Handling Sensitivity Label Mismatches in SharePoint Online

Sensitivity Label Support for SharePoint Online and OneDrive for Business

Microsoft recently made support for sensitivity labels in SharePoint Online and OneDrive for Business generally available. This is an important step forward because it allows SharePoint to index protected content, which then makes that content available to Data Loss Prevention policies, content searches, and so on.

The integration of sensitivity labels with SharePoint Online is optional and must be enabled for a tenant on an opt-in basis, Afterwards, users can apply, remove, or change sensitivity labels to documents using the SharePoint Online and OneDrive for Business browser interface or through the Office Online apps.

Audit Events Captured

Events for these actions are captured by SharePoint Online and ingested along with other SharePoint events into the Office 365 audit log. These events are:

  • SensitivityLabelApplied: A label is applied to a SharePoint site.
  • FileSensitivityLabelApplied: An Office Online app applies a label to an Office document.
  • FileSensitivityLabelChanged: An Office Online app changed a label (upgrade or downgrade).
  • FileSensitivityLabelRemoved: An Office Online app removed a label from a file.
  • DocumentSensitivityMismatchDetected: A mismatch is detected because the sensitivity label applied to a document is higher than the level of sensitivity applied to the site where the document is stored. For instance, the site is labeled “Confidential” and a user uploads a document assigned the “Super Confidential” label to the site.

Currently, no events are captured when users apply sensitivity labels through other interfaces like Outlook or OWA.

Sensitivity Label Mismatch Notifications

When a mismatch occurs, SharePoint Online captures an audit record, and sends an Incompatible sensitivity label detected email notification to the person who uploaded the document. The notification contains details of the document which caused the problem and the label assigned to the document and to the site (Figure 1). It’s up to the person as to what action they take to resolve the issue. Given that they uploaded the document, they should know its true sensitivity.

SharePoint Online detects a sensitivity label mismatch
Figure 1: SharePoint Online detects a sensitivity label mismatch

It’s entirely possible that it’s OK to store a highly sensitive document in a site labelled with a lower level of sensitivity. Labels created to protect highly sensitive content usually restrict rights to interact with documents to a limited set of users, so some people with access to the site might not be able to access a document assigned with a highly sensitive label. It’s good practice to only store documents in sites that are accessible to all members of the site unless good reasons exist to restrict access to some documents to a subset of site members.

One slight problem is that if the site is group-enabled, the notification also goes to the email address of the Microsoft 365 group for delivery to the group mailbox. If the group is Yammer-enabled or Teams-enabled, this doesn’t do much good because the members of these groups are unlikely to ever see the message. In any case, the site owners should receive and deal with the notification.

Mastering the detail of what happens inside Office 365 is important for tenant administrators. Shouldn’t you subscribe to the Office 365 for IT Pros eBook?

One Reply to “Handling Sensitivity Label Mismatches in SharePoint Online”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.