Use the Microsoft Graph PowerShell SDK to Find and Remove Labels from Files
A recent LinkedIn post by MVP Zak Hepler caught my attention because it raised the question of how to remove sensitivity labels from files after the labels had been applied in error. This is an easy task to handle manually if only a few files are involved. It’s a lot harder (and more boring) once the number of files increases, such as when an incorrect label is chosen to be the default label for a document library.
The suggested remedy is to use the OneDrive sync client to synchronize the affected files from SharePoint Online to local copies on the PC. Once local copies are available, the Azure Information Protection (AIP) PowerShell module can be used to make an account a super-user (full control over all labelled files) and use that account to remove the labels. The OneDrive sync client then copies the updated files back to SharePoint Online and all is well.
The SharePoint Unlock-SPOSensitivityLabelEncryptedFile Cmdlet
I don’t like the idea of granting super-user powers to a user account. At one point, it was the only remedy for dealing with encrypted files in scenarios like tenant-to-tenant migrations. If we were still in 2020, I’d use the AIP option.
The Unlock-SPOSensitivityLabelEncryptedFile cmdlet removed the need to work against local copies by decrypting files stored in SharePoint Online. Powerful utilities can be created by combining the cmdlet with Microsoft Graph APIs to navigate sites to find files to process.
Full Graph Access
Microsoft was slow to create Graph APIs to interact with sensitivity labels. The APIs eventually emerged in 2023. Extracting sensitivity label information from a file is free, but assigning sensitivity labels to files is a metered API, which means that you pay a small amount via an Azure subscription for requests made to update sensitivity labels on SharePoint Online and OneDrive for Business files. My theory is that Microsoft made the API metered to stop people from writing automated processes to label files at scale because this would remove a reason for tenants to buy Microsoft 365 E5 licenses.
In any case, I describe how to use the metered API in one article and how to do the same job with the Set-MgDriveItemSensitivityLabel cmdlet from the Microsoft Graph PowerShell SDK in another. I published a script at the time to show how to use the cmdlet but never included a facility to remove sensitivity labels from files.
As it happens, it’s easy to remove a sensitivity label with the Set-MgDriveItemSensitivityLabel cmdlet because all that’s necessary is to pass an empty string in place of the sensitivity label identifier normally used to assign a label.
I’ve updated the script in the Office 365 for IT Pros GitHub repository to include the ability to remove labels. Instead of entering the name of a sensitivity label as the new label to apply to target files, use “Remove.” The Graph will do the rest. The code works against both SharePoint Online and OneDrive for Business.
Some issues will always have to be dealt with no matter what tool you use. For instance, files protected by sensitivity labels with user-defined permissions cannot be processed by the Graph APIs (Figure 1). Even though Microsoft recently added the ability for sensitivity labels with user-defined permissions to be the default for document libraries, they remain a rarity.
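The following sketch is an added example, not the script from the GitHub repository. It shows the empty-string removal described above, limited to files that carry one specific label, with failures (such as labels with user-defined permissions) reported rather than stopping the run. The function name, the placeholder identifiers, and the `privileged` assignment method are assumptions of this example, as is a Graph session already connected with an app enabled for metered APIs.

```powershell
# Added example, not the script from the GitHub repository.
# Assumes Connect-MgGraph has already run with an app that is enabled for metered
# Graph APIs and holds Sites.ReadWrite.All or Files.ReadWrite.All.
function Remove-MislabeledFileLabel {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DriveId,       # document library (drive) to scan
        [Parameter(Mandatory)][string]$WrongLabelId,  # GUID of the label applied in error
        [string]$FolderId = 'root'                    # folder to start from
    )
    $Body = @{
        sensitivityLabelId = ''            # empty string removes the label
        assignmentMethod   = 'privileged'  # assumption: administrator-style override
        justificationText  = 'Label applied in error'
    }
    foreach ($Item in Get-MgDriveItemChild -DriveId $DriveId -DriveItemId $FolderId -All) {
        if ($null -ne $Item.Folder.ChildCount) {
            # Folder: recurse (an active -WhatIf preference carries into the nested call)
            Remove-MislabeledFileLabel -DriveId $DriveId -WrongLabelId $WrongLabelId -FolderId $Item.Id
            continue
        }
        $Status = 'Skipped (different or no label)'
        try {
            # Reading the current label is the unmetered call
            $Found = Invoke-MgExtractDriveItemSensitivityLabel -DriveId $DriveId -DriveItemId $Item.Id -ErrorAction Stop
            if ($Found.Labels.SensitivityLabelId -contains $WrongLabelId) {
                if ($PSCmdlet.ShouldProcess($Item.Name, 'Remove sensitivity label')) {
                    # Metered call: only made for files that carry the wrong label
                    Set-MgDriveItemSensitivityLabel -DriveId $DriveId -DriveItemId $Item.Id -BodyParameter $Body -ErrorAction Stop | Out-Null
                    $Status = 'Removal requested'
                } else { $Status = 'Would remove' }
            }
        } catch {
            # For example: unsupported file type or a label with user-defined permissions
            $Status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ File = $Item.Name; ItemId = $Item.Id; Status = $Status }
    }
}

# Dry run first, then rerun without -WhatIf (placeholder identifiers)
Remove-MislabeledFileLabel -DriveId '<drive-id>' -WrongLabelId '<label-guid>' -WhatIf
```

Keeping the output objects gives a record of which files were changed, skipped, or failed that can be compared with the audit log afterwards.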

Reasons for Using the Graph
Some might ask why the Graph option is preferable. After all, using a metered API costs money ($0.00185 US per API call), but this is not usually a big problem unless the number of files to process is very large. In any case, when you need a tool to reverse a problem caused by incorrect labeling, spending a few dollars isn’t a big deal. I prefer using the Graph APIs because the actions taken are logged in the Microsoft 365 audit log as FileSensitivityLabelApplied and FileSensitivityLabelRemoved operations.
Using super-user privilege to remove sensitivity labels from synchronized local copies of files will work, and it’s cheaper than having to use a metered API, but will your compliance people be happy?