Labels for Groups, Teams, SharePoint, and Planner
Microsoft announced at the Ignite 2019 conference that they were bringing Office 365 sensitivity labels to Office 365 Groups. The update will affect apps depending on groups like Teams, SharePoint Online, and Planner.
Today, sensitivity labels can apply visual markings and rights-management based encryption to documents and messages. Microsoft is expanding the set of properties managed for labels through the Security and Compliance Center to include a set specially for Groups. The new set includes the access type (private or public) for the group and if it supports guest users.
The Effect on Group Creation
Once published to users in a label policy, they can only create new groups based on the settings in the policy. If two or three labels are in the policy, users can select from those labels, and the settings for the selected label like access type are assigned to the new group.
It’s important to note that the classification property assigned to a group is unaffected by a sensitivity label. The classification for a group is a text-only visual marking to show the kind of content contained in the group. It has no affect on how the group works unless you write some PowerShell to apply settings based on the classification.
All the dependent apps, like Teams and SharePoint Online, are being updated to show when a sensitivity label is assigned to the underlying group. Teams already synchronizes the classification assigned to a group to any private channels and will also synchronize the sensitivity label to ensure that everything has the same label.
Labels Aren’t Stamped on Group Contents
Although Groups pick up settings from a sensitivity label, the data stored in a group are unaffected by the visual marking or protection settings in the label. In other words, if you create a new conversation in a group or add a new document to the SharePoint Online site belonging to the group, the sensitivity label is not assigned to the item, so it will not be marked with a header and/or footer or encrypted as defined in the label properties. That capability is likely to come in the future, but for now, sensitivity labels are being used as container markings rather than being applied to the individual items within the containers. Expect this to happen in the future.
No Retrospective Labels
It’s also the case that Office 365 only applies label settings to new groups. Microsoft says that they might provide some PowerShell scripts to retrospectively assign labels to old groups, but there’s no certainty on this point. Even if Microsoft doesn’t, the script is likely to be easily written as a call to Get-UnifiedGroup to find old groups (or, for better performance, to Get-Recipient) followed by running Set-UnifiedGroup to assign an available label to each group. Some care is needed in writing such a script to ensure that the right label is stamped on groups, but as they say, “it’s only a matter of programming.”
Public Preview Soon
The public preview of sensitivity labels for Office 365 Groups is likely to begin in about two weeks after the necessary updates roll out for Teams, Planner, SharePoint Online, and other affected apps. An update to the Exchange Online PowerShell module is also needed to allow labels to be manipulated for groups.
We’ll keep an eye on developments in this space and will report on what happens in due course.
For more information about the topics of Office 365 Groups and Sensitivity Labels, look no further than the comprehensive coverage in the Office 365 for IT Pros eBook. We really get this stuff!