How to Find SharePoint Files with a Sensitivity Label

Posted on by Tony Redmond

Managed Properties Allow Users to Search SharePoint for Sensitivity Labels

Sensitivity labels are on a roll at present with new developments coming along at a fast rate. A small, but important, recent update is to the SharePoint Online schema to allow users to find files stored in SharePoint Online and OneDrive for Business that are assigned a specific sensitivity label.

Sensitivity labels are often used to protect documents containing confidential information. InformationProtectiondLabelId (Figure 1) is a managed property in the SharePoint schema that stores the GUID (identifier) for sensitivity labels applied to documents.

The InformationProtectionLabelId managed property in the SharePoint Online schema Search SharePoint with Sensitivity labels
Figure 1: The InformationProtectionLabelId managed property in the SharePoint Online schema

The presence of the managed property in the search schema means that you can search for documents stored in SharePoint Online and OneDrive for Business using the label identifier (GUID) of the sensitivity label assigned to documents. Figure 2 shows the result of a search using InformationProtectionLabelId:2fe7f66d-096a-469e-835f-595532b63560. The search results are trimmed so the user only sees documents they can access.

sing the InformationProtectionLabelId property to search for SharePoint documents Search SharePoint for sensitivity labels
Figure 2: Using the InformationProtectionLabelId property to search SharePoint for sensitivity labels

Although it’s absolutely the case that not everyone will know the GUID for a label (in this case, it’s the Public sensitivity label), I believe Microsoft is working on the ability to search by label name. For now, this facility is probably only useful to the curious who want to see what documents a label is applied to, or compliance administrators in Office 365 E3 tenants who can’t use the data classification content explorer in the Microsoft 365 compliance center.

Container Labels

Sensitivity labels can be applied to “containers”: Microsoft 365 Groups, Teams, and SharePoint Online sites. In this case, the labels don’t protect the data stored in the containers but are used for classification (visual marking) and to control the access type and guest access for the container. For example, applying the “Confidential” label to a container might change its access type to Private and restrict guess access.

You can also search SharePoint for labels assigned to sites. The trick here is to create a new managed property in the schema (I called it SiteSensitivityLabelId) that’s mapped to the crawled property ows_IpLabelId (Figure 3). The new property needs to be searchable, queryable, and retrievable.

Adding a new managed property to find labeled sites
Figure 3: Adding a new managed property to find labeled sites

After updating the schema, the search index will pick up the new property the next time the sites are processed by the crawler. To make sure this happens quickly, you can force SharePoint to reindex the site (under Search and Offline Availability in Site Settings). When reindexing completes, the site will turn up in search results (Figure 4).

Searching for sites with a sensitivity label
Figure 4: Searching for SharePoint Online sites managed with a sensitivity label

Again, this isn’t something that the average SharePoint user will probably do, but you never know when the feature might be useful to administrators who don’t want to use PowerShell to search for sites assigned a specific label.

The detail makes all the difference in many spheres of operations, and understanding detail like this is what the Office 365 for IT Pros eBook is all about. Subscribe today!

One Reply to “How to Find SharePoint Files with a Sensitivity Label”

  1. Pingback: Blocking Access to Sensitive Documents with Office 365 DLP Policies - Office 365 for IT Pros

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.