Azure AD Premium Licenses Needed to Manage SharePoint Sites with Sensitivity Labels
Very Useful Sensitivity Labels
Microsoft has steadily been building out the ability of sensitivity labels to manage different aspects of containers (teams, groups, and sites). The latest addition is the ability to control the external sharing capability for SharePoint Online team sites (Figure 1).
Although it is great to see sensitivity labels become a more useful and powerful management tool, what’s not so good is Microsoft’s decision to require Azure AD Premium P1 licenses when sensitivity labels are used for management of SharePoint Online sites.
Leaking the News
Microsoft said precisely zero about licensing while they developed the initial container management capabilities covering aspects like guest access and privacy. The penny dropped when they included some text in MC225614 (Figure 2), the Office 365 notification covering labels and external sharing capability. An easily-missed and unhighlighted sentence brings the news that: “Capability to apply sensitivity labels to a team and SharePoint site is included with Microsoft 365 E3 and Office 365 E3 plus Azure Active Directory (Azure AD) Premium P1 and above.”
In other words, the accounts of administrators who apply sensitivity labels with container settings to group-based SharePoint Online team sites must have Azure AD Premium P1 licenses. Licenses are not needed to apply sensitivity labels to other types of SharePoint sites, such as hub and communication sites, because the container management settings in the labels can’t apply to those sites: they aren’t linked to Microsoft 365 groups.
This was the first public assertion by Microsoft that container management with sensitivity labels creates the need for additional licenses. The point isn’t covered in Microsoft’s online documentation covering sensitivity labels and container management.
Example of Poor Customer Communications
Including news about a new licensing requirement in a sentence buried in an Office 365 notification is hardly a great example of good customer communications. Even the most dedicated tenant administrator is likely to overlook details in the middle of one of the flood of change notifications posted to tenants weekly, especially when the text doesn’t make it absolutely clear that an extra license might be needed.
The additional information link takes you to the documentation about using sensitivity labels for container management, which includes a link to Microsoft 365 licensing guidance for security and compliance. There’s no mention in that page about licenses needed for container management. Diving into the uber-PDF eye chart for Microsoft 365 compliance licensing, we find a tiny footnote (number 7) saying that Azure AD Premium P1 is required to “apply sensitivity labels manually for SharePoint sites, Teams, and Microsoft 365 Groups.” As ever, Microsoft compliance licensing tends to confuse rather than clarify.
The Logic for Premium Licensing
Microsoft is perfectly at liberty to charge what the market will bear for its software. No doubt, they will argue that:
- Sensitivity labels with container management settings automate the application of controls to sites and therefore make it easier for an organization to protect its most sensitive documents.
- Sensitivity labels replace the old text-based classifications, which also attract Azure AD Premium P1 licenses if a default classification is applied to Microsoft 365 Groups. The decision to demand premium licensing to apply a simple text-based visual marking to groups was odd when Microsoft set the rule in 2016. It makes no more sense today. In any case, we’re not discussing a default classification because multiple sensitivity labels can be used to manage sites.
- Other automation capabilities (such as auto-label policies) across the Microsoft 365 compliance suite imply premium licenses.
To avoid the need for premium licenses, organizations can automate the assignment of the same controls imposed by sensitivity labels by managing site settings through custom PowerShell code. This isn’t hard to do, but it’s much more convenient when sensitivity labels are used.
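As an added illustration of that approach (not code from the article or from Microsoft), the script below applies an external sharing setting to group-connected team sites from a site-to-tier mapping and only changes sites that have drifted. The tier names, site URLs and admin URL are constructed placeholders; the cmdlets come from the SharePoint Online management module.

```powershell
# Added example. Tier names, site URLs and the admin URL are constructed placeholders.
# Requires the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin rights.
Import-Module Microsoft.Online.SharePoint.PowerShell

# Hypothetical tiers mapped to SharingCapability values accepted by Set-SPOSite.
$TierSharing = @{
    'Confidential' = 'Disabled'                         # no external sharing
    'Internal'     = 'ExistingExternalUserSharingOnly'  # only guests already in the directory
    'General'      = 'ExternalUserSharingOnly'          # new and existing guests
}

# Constructed assignment of sites to tiers; in practice this could come from a CSV.
$SiteTiers = @{
    'https://contoso.sharepoint.com/sites/ProjectAlpha' = 'Confidential'
    'https://contoso.sharepoint.com/sites/Finance'      = 'Internal'
    'https://contoso.sharepoint.com/sites/Marketing'    = 'General'
}

function Set-SiteSharingFromTier {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$SiteTiers,
        [Parameter(Mandatory)][hashtable]$TierSharing
    )
    foreach ($url in $SiteTiers.Keys) {
        $tier = $SiteTiers[$url]
        if (-not $TierSharing.ContainsKey($tier)) {
            Write-Warning "Unknown tier '$tier' for $url; skipped"
            continue
        }
        $site = Get-SPOSite -Identity $url -ErrorAction Stop
        # Label container settings only cover group-connected team sites, so match that scope.
        if ($site.Template -ne 'GROUP#0') {
            Write-Warning "$url is not a group-connected team site; skipped"
            continue
        }
        $wanted = $TierSharing[$tier]
        if ("$($site.SharingCapability)" -eq $wanted) { continue }  # already compliant
        if ($PSCmdlet.ShouldProcess($url, "Set SharingCapability to $wanted")) {
            Set-SPOSite -Identity $url -SharingCapability $wanted
        }
        # Report every drifted site, including when run with -WhatIf.
        [pscustomobject]@{ Url = $url; Tier = $tier; Was = $site.SharingCapability; Target = $wanted }
    }
}

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SiteSharingFromTier -SiteTiers $SiteTiers -TierSharing $TierSharing -WhatIf
```

Run it with `-WhatIf` first to list drifted sites without changing them, then remove the switch to enforce the settings.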
Sensitivity Labels Still Recommended
Flawed communications mean that Microsoft’s decision to charge for site management through sensitivity labels comes across as sneaking through an extra charge to impose on tenants. Even so, this takes away nothing from the value of sensitivity labels in helping organizations control their most important information. The decision will probably make little difference to most tenants who use sensitivity labels because they likely already have the necessary licenses for administrator accounts through Microsoft 365 or Enterprise Mobility and Security subscriptions which include Azure AD Premium P1.
The situation would be easier to understand had Microsoft communicated the rationale behind their call. Given all the problems Microsoft had in communicating the need for Azure AD Premium licenses for Microsoft 365 Groups, it’s a pity to see the same mistakes happen.