How to Apply Sensitivity Labels to Microsoft Teams

Turning on sensitivity labels for teams gives organizations peace of mind when users create their teams to collaborate.

Published: Jan 21, 2025

Teams Logo Hero

SHARE ARTICLE

Microsoft launched Microsoft Teams in March 2016 as a real-time team collaboration tool. Since then, it has seen substantial adoption inside Microsoft and outside. According to a recent Microsoft announcement, Teams has 270 million monthly active users, and 3 million organisations use it. With Teams sensitivity labels, managing sensitive data has become easier for administrators.

That is a lot of sensitive data being used and added to Teams. This number will grow fast with additional features such as video calls, audio calls, chat, document sharing, etc.

Therefore, an administrator might want more control to help protect their corporate assets, and the easiest way to do this is through teams sensitivity labels.

What are sensitivity labels?

Sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organisation’s data while ensuring that users can remain productive, and it does not hinder their ability to collaborate. You can provide protection settings with teams sensitivity labels, including encryption and content marking. Administrators can apply sensitivity labels to files, emails, groups, and sites.

Sensitivity labels encrypt the content by applying a “Highly Confidential” label to a document or email, and a watermark is applied. Several types of content markings, including headers, footers, and watermarks, and encryption can also limit what authorised people can do with the content.

Sensitivity label applied to a Word document
Figure 1: Sensitivity label applied to a Word document (Image Credit: Kat Beedim/Petri.com)

Sensitivity labels are part of Azure Information Protection Plan 1 and Plan 2. Manual labelling is available in Azure Information Protection Plan 1. Manual labelling requires a user to interact with and label sensitive content.

Plan 2 includes automatic labelling, which will automatically apply labels based on what sensitive info type is in the content. Check out Ru Campbell’s article Understanding Microsoft Information Protection for more information on sensitive info types.

Sensitivity labels for Microsoft Teams

Microsoft Teams admins can use sensitivity labels to protect and restrict access to sensitive organisational content created during collaboration within Teams. You can then apply these labels to teams in your organisation after configuring sensitivity labels and associated policies in the Microsoft Purview compliance portal.

When applied during team creation, a sensitivity label can be created and configured that allows users to create teams with specific privacy settings (public or private).

For example, you create and publish a sensitivity label named “Highly Confidential”, which has the privacy option. Therefore, teams with this label must be private.

You can also use sensitivity labels to control guest access to your teams. If you set a label not allowing guest access, only your organisation’s users can access teams created under this label. External users cannot join these teams.

Planning for sensitivity labels

You can configure sensitivity labels for your organisation in just a few steps using:

However, before configuring sensitivity labels, it is critical to plan to decide which labels your organisation needs and the protection policies you want to apply.

It is best to keep things simple when determining the initial rollout of sensitivity labels. It is important to remember that we protect based on a general audience while configuring sensitivity labels with permissions.

Before creating and deploying a label, we must know the users/groups and permission levels. You can create labels for the highest-level use cases we know the organisation will encounter to tailor more specific labels after users become comfortable with the fundamental concepts.

Ideally, group-based labelling is run separately for an initial rollout of sensitivity labels, again to ensure simplifying the rollout and minimising potentially disruptive change.

Once you have a strategy for sensitivity labels applied to files and emails, you can then look to apply labels to groups and sites.

How to create sensitivity labels for Microsoft Teams

Let’s create a sensitivity label for Teams.

Figure 2: Create a new Teams sensitivity label in Microsoft Teams Compliance portal
Figure 2: Create a new Teams sensitivity label in Microsoft Teams Compliance portal (Image Credit: Kat Bedim/Petri.com)

The sensitivity labels you create in your admin centre appear on the Labels page under the Sensitivity tab.

An essential aspect of this list is the order of the labels, as it indicates priority. You want the most restrictive sensitivity label, such as Highly Confidential, at the bottom of the list and the least restrictive one, such as Public, at the top.

Give your sensitivity label a simple name to help users understand what the label will do and how they should use it. Then define the scope for your label.

  • To apply sensitivity labels to Teams, make sure Groups & Sites are selected.
image 35
Figure 3: Define scope for new sensitivity label in Compliance admin centre

You can apply sensitivity labels to Files and Emails. If you have selected this option, you can configure the encryption and content marking policies. If your organisation is not already using sensitivity labels, you will need to assign sensitivity labels to Microsoft 365 groups in Entra ID.

In this article, we will focus on the policies for Groups and Sites. In the protection policies, you can control the level of access that internal and external users have to the labelled Team and the external sharing.

  • First, choose the privacy level, determining the level of access internal and external users have to the Team.
Figure 4: Defining protection policies in new sensitivity label
Figure 4: Defining protection policies in new sensitivity label (Image Credit: Kat Beedim/Petri.com)

When a user creates a team, and this label is applied, the settings you define in this policy will replace any existing settings for the team.

You can also limit the ability for external users to be added to a team with this label by unticking the External user access option.

Next, you need to define the external sharing access.

  • Here you can configure who can share SharePoint content with external collaborators and decide whether users can access any sites labelled from an unmanaged device.
Figure 5: Define sharing settings in new sensitivity label
Figure 5: Define sharing settings in new sensitivity label (Image Credit: Kat Beedim/Petri.com)

Applying the sensitivity label to groups means the label applies to Teams and SharePoint sites.

When users log into the site on an unmanaged device, they are only allowed limited web access. They cannot download or print any files from that site. In this scenario, you control the level of access a user must protect SharePoint sites.

  • Once you create the label, it needs to be published. Select the label and click publish label.
image 38
Figure 6: List of sensitivity labels in Compliance centre

You can publish labels to all users or a specific group of users. You can also configure some settings, requiring a justification if a user wants to remove a label or lower its classification.

Figure 7: Policy settings when publishing sensitivity label
Figure 7: Policy settings when publishing sensitivity label (Image Credit: Kat Beedim/Petri.com)

You can then choose the default label for sites and groups or turn on mandatory labels meaning a user will be required to apply a label to their newly created team.

Labels can take up to 24 hours to publish.

The result – what happens after you have configured sensitivity labels for Microsoft Teams

Once you have configured sensitivity labels for Teams, when a user creates a new team and selects the Confidential label, the only privacy option available to the user is Private. Other privacy options, such as Public and Org-wide, are not available for the user to select.

Figure 8: Sensitivity label applied to a new team
Figure 8: Sensitivity label applied to a new team (Image Credit: Kat Beedim/Petri.com)

Once labelled, the Team will only be accessible to the owner and members.

After the user creates the team, the label is visible in the top-right hand corner as shown below.

Figure 9: Label on upper-corner of new team
Figure 9: Label on upper-corner of new team (Image Credit: Kat Beedim/Petri.com)

A team owner can edit the sensitivity label by editing the team, but if you have decided to require a justification, they will be required to fill in a comment box with why they are changing the label.

Turning on sensitivity labels for teams gives organizations peace of mind when users create their teams to collaborate. Any sensitive information in a labelled team can only be accessed by those who should access it.

Because we have configured protection settings on unmanaged devices, when users access the labelled SharePoint site on an unmanaged device, they cannot print or download the files. A SharePoint policy tip notifies the user to inform them they cannot print or download.

Figure 10: Limited access to SharePoint site for user on unmanaged device
Figure 10: Limited access to SharePoint site for user on unmanaged device (Image Credit: Kat Beedim/Petri.com)

Limitations of sensitivity labels in Microsoft Teams

There are some limitations to sensitivity labels. Private channels inherit the sensitivity label of the team. The same label will automatically tag the SharePoint site collections with private channels.

However, if a user changes to a sensitivity label in a SharePoint site, the change is not reflected in the Teams client. As a result, users in private channels continue to see the original sensitivity label applied to the Team.

The Team and SharePoint site sensitivity label also does not label all the files it contains; it only controls the privacy level and external access.

Summary

Microsoft Teams admins can use sensitivity labels applied at the container level to protect and regulate the access to content created within their teams while collaborating. Additionally, since you can apply labels at the team level, blanket restrictions may not be necessary, which may negatively impact adoption and result in users going to other tools not approved by management.

Sensitivity labels are a simple, straightforward way for your organisation to ensure adherence to your security policies. To reduce your IT team’s workload, sensitivity labels can be created by your central IT team or offloaded to others within your company.

Many organisations already have the licensing to begin using sensitivity labels. Any organisation licensed with Enterprise Mobility + Security (EM+S) or Microsoft 365 Enterprise or Business Premium uses sensitivity labels to Teams and SharePoint sites. So, it’s worth making use of the investment whilst also ensuring your data is classified and protected.

SHARE ARTICLE