In June this year I wrote an article about: Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions, the article explains how you can use Azure AD Conditional Access to restrict downloading and printing within SharePoint Online/OneDrive and Outlook Web Access (OWA). Within that article we used a global setting, where the App Enforced Restrictions are applicable to all SharePoint and OneDrive sites.

But what if you want more granularity and want to decide on a per SharePoint site basis whether or not these App Enforced Restrictions should be applicable?

Luckily there are options, this article will explain the options possible.

 

This option is explained in the following article: Control access from unmanaged devices, the article explains that by using PowerShell you can limit access by using the Set-SPOSite commandlet.

Set-SPOSite -Identity https://<SPO URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess

When using this option, you must remove the global setting, since setting another setting on a subsite only works when its less restrictive. If you would for example set the global policy to “Allow limited, web-only access” and use the Set-SPOSite commandlet to set the Conditional Access Policy for a specific site to “Allow full access from desktop apps, mobile apps, and the web” using the AllowFullAccess parameter, the access will still be limited. If however you would set the Conditional Access Policy for a specific site to “Block Access” using the BlockAccess parameter, the access to the site will be blocked.

Access denied

Using this method, has major disadvantages, since you have to execute the necessary PowerShell command for each SharePoint and OneDrive after its created. This can easily be forgotten and can lead to inconsistency

There is far more to tell when it comes to Sensitivity labels then explained in this blogpost. For this blogpost we are going to make use of Sensitivity labels for contains, which can be used to define certain settings when creating a Teams or SharePoint environment.

By using sensitivity labels for containers we can control the following settings:

  • Privacy and external user access settings
    • Use the label to determine whether the site privacy is set to Public, Private or None
    • Define whether Microsoft 365 Group owners can add Guest users to the group
  • Device access and external sharing settings
    • You can determine if external sharing settings already on the site will be replaced or respected
    • You can determine the access from unmanaged devices (same options as on global level – Full, Limited and Block)

So by defining Sensitivity labels for contains we can actually determine the access from unmanaged devices setting that will be used when the Conditional Access policy which enforces the App Enforced Restrictions will be hit.

The settings of this policy is explained in my article: “Conditional Access demystified: My recommended default set of policies“, the name of the policy providing this functionality is called: “CAD006-O365: Session block download on unmanaged device when All users when Browser-v1.0”

CAD006-0365: Session block download on unmanaged device when All users when Browser-vl .0 Users All Users Except AAD AA AAD AA Assignments Cloud Apps Office 365 Conditions Client Apps: Browser Device state: All except Device marked as Compliant Grant Access Controls Session forced strictions ConAcc-BreakgIass CAD006-ExcIude

Conditional Access policy for App Enforced Restrictions

After creating the sensitivity labels you can use them for each new Teams/SharePoint site created, and based on the defined Sensitivity label the correct access from unmanaged devices setting will be applied.

This is not a perfect solution, since it will not solve the issue for all SharePoint sites already created, and you still have to build a solution for OneDrive sites which are created automatically and do not have the option to define a “default” sensitivity label at creation.

Let’s go a little bit more into detail in how to build this from scratch, let’s walk through the steps.

Step 1: Enable sensitivity labels for containers

By default, support for sensitivity labels for containers is not enabled, you can easily determine this by creating a new sensitivity label or by trying to modify an existing one. If the option to select Group & sites is greyed out, you first have to execute some steps to enable this functionality.

Groups & Sites option greyed out

The following procedure is explained in the following article: How to enable sensitivity labels for containers and synchronize labels and one of the first steps is to enable the feature to apply sensitivity labels to groups as explained in this article: Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory

The first thing we need to do, is to import the AzureADPreview module using the import-module AzureADPreview and connect using the Connect-AzureAD commandlet. Make sure that you use the Connect-AzureAD commandlet from the Azure AD Preview module by putting AzureADPreview in front of it. Once connected verify if group settings have been set for the Azure AD organization. If no group settings are applied, you’ll get the same error as in the picture below.

Administrator: Windows PowerSheII PS C: import - module AzureADPrevieea PS C: AzureADPreviewConnect-AzureAD c count admin@M365xIß2715.onmicrosoft . com ps Ssetting = -Value "Group.unified" - EQ).id Get - rectory-setting Cannot dint argument to parameter . Setting -Id (Get rectory-setting -Property Environment Tenant Id Azurecloud 126de6ea-ffb9-445e- Get -Az ureADDi rectorySett i ng TenantDomain Account T ype a91f-2d49eaf15ßde M365xIø2715.onmicrosoft . com User Id (Get-AzureADDirectorySetting I where Displa - Property 'It' it is null. + Categorylnfo + FullyQuaIifiedErrorId rectory-setting . In;.'slitüsts: (:) [Get-AzureADDi rectory-setting], PsrsmeterSintingVsIitstionExce;tion . ,microsoft . D;en . MSC-rs;hSets .C-et

Connect using the Azure AD Preview module

If this is the case you first have to create the settings, as explained in the following article: Azure Active Directory cmdlets for configuring group settings

ps C: Administrator: Windows PowerSheII 8d542b9-ø71f-4e16-94bø-74abb372e3d9 18ße-4586 Get-AzureADDirectorySettingTempIate Description Settings for a specific Unified Group bc7f74ß_ 898f1161-d651 8ß661d51- be2f aad39ß7d-1d1a 5cf42378-d67d 62375ab9- 6552 ffd5d46 -495d - adb6 - 38b2e9ß24e6b -4d46 -9713 -98a2fcaec5bc -448b - b3ef-7bf7f63db63b -4+36 - ba46 - e8b86229381d - 47 ed - 826b- -4ßa9 - 8e21-954ff55e198a ST emplateld = Di spl ayName Gnup. Unified . Guest Application Custom Policy Settings Prohibited Names Settings C: system32> Prohibited Names Restricted Settings . Password Rule Settings Group . Unified Consent Policy Settings (Get-AzureADDirectorySettingTempIate I where { S_.DispIayName -eq "Group Unified" ST ernplate = Get-AzureADDirectorySettingTempIate I where -Property Id -Value ST emplateld -EQ C: SSetting = ST emplate.CreateDirectorySetting() PS PS Ssettingc - "https://suideIine.insisht24 . nl " C: New-AzureADDirectorySetting -DirectorySetting SSetting DisplayName Templateld Values c7d92f4b-øø3f-45f7-b3bø- 531d5a5dfbab ps c: Ssetting.Va1ues 62375ab9-6b52-47ed-826b-58e47eøe3ß4b {class settingVa1ue f... Name EnableMIPLabeIs u stomaloc kedWordsList E n a a kedWords ClassificationDescriptions DefaultCIassification PrefixSuffixNami ngRequ i rement Al I owGu er Al IowGuestsToAccessGroups GuestlJsageGuideIineslJrI GroupCreationAI lowedGroupId Al I owTNddGu est s UsageGuideIineslJrI 'ClassificationList Enabl eGroupCreation Value False False False True True https://guideline.insight24.nl True

Create the Settings

After performing these steps, you can continue with enabling the Microsoft Information Protection labels functionality as shown in the figure below. You can see that the EnableMIPLabels value is set to True.

Administrator: Windows PowerSheII ps C: ssettins - Get-AzureADDirectorySetting Name -Value ps Ssetting.Va1ues (Get-AzureADDirectorySetting -DirectorySetting SSetting Khere Displa Name nabIeMIPLabeIs us orn oc e or s IS E n a bl a nda rd Bloc kedWords lassificationDescriptions efauItCIassification PrefixSuffixNami ngRequ i rement I owGu estsToaeGnupOwner IowGuestsToAccessGroups u estlJsageGuideIineslJrI roupCreationAI lowedGroupId Value False False False True True https://guideline.insight24.nl True I I owTNddGu est s sageGuideIineslJrI lassificationList Enabl eGroupCreation Name nabIeMIPLabeIs us orn oc e or s IS SSetting[ " ] Set - Az u reADDi rectorySetti ng SSetting.VaIues Id SSetting.Id E n a bl a nda kedWords lassificationDescriptions efauItCIassification PrefixSuffixNami ngRequ i rement I owGu estsToaeGnupOwner IowGuestsToAccessGroups u estlJsageGuideIineslJrI roupCreationAI lowedGroupId I I owTNddGu est s sageGuideIineslJrI lassificationList Enabl eGroupCreation Val ue True False False True True https://guideline.insight24.nl True

Enable MIP Labels

After this is done, you must synchronize your sensitivity labels to Azure AD. You can do this by connecting to Security & Compliance PowerShell using the Connect-IPPSSession commandlet

Administrator: Windows PowerSheII PS C: connect-IPPSSession RNIUG: Your connection has been redirected to the following LIRI: https : / / . ps . compl i . ection . ssage=true; PSVersion=5 . I .19ß41 .61B' PS C: Execute-AzureAdLabeISync

Sync the labels

Once finished, the end result should be that you are able to specify the “Groups & Sites” option when modifying an existing Sensitivity label or creating a new one.

Edit sensitivity label Name & description Scope C) Files & emails C) Groups & sites C) Azure Purview assets (preview) C) Finish Define the scope for this label Labels can be applied directly to files, emails, containers like SharePoint sites and Teams, and more. Let us know where you want this label to be used so you can configure the applicable protection settings. Learn more about label scopes Files & emails Configure encryption and content marking settings to protect labeled emails and Office files. Also define auto-labeling conditions to automatically apply this label to sensitive content in Office, files in Azure, and more. Groups & sites Configure privacy, access control, and other settings to protect labeled Teams, Microsoft 365 Groups, and SharePoint sites. Azure Purview assets (preview) Apply label to assets in Azure Purview, including SQL columns, files in Azure 810b Storage, and more. O To apply this label to Azure Purview assets, you must first turn on labeling for Azure Purview. You can do this from the Labels page. Learn more about labeling for Azure Purview Back Next Cancel Need help? Give feedback

Option Groups & Sites available

Step 2: Create or Modify your Sensitivity Labels

So, now that we have the functionality available, we can define our settings. In this blogpost I used the following settings

Sensitivity label settings for Groups & Sites

Below is a slideshow of configuring the Groups & Sites setting of my Confidential label

So now that the labels have been created, you will have the Sensitivity label options available when creating SharePoint and Teams environments as detailed in the slideshow below.

Note: It can take a while before you are able to use the sensitivity labels.

So, now that we have configured the sensitivity labels, and can use them to create new Teams or SharePoint sites, how can we handle that our current Teams and SharePoint sites are labelled as well?

For this we need PowerShell, as explained in the following article: Use PowerShell to apply a sensitivity label to multiple sites

Make sure that you have connected to SharePoint Online and to the Security & Compliance Center PowerShell environments by using the Connect-SPOService and Connect-IPPSSession commandlets. Retrieve the GUID of the label that you want to apply to all your existing sites using the Get-Label |ft Name, Guid command. Make sure to put the ID in a variable and enumerate the SharePoint sites by using a generic string representing your tenant. In my case this is “M365x102715”

Administratar: Windows PowerSheII [GUIO] ( ps C: Sid PS Ssites = Get-sposite PS C: write-output Ssites -IncludePersonaISite Strue -Limit all -Fi Iter Own er "url -like https https https https https https https https https https https https https •https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https https : / /m36sx1e271S- my.sharepoint . christiec@m36SxIe271S.onmicroso... .sharepoint.com/sites/SharePointSite .sharepoint.com/sites/contosoteam .sharepoint.com/sites/GIobaIMarketing .sharepoint.com/sites/SalesAndMarketing -my.sharepoint.com/personal/admin_m36Sx18271S . sharepoint . com/sites/Communications . sharepoint . com/sites/Contoso -my.sharepoint.com/ -my.sharepoint.com/personal/alexw_m36SxIe271S .sharepoint.com/sites/GIobaISaIes .sharepoint.com/sites/Ieadership- connection .sharepoint.com/sites/operations .sharepoint.com/sites/salesbestpractices onmi c rosoft onmi c rosoft com com admin@m36sx1e2715 admin@m3ssx1e271S admin@m3ssx1e271S alexw@m36sx1e271S admin@m3ssx1e271S . onmi crosoft . com . onmi crosoft . com . onmi c m)soft . com . onmi crosoft . com . onmi c m)soft.com . onmi c m)soft . com .sharepoint.com/portals/hub . sharepoint . com/sites/askhr .sharepoint.com/ . sharepoi nt . com/sites/parentscfcontoso .sharepoint.com/sites/ReviewCenterForRetention .sharepoint.com/sites/ThePerspective .sharepoint.com/portals/Community .sharepoint.com/sites'CommerciaILending .sharepoint.com/sites/newemployeeonboarding .sharepoint.com/sites/benefits .sharepoint.com/sites/ceoconnection .sharepoint.com/sites/Contos03rand .sharepoint.com/sites/SOCTeam .sharepoint.com/sites/Ieadership .sharepoint.com/sites/contosolife .sharepoint.com/sites/ContosoWorks .sharepoint.com/sites/ContosoNews . sharepoi nt . com/sites/FlySafeConference .sharepoint.com/search .sharepoint.com/sites/safety .sharepoint.com/sites/Mark8ProiectTeam .sharepoint.com/sites/Salesplanning .sharepoint.com/sites/lJSSaIes - my . s h a repoi nt . com/persona I/ iohannaI_m36Sx1827 IS_onmi c rosoft.com .sharepoint.com/sites/give . sharepoint . com/sites/Retail . sharepoi nt . com/sites/droneproducttraining com .sharepoint.com/sites/RetaiIOperations .sharepoint.com/sites/pm)ductsupport .sharepoint.com/sites'Office36Sadoption .sharepoint.com/sites'DigitalInitiativePubIicReIations Iynner@m36Sx18271S.onmicrosoft . com diegos@m36SxIe271S.onmicm3soft . com admin@m36Sx18271S . onmi c m)soft . com adelev@m36SxIe271S.onmicrosoft . com pradeepg@m36SxIg271S . onmi admin@m36Sx18271S . onmi c m)soft . com irvins@m36SxIe271S.onmicrosoft.com debrab@m36SxIg271S . onmi c m)soft.com admin@m36SxIg271S . onmi c m)soft . com ionis@m36SxIg271S . onmi c m)soft.com alland@m36SxIg271S . onmi c m)soft.com pattif@m36SxIg271S . onmicm)soft.com nestorv@m36Sx18271S.onmicrosoft.. meganb@m36SxIe271S.onmicrosoft . com miriamg@m36SxIg271S . onmi cm)soft admin@m36SxIg271S . onmi c m)soft.com admin@m36SxIg271S . onmi c m)soft.com Ieeg@m36SxIg271S . onmi c m)soft . com admin@m36Sx1827 IS . onmi crosoft . com Iidiah@m36SxIe271S.onmicrosoft . com gradya@m36Sx18271S.onmicrosoft . com iohannaI@m36SxIe271S.onmicrosof... admin@m36Sx18271S . onmi c m)soft . com admin@m36Sx18271S.onmicrosoft . com isaiahI@m36SxIg271S.onmicrosoft... admin@m36SxIg271S . onmi c m)soft.com admin@m36Sx18271S . onmi c m)soft . com

Enumerate your SharePoint sites

Now that we have enumerated all SharePoint sites (including OneDrive sites) we can apply the label we want, In my case I have chosen to use the Confidential label, so that by default I provide limited access and can use the GUI to make exceptions.

Administratar: Windows PowerSheII ForEach-Object {Set- SPC'Tenant ps ssites . The + Ssites I ForEech-Object {Set-SPOTenent S_.url -SensitivityLEbeI S Id} Cetegorylnfo + FullyQuEIifiedErrorId PS C: : NotSpecified: (:) [Set -SPOT enant], ServerException . nicrosoft: .Sh±rePoint: . Client , nicrosoft:

Set the Sensitivity label

Apparently, you cannot set a sensitivity label on the MySite host, which is the https://m365x102715-my.sharepoint.com/ URL in my case. But this can be ignored.

The end result is that all the SharePoint sites, and OneDrive sites will have the Confidential sensitivity label applied on the container level

SharePoint sites overview

Keep in mind though that you have to create a procedure from now on to make sure that the Sensitivity label gets applied to newly created OneDrive sites. Unfortunately I haven’t found a way yet to set a default Sensitivity label for newly created OneDrive sites.

By using Sensitivity labels, we can provide more granularity when it comes to restricting access to SharePoint sites when leveraging the App Enforced Restrictions Conditional Access policy.

It’s pity though that we cannot set a default sensitivity label for newly created OneDrive sites, hopefully this features will show up somewhere in the future. I created a Uservoice item for this which can be found here: https://sharepoint.uservoice.com/forums/330318-sharepoint-administration/suggestions/42121057-provide-option-to-define-default-sensitivity-label

Control access from unmanaged devices – https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites – https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide#enable-this-preview-and-synchronize-labels

Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory – https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-labels

Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites – https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide

 

Previous articleAzure Logic App Api call save a file to Blob Storage
Next articleShareGate – 3 recommended updates: New file sharing experience in Microsoft Teams
avatar
I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studio's and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technlogy on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position i started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on but not limited to System Center design and implementation projects, besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center Related Classes (SCCM, SCOM and SCSM). In Januari 2010 I received the Microsoft MVP award with the expertise Setup & Deployment which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In october 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.