The Fellowship Of Group Labeling

Labelling your data with sensitivity labels is the way to go. Confidential data within your organization needs to be labelled with a proper sensitivity label. You can do this manually or automatically.

But there is more: labelling your teams/Microsoft 365 groups themselves is the next best thing. There are 3 options you can define when setting up your sensitivity group labels.

  1. Setting your team privacy
  2. Allowing external users
  3. Access from non-compliant devices: You shall not pass (block access), full access or limited access

You can create multiple labels with group settings, each with its own settings. Go create a new team! You’ll notice you have the option to choose a sensitivity label. That’s nice, because the new team is created with all the predefined settings.

The PowerShell method!

First, we have to enable the possibility to define the label group settings:

##enable azure mip labels##
Import-Module AzureADPreview
Connect-AzureAD
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Let’s fire up PowerShell again to create 6 types of team/group labels.

#Create Teams/group labels
new-label -displayname "Teams_Label_Highly_Confidential" -name "Teams_Label_Option1" -comment "With this label, you will create a new Private Team. You can not add external users and there will be no access from non compliant devices." -tooltip "Private`nGuest access: Disabled`nNon compliant Access: Disabled" 
set-label -identity "Teams_Label_option1" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"false"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option1" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"false"},{"Key":"blockaccess","Value":"true"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_Confidential" -name "Teams_Label_Option2" -comment "With this label, you will create a new Private Team. You can not add external users and there will be limited access from non compliant devices." -tooltip "Private`nGuest access: Disabled`nNon compliant Access: Limited" 
set-label -identity "Teams_Label_option2" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"false"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option2" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"true"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_Low_Confidential" -name "Teams_Label_Option3" -comment "With this label, you will create a new Private Team. You can add external users and there will be limited access from non compliant devices." -tooltip "Private`nGuest access: Enabled`nNon compliant Access: Limited"  
set-label -identity "Teams_Label_option3" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"true"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option3" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"True"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_General_Confidential" -name "Teams_Label_Option4" -comment "With this label, you will create a new Public Team. You can not add external users and there will be limited access from non compliant devices." -tooltip "Public`nGuest access: Disabled`nNon compliant Access: Limited" 
set-label -identity "Teams_Label_option4" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"public"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"false"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option4" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"true"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_General" -name "Teams_Label_option5" -comment "With this label, you will create a new Public Team. You can add external users and there will be limited access from non compliant devices." -tooltip "Public`nGuest access: Enabled`nNon compliant Access: Limited" 
set-label -identity "Teams_Label_option5" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"public"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"true"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option5" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"true"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

new-label -displayname "Teams_Label_Public" -name "Teams_Label_Option6" -comment "With this label, you will create a new Public Team. You can add external users and users have access from non compliant devices." -tooltip "Public`nGuest access: Enabled`nNon compliant Access: Full Access"
set-label -identity "Teams_Label_option6" -labelactions '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"public"},{"Key":"allowemailfromguestusers","Value":"false"},{"Key":"allowaccesstoguestusers","Value":"true"},{"Key":"disabled","Value":"false"}]}'
set-label -identity "Teams_Label_option6" -labelactions '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"true"},{"Key":"allowlimitedaccess","Value":"false"},{"Key":"blockaccess","Value":"false"},{"Key":"disabled","Value":"false"}]}'

Did you examine the JSON? There is an option you can enable: allowaccesstoguestusers. It’s off by default. I did not find this option in the GUI. When enabling it, you will notice a summary when you edit the label.
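To review what a label's JSON actually enforces, the following added example (not code from the original post) parses the action strings and flags labels where the site action is missing or where not exactly one device access mode is enabled. The function name Get-GroupLabelSummary and the Sample_Conflicting label are hypothetical, and reading the strings from Get-Label in a tenant is an assumption.

```powershell
# Added example. The JSON strings are constructed samples in the shape of the
# -labelactions values above; Sample_Conflicting is deliberately inconsistent.
# Assumption: in a tenant, read them from (Get-Label -Identity <name>).LabelActions.
$SampleLabels = [ordered]@{
    'Teams_Label_Option1' = @(
        '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowaccesstoguestusers","Value":"false"}]}',
        '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"false"},{"Key":"blockaccess","Value":"true"}]}'
    )
    'Teams_Label_Option3' = @(
        '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"private"},{"Key":"allowaccesstoguestusers","Value":"true"}]}',
        '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"false"},{"Key":"allowlimitedaccess","Value":"True"},{"Key":"blockaccess","Value":"false"}]}'
    )
    'Sample_Conflicting' = @(
        '{"Type":"protectgroup","Settings":[{"Key":"privacy","Value":"public"},{"Key":"allowaccesstoguestusers","Value":"true"}]}',
        '{"Type":"protectsite","SubType":null,"Settings":[{"Key":"allowfullaccess","Value":"true"},{"Key":"allowlimitedaccess","Value":"false"},{"Key":"blockaccess","Value":"true"}]}'
    )
}

function Get-GroupLabelSummary {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $LabelActions
    )
    # One Key/Value lookup per action type (hashtable keys are case-insensitive).
    $byType = @{ protectgroup = @{}; protectsite = @{} }
    foreach ($json in $LabelActions) {
        $action = $json | ConvertFrom-Json
        if (-not $byType.ContainsKey($action.Type)) { continue }  # other action types
        foreach ($s in $action.Settings) { $byType[$action.Type][$s.Key] = "$($s.Value)" }
    }
    $group = $byType['protectgroup']
    $site  = $byType['protectsite']
    # Exactly one device access mode should be 'true' (-eq ignores case).
    $modes = @('allowfullaccess', 'allowlimitedaccess', 'blockaccess' |
        Where-Object { $site[$_] -eq 'true' })
    $findings = @()
    if ($group.Count -eq 0) { $findings += 'no protectgroup action' }
    if ($site.Count -eq 0) {
        $findings += 'no protectsite action'
    } elseif ($modes.Count -ne 1) {
        $findings += "$($modes.Count) device access modes enabled"
    }
    [pscustomobject]@{
        Label        = $Name
        Privacy      = $group['privacy']
        GuestAccess  = $group['allowaccesstoguestusers'] -eq 'true'
        DeviceAccess = $modes -join ','
        Findings     = $findings -join '; '
    }
}

$SampleLabels.GetEnumerator() | ForEach-Object {
    Get-GroupLabelSummary -Name $_.Key -LabelActions $_.Value
} | Format-Table -AutoSize
```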

Conclusion:

Using sensitivity labels to protect your confidential data is best practice. The ability to label your teams adds a new protection barrier. And with these 6 labels, you’ll save some time when you are creating a new team. Please be aware: it does not label the data itself, just the overarching team or group.
