In this blog post, I will guide you through the steps and share my experience on how to use Sensitivity Labels to configure limited web-only access for unmanaged devices.
If you’ve read my earlier blog post, you know that Conditional Access can also enforce web-only access for unmanaged devices. However, if you don’t want these restrictions to apply to all corporate data, and instead want to protect specific locations with sensitive or business-critical information, Sensitivity Labels could be the solution. Identifying which locations to protect may be a challenge, but Sensitivity Labels can help make these access controls more user-friendly and targeted.
This blog will include the following sections;
Let’s start off with some basic licensing requirements;
Most companies won’t have to worry about licensing as long as they have a Business Premium or M365 E3 subscription, as these subscriptions are sufficient to cover all the licensing requirements.
Then for some recommendations, I would like to ask you the following questions;
If you have any concerns about the above, I would recommend reading through at least some of my earlier blog. It includes more information on how to deal with these concerns and can provide you a better understanding of the topic.
To start off, we need to be able to apply Sensitivity Labels to containers such as Microsoft 365 groups, SharePoint sites and Microsoft Teams. After that we are going to synchronize the Sensitivity Labels with Azure AD. First, follow these steps to enable Sensitivity Label support for containers, if you haven’t already done so;
# Install and load the AzureADPreview module, then connect to the tenant
Install-Module AzureADPreview
Import-Module AzureADPreview
AzureADPreview\Connect-AzureAD
# Retrieve the tenant-wide Group.Unified directory setting and show its current values
$grpUnifiedSetting = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ)
$Setting = $grpUnifiedSetting
$grpUnifiedSetting.Values
If you see an empty screen, it means that group settings have not been created for the tenant yet. You can follow these steps to create them.
If Sensitivity Label support for containers has been enabled previously, PowerShell will output: “EnableMIPLabels = True”.
# Enable Sensitivity Label support for containers and write the setting back to the tenant
$Setting["EnableMIPLabels"] = "True"
$Setting.Values
Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
Now we’ll synchronize the Sensitivity Labels to AzureAD, so we are able to use them with Microsoft 365 Groups from Azure Active Directory (or Microsoft Entra).
Execute-AzureAdLabelSync
By turning on the feature, we are now ready to configure the Sensitivity Label.
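The steps above assume the Group.Unified settings already exist and that you read, change and write them back by hand. The following script is an added example (not the post’s own code) that does the same thing idempotently: it creates the group settings from the Group.Unified template when they are missing (using Get-AzureADDirectorySettingTemplate and New-AzureADDirectorySetting from the same AzureADPreview module) and only writes EnableMIPLabels when it is not already True, so it is safe to re-run. It assumes you have already connected with AzureADPreview\Connect-AzureAD.

```powershell
# Added example (not the post's own script): idempotently enable Sensitivity Label
# support for Microsoft 365 groups. Assumes the AzureADPreview module used in this
# post is loaded and you are connected with AzureADPreview\Connect-AzureAD.

function Get-GroupUnifiedSetting {
    # Look for the tenant's Group.Unified directory setting; $null when it does not exist yet.
    Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

$grpUnifiedSetting = Get-GroupUnifiedSetting

if (-not $grpUnifiedSetting) {
    # No group settings exist yet (the "empty screen" case): create them from the template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    $newSetting = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $newSetting | Out-Null
    $grpUnifiedSetting = Get-GroupUnifiedSetting
}

# Only write when the value is not already True, so re-running the script changes nothing.
if ($grpUnifiedSetting["EnableMIPLabels"] -ne "True") {
    $grpUnifiedSetting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $grpUnifiedSetting
    Write-Host "EnableMIPLabels has been set to True."
} else {
    Write-Host "EnableMIPLabels was already True; nothing changed."
}

# Read the setting back so the result can be verified rather than assumed.
(Get-GroupUnifiedSetting).Values | Where-Object { $_.Name -eq "EnableMIPLabels" }
```

After this script reports EnableMIPLabels = True, run Execute-AzureAdLabelSync as described above so the labels become available to Microsoft 365 Groups.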
Now on to the most important part of this blog which is configuring the Sensitivity Label. This label can be applied on specific SharePoint or team sites to enforce limited web-only access for unmanaged devices.
Follow these steps to configure the Sensitivity Label;
Optional: You can also choose to create a sub-label if you’re already using sensitivity labels.
Optional: Enter a Description for admins or Label color.
Do not apply the Sensitivity Label to SharePoint sites yet, we still need to perform some additional configuration.
Before we proceed further, let’s verify the status of our tenant-wide SharePoint Online access control setting first. Download and connect to the SharePoint Online Management Shell and use the following cmdlet;
Get-SPOTenant | Select-Object -ExpandProperty ConditionalAccessPolicy
When the output shows AllowLimitedAccess or BlockAccess, it means that the global setting for using app-enforced restrictions with conditional access policies has been configured to limit or deny access to unmanaged devices.
When the output shows AllowFullAccess, it means that our conditional access policies are not restricting access to SharePoint sites by default, unless we apply a Sensitivity Label to them. This is the expected output, unless the setting has been modified in the past.
Make sure that the global setting is less restrictive than what you define in your Sensitivity Labels. Otherwise, the labels will not enforce more restrictive access controls.
To change the setting back to AllowFullAccess, use the following cmdlet;
Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess
Let me first explain the function of the Conditional Access policy we’re about to set up. This policy will apply to users that sign in to SharePoint Online, but the restrictions will only take effect if all of the following conditions are met;
If the restrictions take effect, users will not be able to download attachments, print or sync files, or access files through desktop apps such as Microsoft Office.
Now that you know what the policy does, let’s configure it by following these steps;
Setting | Configuration
Name | Give the policy a name that fits your company’s naming convention.
Users | Select a group of users to apply the policy to.
Cloud apps or actions | Select the SharePoint Online cloud app.
Conditions | Leave empty.
Grant | Leave empty.
Session | Select the Use app enforced restrictions setting.
You can safely turn on the policy now because the app enforced restrictions will not take effect until we start applying Sensitivity Labels to SharePoint sites or Microsoft team sites.
Next, we are going to create a Sensitivity Label policy, this way we can decide who is able to label sites or teams.
Follow these steps to configure the Sensitivity Label policy;
Optional: If you already have existing label policies, you can also add your newly created label to one of them.
Note: If it’s part of your governance strategy to let users create sites and teams themselves, you are probably going to need to publish these labels to all (or most) users. If only admins or key users are allowed to create sites and teams, then you can publish them to a specific group.
Optional: If you want, you have the option to set the newly created label as the default label, or you can require users to apply a label to their groups or sites. These options are better used when dealing with multiple labels under a label policy, so I wouldn’t recommend using them if your goal is to label the sites yourself.
Optional: Enter a Description for your policy.
Now that the policy has been created, users can apply labels when creating a site or team. Please note that it can take up to 24 hours for labels to show up, so you need to be patient.
If you as an admin want to label existing teams or sites, it is required for you to have one of the following roles or permissions assigned;
Follow these steps to apply the label by using the SharePoint Admin Center.
We can also use PowerShell to apply labels to multiple sites at once, which can be a more efficient method than applying labels to sites one by one.
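The following script is an added example (not the post’s own code) of that bulk approach, and it also performs the check from the earlier section: it refuses to proceed unless the tenant-wide ConditionalAccessPolicy is still AllowFullAccess, because the label only adds restrictions when the global setting is less restrictive. It assumes you are connected with Connect-SPOService (SharePoint Online Management Shell) and Connect-IPPSSession (Security & Compliance PowerShell), that Get-Label exposes the label’s GUID in its Guid property, and that Set-SPOSite -SensitivityLabel takes that GUID. The label name and site URLs are constructed placeholders.

```powershell
# Added example (not the post's own script): apply one Sensitivity Label to several
# SharePoint sites at once, after checking the tenant-wide access control setting.
# Assumes Connect-SPOService and Connect-IPPSSession have already been run.

# Constructed placeholder values: replace with your own label name and site URLs.
$labelName = "Web-only access for unmanaged devices"
$siteUrls  = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Legal"
)

# Guard: labels only enforce extra restrictions when the global setting is less restrictive.
$globalPolicy = (Get-SPOTenant).ConditionalAccessPolicy
if ($globalPolicy -ne "AllowFullAccess") {
    throw "Tenant ConditionalAccessPolicy is '$globalPolicy'; expected AllowFullAccess before labelling sites."
}

# Resolve the display name to the label GUID; Set-SPOSite expects the GUID, not the name.
$label = Get-Label | Where-Object { $_.DisplayName -eq $labelName }
if (-not $label) {
    throw "Label '$labelName' was not found. Has it been published and synced yet?"
}
$labelId = $label.Guid   # assumption: Guid holds the label identifier used by SharePoint

foreach ($url in $siteUrls) {
    try {
        Set-SPOSite -Identity $url -SensitivityLabel $labelId -ErrorAction Stop
        # Read the site back so the script reports what is actually set, not what was requested.
        $applied = (Get-SPOSite -Identity $url).SensitivityLabel
        Write-Host ("{0}: label now {1}" -f $url, $applied)
    } catch {
        Write-Warning ("{0}: failed to apply label. {1}" -f $url, $_.Exception.Message)
    }
}
```

Reading each site back with Get-SPOSite after the change is deliberate: if the label was not yet synced or the site URL was wrong, the script reports it per site instead of silently continuing.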
If a user is assigned to the sensitivity label policy, they are able to apply labels. However, it is important to note that the creation of sites and the creation of teams must not be restricted for users, or they won’t be able to create sites or teams at all.
When creating a new team from Microsoft Teams, the user will be able to select the new Sensitivity Label.
When creating a new site from SharePoint, the user will be able to select the new Sensitivity Label.
If we take a look at the team site after applying the label, we will notice a yellow bar at the top of the page indicating that our site is now protected, and users are not able to download, print, or sync using unmanaged devices.
Users attempting to access the content from a desktop app, such as MS Word, on an unmanaged device will be unable to access these resources.