SharePoint Administrators Can’t Update Sensitivity Labels for Document Libraries

Posted on by Tony Redmond

No Good Reason why SharePoint Limits Administrator Access to Document Libraries

A reader asked if a programmatic method exists to set the default sensitivity label for a SharePoint Online document library. The simple answer is “yes,” because the only way initially available to set a default sensitivity label when the feature was in preview was to use the SharePoint REST API. Microsoft subsequently updated the SharePoint browser GUI to allow site owners to set a default sensitivity label for a document library.

Using the REST API still works, but my reader wanted something like a nice simple PowerShell cmdlet. Something like this would be nice:

Set-SpoSite -Identity $SiteURL -DocumentLibrary "Documents" -DefaultSensitivityLabel c29e68f9-bc4f-413b-a741-6db8e38ad1c6

The command would be nicer if you could pass the name of a sensitivity label, but the display names for sensitivity labels can be translated into multiple languages, which might cause some issues in multilingual tenants.

In any case, the Set-SPOSite cmdlet doesn’t support the functionality today and I haven’t heard of any plans to change in this area.

Reasonable to Allow Administrator Access to Some SharePoint Online User Data

I think it’s perfectly reasonable for SharePoint Online administrators to be able to update the default sensitivity labels for document libraries, especially because assigning a default sensitivity label incurs the requirement for Syntex-SharePoint advanced management licenses. An unwitting site owner could decide to assign a default sensitivity label to a document library (Figure 1) without realizing that the organization is now on the hook for some licenses, and that’s not a good thing. SharePoint administrators should be able to review, assign, and remove default sensitivity labels.

Adding a default sensitivity label to a document library incurs licensing costs Document libraries
Figure 1: Adding a default sensitivity label to a document library incurs licensing costs

But this stance goes against the general approach Microsoft takes to SharePoint Online administration which holds that administrators can operate at the site level but cannot interact with objects within the site. Apparently, a site can have up to 255 document libraries, all of which are invisible to SharePoint administrators unless they’re a member of the site.

I understand the perspective that drives the approach. Administrators shouldn’t have access to user data. However, while Exchange Online administrators can see the folders inside user and shared mailboxes and Teams administrators can remove user data such as chat threads. It’s also possible for administrators to analyze and report the tasks in Planner plans. And sometimes even SharePoint Online administrators can take action with user data, like removing the sensitivity label for protected files using the Unlock-SPOSensitivityLabelEncryptedFile cmdlet. Inconsistency is rife across the Microsoft 365 workloads.

Greater Flexibility Required

I’m not advocating for SharePoint Online administrators to be able to open and examine documents and other files held in document libraries. The ability to report the contents of document libraries is already possible, albeit with some effort. What I would like to see is greater access to document library settings through PowerShell or a Graph API (which means that PowerShell support becomes available through the Microsoft Graph PowerShell SDK). For instance, why shouldn’t an administrator be able to do this to create a simple listing of all files found in the document libraries for a site:

$DocumentLibraries = Get-SpoSite -Identity $SiteUrl -DocumentLibraries
ForEach ($DL in $DocumentLibraries) {
   $Documents = Get-SPODocumentLibrary -Identity $DL 
   ForEach ($Doc in $Documents) {
    Write-Host (“Document found {0} in folder {1}” -f $Doc.Title, $Doc.Folder)
  }
}

SharePoint Online is not the center of its own universe as is the case with on-premises SharePoint Server. SharePoint Online is a highly capable document management service that’s consumed by other Microsoft 365 workloads. As such, its administrative capabilities should be on a par with other workloads, and that means greater flexibility and access to the settings for document libraries. Being able to report, configure, and remove the default sensitivity label for a document library is just the start.

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.