Find Out Where Users Get Sensitivity Labels From

Analyze Sensitivity Label Policies to See Who Gets What Labels

A question in the Microsoft Technical Community asked about the best method to find which sensitivity label policies are assigned to specific users. Vasil Michev weighed in to recommend using the information recorded by Exchange Online about inplace holds in user mailboxes and the organization configuration. The information includes entries for the policies which publish retention labels and sensitivity labels to users. Exchange Online and its clients use this data to figure out the precise set of labels available to users.

Checking In-Place Holds for Sensitivity Label Policies

As an example, these commands retrieve the in-place hold information applicable to all users from the organization configuration and the identifiers and display names for sensitivity label publishing policies. A match exists for policy 19200b9a-f084-4252-9be0-70dae2fd54d3, so we can say that all users receive the labels published by the General sensitivity policy.

Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds


Get-LabelPolicy | Format-Table Name, Guid

Name                        Guid
----                        ----
Eyes Only Policy            5de1c9f6-ca28-402a-81b7-89177755897b
Black Matter Policy         4f8ff12c-5665-4e45-b7bc-3e9fc1bbc91c
Container Management Labels fac260a8-1bc4-44bd-9735-7ab0072bcfc4
General sensitivity policy  19200b9a-f084-4252-9be0-70dae2fd54d3

However, that’s not the whole story because publishing policies can include per-user exclusions that block those users from being able to use labels published by policies targeted at all users.

Scripting a Solution to Reveal Policies that Publish Labels

Anyway, looking at lists of GUIDs is not a user-friendly way to figure out information about how users gain access to sensitivity labels. A different approach is to analyze the sensitivity label publishing policies to find what labels each policy publishes and the target users to figure out where the labels available to a specific user come from. The code below:

  • Defines the user to check.
  • Connects to Exchange Online and the compliance endpoint.
  • Fetches details of the sensitivity labels defined in the tenant and store them in a hash table to allow the script to resolve the label identifiers stored in policies to label names.
  • Fetches details of the sensitivity label publishing policies and sorts them so that the policy with highest priority is processed first.
  • For each policy, check if the user is targeted individually (as a named location) or because the policy covers all users.
  • Check if the policy excludes the user. Exclusion means that even if the policy covers all users, the specified user cannot see and use the sensitivity labels contained in the policy.
  • If the user is within the scope of a policy, the script fetches details of the sensitivity labels published by the policy and resolves the identifiers to display names.
  • Outputs the results.

Here’s the code:

If ($Null -eq (Get-ConnectionInformation)) {
$User = ""

Write-Host "Finding details of sensitivity labels and policies…"
Write-Host ""
# Get set of sensitivity labels in tenant
[array]$Labels = Get-Label
$LabelsHash = @{}
ForEach ($L in $Labels) { $LabelsHash.add([string]$L.ImmutableId,[string]$L.DisplayName) }

# Get policies in order of importance
[array]$Policies = Get-LabelPolicy | Where-Object {$_.Type -eq 'PublishedSensitivityLabel'} | Sort-Object Priority -Ascending

Clear-Host; Write-Host (“Checking {0} against sensitivity label policies…” -f $User)
Write-Host ""

ForEach ($Policy in $Policies) {
   $UserFound = $False
   [array]$LabelNames = $Null
   If ($User -in $Policy.ExchangeLocation.Name) {
      $UserFound = $True
   If ($Policy.ExchangeLocation.Name -eq "All") {
      $UserFound = $True
   If ($User -in $Policy.ExchangeLocationException.Name) {
       $UserFound = $False
       Write-Host ("User {0} blocked from labels published in policy {1}" -f $User, $Policy.Name) -foregroundcolor Red
   If ($UserFound) {
      ForEach ($Label in $Policy.ScopedLabels.Guid) {
         $LabelName = $LabelsHash[$Label]
         $LabelNames += $LabelName
           Write-Host ("Policy {0} (Priority {1}) gives {2} access to the labels {3}" -f $Policy.Name, $Policy.Priority, $User, ($LabelNames -join ", "), $Policy.Name) -Foregroundcolor Yellow
} # End ForEach Policy

Figure 1 shows the output. It’s a little more human-friendly than looking through lists of GUIDs.

The origin of Sensitivity labels reported for a user
Figure 1: The origin of Sensitivity labels reported for a user

PowerShell Knowledge Key

This discussion proves once again that there’s usually multiple ways to solve a problem in Microsoft 365. It also reinforces the worth of knowing how to use PowerShell to interact with system data. All in a day’s work…

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.