Some might have noticed that although Microsoft Information Protection allows for a lot of auditing and activity tracking on documents and email, it kinda lacks on the container side. And where a user will need to justify the reason to downgrade a label, any Teams owner can do so at leisure.
That’s right. If you are a Teams owner and you are part of a label, then all container based labels in the policy can be selected. And you can therefor modify (or downgrade) these labels.
You could set-up a policy specifically aimed at Teams owners – put only one label in there and set this as the default, just to be sure. But this is cumbersome, cannot be used at scale or at-all. So you’re better of (for now) looking at the Azure AD audit-log, Microsoft 365 audit-log or Microsoft Cloud App Security activity logs.
The Azure AD audit-log contains a lot of information. This is great, as this will allow us to report on any changes to the labels. Select the Core Directory service and the Assign label to group activity. For example:
As you can see, I did some changing myself recently. However, the Azure AD log is normally not accessible to Microsoft 365 (Teams/SharePoint) admins. But you can also use the Office 365 audit-log.
However….. I dare you to find an activity named “label changed on site or Team”. That’s because it is not available. The way I see it, when a label is changed on a Teams environment or SharePoint site, it is removed and then applied or assigned again.
So in order to find any sites where the label was changed, you can simply look for any records of removed labels. Why not applied labels? Because then you would also see all newly added labels. I will admit that this is kinda weird – but it’s all we got at this moment 🙂
When using the audit-log you can also set-up alerts – although I still had to use the more classic Security & Compliance Center for this.
I hope this article make sense. I’m sure Microsoft will allow more auditing of container based labels in future. But until then, we will make the best of it 🙂