Teams Real Simple with Pictures: Using Sensitivity Labels to regulate the privacy and guest access of a Team

This blog is part of a series on Teams. For more articles, check back often. 

Written: 10/12/2019 | Updated: N/A

We have previously explored applying DLP and Supervision policies to a Team. We will now look at applying Sensitivity Labels – currently in Public Preview. By definition, Sensitivity Labels allow Teams admins to regulate access to sensitive organizational content created during collaboration within teams. In other words, they can keep a Team private (removing the ability to set it as public), block guests from being added and block the Team from being accessed from unmanaged devices. They can be set at a tenant level by the admin once the label has been created (via Azure) or easily applied by the owner when creating the Team. It gives administrators more control over their Teams in that users cannot simply join Teams and owners cannot simply add guests who are not authorised to access their content. It’s another layer of protection which should be added in any Teams roll-out. It’s also an answer for blocking guest access on a Team by Team basis.

WHY WOULD WE DO IT?

  • For regulating access to sensitive content
  • For blocking guest access on a Team by Team basis

PREREQUISITES

Global administrator permissions to enable the preview, then a role (e.g. Security/Global Admin) which can create sensitivity labels in the Microsoft 365 Admin centre. Through prior testing it is also recommended that guest access is enabled in the Teams Admin Centre before attempting this. An Office/Microsoft 365 plan which contains Azure AD P1 licences is required.

HOW

This guide will assume that the Azure PowerShell module is not installed and the preview has not been enabled. Also note this functionality is currently in public preview; if any bugs are experienced, please raise them with Microsoft Support. To set expectations, once the sensitivity label has been published in a policy it could be 24 hours before teams with sensitivity labels can be created (in my case it was more like 36) – even after the sensitivity label appeared as an option when creating the Team.

1.) Run Windows PowerShell as Administrator

2.) Install the Azure PowerShell module using the command

Install-Module -Name Az -AllowClobber -Scope CurrentUser

3.) Select Yes (Y) or Yes to All (A). The module will be installed from the PowerShell Gallery

4.) Use the command Connect-AzAccount and connect with a Global Administrator account

5.) Run the following script (and sign in again) to enable the preview

# These cmdlets come from the AzureAD module (not the Az module installed in step 2),
# so that module must also be present: Install-Module AzureAD
Connect-AzureAD

# Look up the tenant-wide Group.Unified directory setting, if one already exists
$setting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
if ($setting -eq $null)
{
    # No setting yet: create one from the Group.Unified template and enable MIP labels
    $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
    $setting = $template.CreateDirectorySetting()
    $setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else
{
    # Setting already exists: just flip the EnableMIPLabels value and save it
    $setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

6.) Successful execution will be confirmed

7.) Log in to https://login.microsoftonline.com

8.) Select Admin

9.) Select Compliance from the left-hand nav

10.) Select Information Protection from the left-hand nav, then Create a label

11.) At this point, per the supporting documentation, it’s important to note that only the site and group settings take effect when you apply a label to a team, group, or site. Other settings, such as encryption and content marking, aren’t applied to all content within the team, group, or site. If a label is created and the site and group settings are not turned on, the label will still be available but it won’t do anything when users apply it.

Enter the name for the label, the tooltip and the description, then select Next

12.) Bypass Encryption, Content Marking and Endpoint DLP, selecting Next on each page

13.) On the Site and group settings page, turn the settings on, set the privacy and uncheck that owners are allowed to add guests. The access policy for unmanaged devices can also be set.

  • Privacy (Public/Private): Private means only approved members in your organization can see what’s inside the group. Anyone else in your organization can’t see what’s in the group.
  • Guest access: Control whether guests can be added to a group.
  • Unmanaged devices: Block or limit access to SharePoint content from devices that aren’t hybrid AD joined or compliant in Intune. If you select Unmanaged devices, you need to go to Azure AD to finish setting up the policy.

Select Next

14.) Bypass Auto-labeling and, on the review of the settings, select Submit. The label is now created.

15.) Select the label, then Publish Labels

16.) Select Next

17.) Select the users or groups to publish to and select Next

18.) Skip the policy settings and select Next

19.) Set a name for the policy (recommended to be the same as the label), then select Next

20.) Review and Submit. The label is now published with a label policy.

Our job here is done.

Once propagation has completed (as said previously, this can take up to 24 hours and in my case more like 36), log in as the user, select Join or create a team, then Create a team, then Build a team from scratch

Select the created Sensitivity Label. Only a Private Team can be created.

Once the Team is created, the label is visible on the Team

Guest adds are greyed out and do not search externally, whether trying to add through Add Members or through the Team settings

All is showing as it should in Azure AD

Sensitivity can be edited via Azure AD as above or by editing the Team. Again, to reiterate, I would expect 24 hours or more for the change to take effect. Changes and removal of the label should show in the top right-hand corner of the Team. In the case of removal this should return to the org default.
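
For admins who want to check the result from the Azure AD side rather than by clicking through each Team, the following added script (not part of the original post) confirms that the EnableMIPLabels preview switch from step 5 is on and then lists every Microsoft 365 group with its privacy and effective AllowToAddGuests value. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the per-group Group.Unified.Guest lookup is an assumption that a group-level override exists only where guest adding has been restricted for that group.

```powershell
# Added audit example, not from the original post. Assumes Connect-AzureAD has been run.

# 1. Confirm the tenant-level Group.Unified setting has EnableMIPLabels = True
$unified = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($null -eq $unified) {
    Write-Warning "No Group.Unified directory setting exists; the preview has not been enabled."
} else {
    $mip = ($unified.Values | Where-Object { $_.Name -eq "EnableMIPLabels" }).Value
    Write-Host "EnableMIPLabels = $mip"
}

# Tenant-wide default for adding guests, used when a group carries no override
$tenantAllowGuests = "True"
if ($null -ne $unified) {
    $v = ($unified.Values | Where-Object { $_.Name -eq "AllowToAddGuests" }).Value
    if ($v) { $tenantAllowGuests = $v }
}

# 2. For every Microsoft 365 (Unified) group, report privacy and the guest-add policy
Get-AzureADMSGroup -All $true -Filter "groupTypes/any(c:c eq 'Unified')" | ForEach-Object {
    $group = $_
    # Assumption: a Group.Unified.Guest object setting is only present where guest adding
    # has been restricted for this specific group; otherwise the tenant default applies.
    $guestSetting = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
    $allowGuests = $tenantAllowGuests
    if ($guestSetting) {
        $allowGuests = ($guestSetting.Values | Where-Object { $_.Name -eq "AllowToAddGuests" }).Value
    }
    [PSCustomObject]@{
        Team             = $group.DisplayName
        Privacy          = $group.Visibility
        AllowToAddGuests = $allowGuests
    }
} | Sort-Object Privacy, Team | Format-Table -AutoSize
```

A Team that received the label should appear as Private with AllowToAddGuests False once propagation has finished; anything still showing Public or True is worth a second look.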

AREAS OF DEVELOPMENT

As this is a public preview feature, it isn’t the finished article. Trying to anticipate what will probably be the biggest asks, they will be:

  • Seeing the sensitivity in the Teams Admin Centre: Can only see classification so far, so would be good to see sensitivity here

  • Being able to filter sensitivities in the Teams Admin Centre: In addition to being able to see sensitivities, being able to filter them if there are multiple labels

  • Being able to report on Sensitivities: In the analytics

  • Default Sensitivity in Teams Policies: Ability to set a default sensitivity