How Sensitivity Labels Control the External Sharing Capability of SharePoint Online Sites

Two Notifications Mark a Special Update

A feature so good that it requires two identical message center notifications must be worthwhile. Such is the case for the ability of sensitivity labels container management to control the external sharing capability of SharePoint Online team sites, as announced in MC244217 and MC244216 on March 12. Both point to Roadmap item 70735.

Information Protection and Container Management

Sensitivity labels can include settings for information protection and container management. Information protection usually means that the assignment of a label to an Office document, Azure Purview data (preview), Power BI objects, or other files will encrypt the target content using Microsoft Information Protection (rights management). Container management means that labels impose settings on a Microsoft 365 group, including the team or SharePoint team site belonging to the group. A single label can include both information protection and container management settings and is therefore applicable to both files and containers, or the scope of the label can be one or the other use. I favor a restricted label scope because I think it makes labels easier to manage.

Container Management Settings

When Microsoft first introduced the ability of sensitivity labels to control container settings, a limited number of controls were available. You can configure a label to:

  • Control access to the container to Azure B2B Collaboration guest accounts. Previously, this control over containers could only be set by updating the properties of the group with PowerShell. The options are to allow or block guest access.
  • Set the access to be public or private. If a label is not present, the group owner can decide whether the group is public (available to any tenant user) or private (restricted to the group membership).
  • Limit access to documents in a SharePoint when using unmanaged devices.

The set of available controls is useful and sensitivity labels are much better than the alternative (like text-based classifications), but Microsoft’s intention always was to expand the number of controls to make sensitivity labels a much more powerful policy-driven management method for containers. Adding control over the sharing capability for SharePoint sites is further evidence of their intent.

Controlling External Access to SharePoint Online Sites

Organizations often store confidential or sensitive documents in SharePoint sites. SharePoint Online supports four values for site sharing capability to control the degree of external sharing permitted for documents in a site:

  • Disabled – allow no external sharing outside the organization.
  • ExistingExternalUserSharingOnly – allow sharing only with the guest users already in your organization’s directory.
  • ExternalUserSharingOnly – allow users to share documents with new external users, who must accept the sharing invitations and go through an authentication process to create a guest account.
  • ExternalUserAndGuestSharing – allow sharing with all external users, and by using anonymous access links (Anyone links).

SharePoint Online administrators and site owners can set the sharing capability through:

  • The SharePoint Online admin center.
  • PowerShell, using the Set-SPOSite cmdlet to update the SharingCapability setting.
  • And now, by assigning a sensitivity label which has the external sharing control configured.

Remember that SharePoint Online won’t allow you to assign a less restrictive access to a site than allowed by the tenant sharing setting. In other words, if the tenant explicitly blocks anyone access for all sites, assigning anyone access through a label will have no effect.

Setting External Sharing Capability in a Sensitivity Label

When editing a sensitivity label, administrators can define what sharing capability is set when an owner or administrator assigns the label to a site (Figure 1).

Configuring SharePoint site sharing capability for a sensitivity label

Sensitivity labels container management
Figure 1: Configuring SharePoint site sharing capability for a sensitivity label

The Site Owner View

Not every site owner knows about admin tools, and a major benefit of controlling sharing capability with sensitivity labels is that it makes it easier for site owners to assign the appropriate level of sharing based on their knowledge of the content within the site. At least, that’s the theory, and a lot depends on the clarity of the names chosen for sensitivity labels. Ideally, the names should convey how sensitive the information stored in the site is (Figure 2).

Choosing a sensitivity label for a SharePoint Online site
Figure 2: Choosing a sensitivity label for a SharePoint Online site

Applying a sensitivity label to a group or team also applies it to the site and selecting a new sensitivity label for a site also applies it to the associated group and team.

PowerShell Support for Container Management

The PowerShell cmdlets to interact with sensitivity labels are available after connecting a session to the compliance endpoint. The easiest way to do this is to run the Connect-IPPSSession cmdlet from the Exchange Online management module.

Once connected, we can use the Get-Label cmdlet to find details of sensitivity labels and the Set-Label cmdlet to update their settings. For example, not all sensitivity labels are configured for container management, so to find the set of labels scoped for container management, run this code:

$Labels = Get-Label
ForEach ($Label in $Labels) {
   If ($Label.ContentType -match "Site, UnifiedGroup") {
   Write-Host "Label" $Label.DisplayName "has container actions" }

Label Non-business use has container actions
Label General Access has container actions
Label Guest Access has container actions
Label Limited Access has container actions
Label Confidential Access has container actions

As an example of how to use Set-Label, here are two examples of updating labels to set different sharing capabilities.

Set-Label -Identity Confidential -AdvancedSettings @{sharingcapability="ExistingExternalUserSharingOnly"}
Set-Label -Identity Secret -AdvancedSettings @{sharingcapability="Disabled"}

After applying a label with a sharing capability setting configured to a site, SharePoint updates its sharing capability. You can check that the settings have changed with the Get-SPOSite cmdlet:

Get-SPOSite -Identity "" | Select SharingCapability, SensitivityLabel

SharingCapability SensitivityLabel
----------------- ----------------
         Disabled 27451a5b-5823-4853-bcd4-2204d03ab477

Checking that Everything Works

Of course, it’s a good idea to check that the sharing capability set in a sensitivity label works after assigning the label to a site. Let’s assume that you assign a label which disables external sharing. The easy test is to see if sharing works. As Figure 3 shows, it is not allowed and you see one of SharePoint’s famous OSE errors.

Figure 3: SharePoint Online blocks an attempt to share a file with an external user

Being able to control external sharing for SharePoint sites is just the latest control for sensitivity labels. Microsoft plans more in the future. With this in mind, if you haven’t already started using sensitivity labels, perhaps now is a good time to make a start?

10 Replies to “How Sensitivity Labels Control the External Sharing Capability of SharePoint Online Sites”

  1. Hi Tony, do you know if it would be possible to set an automatic approval workflow, if a person of my company wants to change the sensitivity label? In the moment all documents are set to “only internal” per default. But our employees can change this manually, if they want to work with external persons. The management wishes to get informed and approve these changes.
    Do you have any idea if this is possible?
    Kind regards, Sophie

    1. Anything is possible with code. You can detect changes in sensitivity labels assigned to documents by monitoring events captured in the audit log and then generate email based on the audit events to management to advise them of the change. If the management disapprove of the change, you could run some code to revert the label to its original value.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.