Call4Cloud

The Fellowship Of Group Labelling

Labelling your data with sensitivity labels is the way to go. Confidential data within your organization needs to be labelled with a proper sensitivity label. You can do this manually or automatically.

But there is more, labelling your teams/Microsoft 365 groups itself is the next best thing. There are 3 options you can define when setting up your Sensitivity group labels.

  1. Setting your team privacy
  2. Allowing external users
  3. Non-compliant settings: You shall not pass(block access), full access and limited access)

You can create multiple labels with group settings. Each with its own settings. Go create a new team! You’ll notice you have the option to choose a sensitivity label. That’s nice because it’ll create a new team with all the predefined settings.

The PowerShell method!

First, we have to enable the possibility to define the label group settings:

##enable azure mip labels##
Import-Module AzureADPreview
Connect-AzureAD
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Let’s fire up PowerShell again to create 6 types of team/group labels.

#Teams/Groep labels aanmaken
new-label -displayname "Teams_Label_Highly_Confidential" -name "Teams_Label_Option1" -comment "With this label, you will create a new Private Team. You can not add external users and there will be no access from non compliant devices." -tooltip "Private`nGuest access: Disabled`nNon compliant Access: Disabled" 
set-label -identity "Teams_Label_option1" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"false"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option1" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"false"},{"Key":"blockaccess","Value":"true"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_Confidential" -name "Teams_Label_Option2" -comment "With this label, you will create a new Private Team. You can not add external users and there will be limited access from non compliant devices." -tooltip "Private`nGuest access: Disabled`nNon compliant Access: Limited" 
set-label -identity "Teams_Label_option2" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"false"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option2" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"true"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_Low_Confidential" -name "Teams_Label_Option3" -comment "With this label, you will create a new Private Team. You can add external users and there will be limited access from non compliant devices." -tooltip "Private`nGuest access: Enabled`nNon compliant Access: Limited"  
set-label -identity "Teams_Label_option3" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"true"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option3" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"True"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_General_Confidential" -name "Teams_Label_Option4" -comment "With this label, you will create a new Public Team. You can not add external users and there will be limited access from non compliant devices." -tooltip "Public`nGuest access: Disabled`nNon compliant Access: Limited" 
set-label -identity "Teams_Label_option4" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"public"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"false"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option4" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"true"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_General" -name "Teams_Label_option5" -comment "With this label, you will create a new Public Team. You can add external users and there will be limited access from non compliant devices." -tooltip "Public`nGuest access: Enabled`nNon compliant Access: Limited" 
set-label -identity "Teams_Label_option5" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"public"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"true"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option5" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"true"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_Public" -name "Teams_Label_Option6" -comment "With this label, you will create a new Public Team. You can add external users and users have access from non compliant devices." -tooltip "Public`nGuest access: Enabled`nNon compliant Access: Full Access"
set-label -identity "Teams_Label_option6" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"public"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"true"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option6" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"true"},{"Key":"allowlimitedaccess","Value":"false"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

Did you examine the JSON’s? You have got an option to enable: allowaccesstoguestusers. It’s off by default. I did not find this option in the GUI. When enabling it, you will notice a summary when you edit the label.

Conclusion:

Using sensitivity labels to protect your confidential data is the best practice. With the possibility to label your teams, it creates a new protection barrier. And with these 6 labels, it’ll save you some time when you are creating a new team. Please beware, it does not label the data itself just the overarching Team or group.

Leave a Reply

Your email address will not be published. Required fields are marked *

7  +  2  =