableMIPLabels”] = “True”
Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting

Now we’ll synchronize the Sensitivity Labels to AzureAD, so we are able to use them with Microsoft 365 Groups from Azure Active Directory (or Microsoft Entra).

  1. Connect to the Security & Compliance PowerShell module.
  2. Use the following cmdlet to synchronize the Sensitivity Labels to AzureAD.

By turning on the feature, we are now ready to configure the Sensitivity Label.

Configure Sensitivity Label

Now on to the most important part of this blog which is configuring the Sensitivity Label. This label can be applied on specific SharePoint or team sites to enforce limited web-only access for unmanaged devices.

Follow these steps to configure the Sensitivity Label;

  1. Go to Microsoft Purview (former Compliance Admin Center) and navigate to Solutions > Information Protection.
  2. Go to the Labels page.
  3. Click on + Create a label, to create a new sensitivity label.

Optional: You can also choose to create a sub-label if you’re already using sensitivity labels.

  1. Enter a Name, Display name and a Description for users that fits your company’s labeling naming convention and strategy.

Optional: Enter a Description for admins or Label color.

  1. Click Next.
  1. Select Groups & sites. (The Groups & Sites option being greyed out indicates that container support for Sensitivity labels has not been enabled yet)
  2. Click Next twice. (skip the Items page)
  1. Select External sharing and Conditional Access settings.
  2. Click Next.
  1. Select Use Azure AD Conditional Access to protect labeled SharePoint sites.
  2. Select Allow limited, web-only access. (or Block access if that’s what you want to achieve)
  3. Click Next twice. (skip the Schematized data assets page)
  1. Review you’re settings and click on the Create Label button to finish.

Do not apply the Sensitivity Label to SharePoint sites yet, we still need to perform some additional configuration.

Verify tenant access control setting

Before we proceed further, lets verify the status of our tenant-wide SharePoint Online access control setting first. Download and connect to the SharePoint Online Management Shell and use the following cmdlet;

Get-SPOTenant | Select-Object -ExpandProperty ConditionalAccessPolicy

When the output shows AllowLimitedAccess or BlockAccess, it means that the global setting for using app-enforced restrictions with conditional access policies has been configured to limit or deny access to unmanaged devices.

When the output shows AllowFullAccess, it means that our conditional access policies are not restricting access to SharePoint sites by default, unless we apply a Sensitivity Label to them. This is the expected output, unless the setting has been modified in the past.

Make sure that the global setting is set to be less restrictive then what u define in your Sensitivity Labels. Otherwise, the labels will not enforce more restrictive access controls.

To change the setting back to AllowFullAccess, use the following cmdlet;

Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess

Configure Conditional Access Policy

Let me first explain the function of the Conditional Access policy we’re about to set up. This policy will apply to users that sign-in to SharePoint Online, but the restrictions will only take effect, if all of the following conditions are met;

  • The user tries to access data from a specific SharePoint site.
  • The SharePoint site has a label with limited web-only access controls.
  • The user is working from an unmanaged device.

If the restrictions take effect, users will not be able to download attachments, print or sync files, or access files through desktop apps such as Microsoft Office.

Now that you know what the policy does lets configure it by following these steps;

  1. Go to Microsoft Entra admin center and navigate to Protect and Secure > Conditional Access
  2. Go to Policies.
  3. Click on the + New Policy, to create a new Conditional Access Policy.
  1. Configure the Conditional Access Policy as described in the table below.
Name Give the policy a name that fits your company’s naming convention.
Users Select a group of users to apply the policy to.
Cloud apps or actions Select the SharePoint Online cloud app.
Conditions {empty}
Grant {empty}
Session Select the Use app enforced restrictions setting.

You can safely turn on the policy now because the app enforced restrictions will not take effect until we start applying Sensitivity Labels to SharePoint sites or Microsoft team sites.

Configure Sensitivity Label policy

Next, we are going to create a Sensitivity Label policy, this way we can decide who is able to label sites or teams.

Follow these steps to configure the Sensitivity Label policy;

  1. Go to Microsoft Purview (former Compliance Admin Center) and navigate to Solutions > Information Protection.
  2. Go to the Labels policies page.
  3. Click on Publish label, to create a new label policy.

Optional: If you already have existing label policies, you can also add your newly created label to one of them.

  1. Click on Choose sensitivity labels to publish.
  2. Select your newly created sensitivity label. (My example: Limited web-only access for unmanaged devices)
  3. Click Add.
  4. Click Next twice. (Skip the Admin units page)
  1. Click on Choose user or group and select the desired users, or alternatively leave the setting on All to include all users.

Note: If it’s part of your governance strategy to let users create sites and teams themselves, you are probably going to need to push these labels to all (or most) users. If only admins or key-users are allowed to create sites and teams then u can publish them to a specific group.

  1. Click Next twice. (skip the Settings page)

Optional: If you want, you have the option to set the newly created label as the default label or you can require users to apply a label to their groups or sites. These options are better used when dealing with multiple labels under a label policy, so i wouldn’t recommend using these if your goal is to label the sites yourself.

  1. Click Next.
  1. Enter a Name for your policy.

Optional: Enter a Description for your policy.

  1. Click Next and Submit to create the Sensitivity Label policy.

Now that policy has been created, users can apply labels when creating a site or team. Please note that it can up to 24 hours for labels to show up so you need to be patient.

Apply label to sites (as an admin)

If you as an admin want to label existing teams or sites, it is required for you to have one of the following roles or permissions assigned;

  • SharePoint Administrator role; to be able to label sites from the SharePoint Admin Center.
  • Teams Administrator role; to be able to label teams from the Microsoft Teams Admin Center.
  • Site Admin permission; to be able to label an individual site from the SharePoint site information settings.

Follow these steps to apply the label by using the SharePoint Admin Center.

  1. Go to the SharePoint Admin Center and navigate to Sites > Active Sites.
  2. Select the Site.
  3. Click on Edit.
  1. Go to Settings.
  2. Select the newly created label.
  3. Click Save.

We can also use PowerShell to apply labels to multiple sites at once, which can be a more efficient method than applying labels to sites one by one.

Apply label to sites (as an user)

If a user is assigned to the sensitivity label policy, they are able to apply labels. However, it is important to note that the creation of sites and the creation of teams must not be restricted for users, or they won’t be able to create sites or teams at all.

When creating a new team from Microsoft Teams, the user will be able to select the new Sensitivity Label.

When creating a new site from SharePoint, the user will be able to select the new Sensitivity Label.

User Experience

If we take a look at the team site after applying the label, we will notice a yellow bar at the top of the page indicating that our site is now protected, and users are not able to download, print, or sync using unmanaged devices.

Users attempting to access the content from a desktop app, such as MS Word, on an unmanaged device will be unable to access these resources.

How to use Sensitivity Labels to configure limited web-only access for unmanaged devices

About the author

Myron Helgering:


Would you like to share your thoughts?

Your email address will not be published. Required fields are marked *

Leave a Reply