New Sensitivity Labels Setting Controls SharePoint Site Sharing Permissions

Advanced Setting Manipulated by PowerShell

For the last year, Microsoft has steadily added to the ability of sensitivity labels to manage different aspects of SharePoint Online sites. Possibly because of a desire not to clutter up sensitivity label settings in the GUI, the developers chose to manage the settings via PowerShell. Adding to the ability to manage the external sharing capability and default link settings, administrators can now control site sharing permissions (a preview feature) via a new advanced sensitivity label setting.

In the SharePoint Online browser interface, this option is available through Site Permissions – Site Sharing (Figure 1).

Figure 1: Site sharing permissions for a SharePoint Online site

It’s possible to set site sharing permissions to block all but site owners with PowerShell by running the Set-SPOSite cmdlet with the DisableSharingForNonOwners switch. For example:

Set-SPOSite -Identity <SiteUrl> -DisableSharingForNonOwners

However, the Set-SPOSite cmdlet doesn’t allow administrators to enable site sharing for non-owners. It’s a simple one-way off switch: it cannot be reversed, and it cannot set site sharing permissions to the option where only site owners can share the site. The new capability for sensitivity labels delivers a way to address these shortcomings, but only for sites assigned sensitivity labels with the advanced setting defined.

Available Site Sharing Permissions

Three site sharing permissions settings are available (the descriptions are from the GUI shown in Figure 1):

  • MemberShareAll: Site owners and members can share files, folders, and the site. People with edit permissions can share files and folders. This is usually the default setting assigned to new sites.
  • MemberShareFileAndFolder: Site owners and members, and people with edit permissions, can share files and folders, but only the site owners can share the site.
  • MemberShareNone: Only site owners can share files, folders, and the site.

Updating the Site Sharing Permission

To assign a new site sharing permission, connect to the compliance endpoint by first connecting to Exchange Online (Connect-ExchangeOnline cmdlet) and then running the Connect-IPPSSession cmdlet. You then have access to the compliance cmdlets and can run the Set-Label cmdlet to update the MembersCanShare advanced setting. For example:

Set-Label -Identity 'General Access' -AdvancedSettings @{MembersCanShare= 'MemberShareFileAndFolder'}

To ensure that the update worked, run the Get-Label cmdlet:

Get-Label -Identity "General Access" | Select-Object -ExpandProperty Settings

[contenttype, Site, UnifiedGroup]
[tooltip, General access to information in a team, group, or site that's available to anyone in the organization plus guest members.]
[displayname, General Access]
[memberscanshare, MemberShareFileAndFolder]

Note that the Get-Label cmdlet only lists advanced settings that apply to a sensitivity label. For instance, the external sharing capability setting doesn’t appear here because it is not set for the General Access label.
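
As an added example (not part of the original article), the following function parses the Settings output shown above and reports the MembersCanShare value for each label, flagging site-scoped labels where the setting is absent or holds a value other than the three listed earlier. The function name Get-LabelSharingSetting and the sample labels are constructed for illustration, and the code assumes each Settings entry renders as "[key, value]".

```powershell
# Added example; not from the original article.
$ValidValues = 'MemberShareAll', 'MemberShareFileAndFolder', 'MemberShareNone'

function Get-LabelSharingSetting {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Label
    )
    process {
        $settings = @{}
        foreach ($entry in $Label.Settings) {
            # Assumption: entries render as "[key, value]". Split on the first
            # comma only, because values such as tooltips contain commas.
            if ([string]$entry -match '^\[(?<key>[^,]+),\s*(?<value>.*)\]$') {
                $settings[$Matches['key'].Trim().ToLower()] = $Matches['value'].Trim()
            }
        }
        $value = $settings['memberscanshare']
        if ([string]$settings['contenttype'] -notmatch 'Site') {
            $status = 'NotSiteLabel'      # label is not scoped to sites
        } elseif (-not $value) {
            $status = 'NotSet'            # advanced setting absent from this label
        } elseif ($value -in $ValidValues) {
            $status = 'OK'
        } else {
            $status = 'UnknownValue'      # not one of the three documented values
        }
        [pscustomobject]@{
            Label           = $Label.DisplayName
            MembersCanShare = $value
            Status          = $status
        }
    }
}

# Constructed sample objects shaped like Get-Label output, so this runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'General Access'; Settings = @(
        '[contenttype, Site, UnifiedGroup]', '[displayname, General Access]',
        '[memberscanshare, MemberShareFileAndFolder]') }
    [pscustomobject]@{ DisplayName = 'Constructed Typo Label'; Settings = @(
        '[contenttype, Site, UnifiedGroup]', '[memberscanshare, MemberShareFiles]') }
    [pscustomobject]@{ DisplayName = 'Constructed Unset Label'; Settings = @(
        '[contenttype, Site, UnifiedGroup]') }
)
$sample | Get-LabelSharingSetting | Format-Table -AutoSize

# Against a tenant, after Connect-IPPSSession:
# Get-Label | Get-LabelSharingSetting | Where-Object Status -ne 'NotSiteLabel'
```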

Wait and Verify

The new label setting must propagate to SharePoint Online before it applies to the sites assigned the sensitivity label. The synchronization process usually takes about 24 hours, but it can take longer. After waiting for a day or so, to verify that the change worked, select a site with the sensitivity label you updated and check its site sharing permissions. Because we selected ‘MemberShareFileAndFolder’ as the value for the setting, you should see permissions as shown in Figure 2.

Figure 2: Site sharing permission set by a sensitivity label

If the permission doesn’t show up as expected, check that the label settings are correct and wait another day before checking again. If nothing budges after a week, it’s time to seek assistance from Microsoft Support.

GUI Updates Take Time

Some will ask why Microsoft doesn’t expose advanced sensitivity label settings in the (now renamed) Microsoft Purview compliance portal. After all, many settings are managed through sensitivity labels in the GUI, including external sharing capability (Figure 3). This setting was originally only settable through PowerShell.

Figure 3: Configuring site external sharing capability as a sensitivity label setting

Although I don’t know for sure, I suspect that the answer is “development time.” In other words, after a new sensitivity label setting becomes generally available, extra development effort is necessary to update the GUI and make sure that everything works as it should. Patience is a virtue…


3 Replies to “New Sensitivity Labels Setting Controls SharePoint Site Sharing Permissions”

  1. I wonder if this feature has changed since you wrote this article? By looking at the picture under Wait and verify, it appears as if memberscanshare-setting sets a default value which can be changed afterwards. When I tested now, the Site Sharing setting becomes tied to the Label, options are grayed out with message “Sharing permissions are managed by your organization.”
    I'd rather have it set a default value which Owners may change, and from an Admin perspective I would use this feature to change default from being MemberShareAll.

    1. It’s entirely possible that Microsoft changed the details of the implementation since I wrote about it. I’ll try and get some time to look into this more deeply, but probably not until next week.
