Thank you very much for this video. How do files with sensitivity labels applied to them behave when membership to the label is based on dynamic group? I have create a label and distributed it to a dynamic group. I have later tagged a word document with this label. At a later stage I also amended the dynamic group to include more users, however the new employees in the group never get access to the previous old word document. How does this work? I have waited a couple of days, still the behaviour is that new employees within the group still do not have access to old documents.
So you assigned the information rights management permissions on the file (like limiting printing) to a dynamic group? Then after adding a new user to that dynamic group, after a few days they are still unable to print or perform the actions assigned in IRM? I honestly haven't tried this yet, so I'm not 100%, but I haven't heard of any issues with this. I'll try to give it a try though and get back to you on that.
@@Ben_Stegink even if the dynamic group is used to give access to the complete file (co-owner), any new members of this dynamic group are not granted to past files with the same label. Same behaviour with static groups.
Hi team! Thanks for the great video. @Can you please tell me, I have already configured sensivity label the same as you. When I`am creating teams from scratch, the system automatically assign the sensivity label for private team. Is it ok? Is that mean, that now I can`t create Teams group without assigning the sensivity label?
Correct, once you set this up you will have to select a sensitivity label every time you create a Team. So if you don't want the one for the private team, you may also create a labels that is general, or something else for "non-private" Teams.
Hi, thanks for a good video. How does the labels apply on "Private Channels" created within the Team? -> Own SPO site different from the "mother" SPO site for Teams. Do we need to apply on SPO site afterwards or? Any tips around Private Channels and labels?
Niklas, Private channels actually inherit the sensitivity label from their parent team. It won't even allow you to go in and change the label in SharePoint for those site collections created via a private channel.
Excellent video Ben. Quick question I am unclear on. If I apply a sensitivity level to a brand new Team is that label also applied to the document library‘s that live there or do I need to apply those individually?
Jim, thanks for the question! They need to be applied individually to anything within the Team/SharePoint site...document libraries, documents, folders, etc. The labels applies at the container level only. Hoping maybe we get an update to would allow for that option. I think one could argue for the current implementation or an implementation where everything with a container gets the label by default. Both seem to have theirs pros/cons in my mind. ~Ben
Johnathan, absolutely. As file sharing within Teams itself is just file sharing from SharePoint, if you prevent file sharing in SharePoint with DLP (or any other means) it will also block file sharing within Teams as well.
Hello Ben. when i run the $setting = Get-AzureAADirectorySetting ... I get an error unrecognized cmdlet. Please advise. Also where can i find the links to these PS scripts. Thank you.
Sounds like you probably need to install the AzureADPreview PowerShell Module. It's the first step here - docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-labels As for the scripts, they are all available on docs.microsoft.com...forgot to include them int he original description. I'm updating that now with links to the various articles.
Alex, going well! How about you? Glad I could help out with the sensitivity labels in your tenant! :) Hope to see you around at a conference again one of these days!
Good video and well explained. Sensitivity labels are working. Question if we have uploaded say for example 1000 office documents in a SharePoint document library is it possible to auto attach one sensitivity label to all the 1000 documents?
Cliff, you can't go back and retroactively do it in bulk that I'm aware of that's general available. I haven't tried it, but it's possible you could write a PowerShell script to do it as well. If you have E5 licenses, you could also use the autolabel functionality there to do it. However, all that being said, there is also a preview feature rolling out now to configure a default sensitivity label for a document library. I haven't tried it yet, but based on the documentation this will apply a default library to all new content as well as content that doesn't have a label yet. So you wouldn't be able to pick documents and bulk apply them, but you could do it on a library by library basis. - docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label?view=o365-worldwide.
Hm...did it start working? The only time I've seen that is 1) a step was missed to enable something, or 2) there was a bit of a lag in getting everything enabled. Hoping it was maybe #2. If not, I might need a few more details to troubleshoot what might be missing :)
Gokul, absolutely. You can use them in web, desktop, and mobile versions of Office. Sensitivity labels actually came to the office apps first and only relatively recently to Sites, Groups, and Teams. You can find the documentation here on how to use them in Office Apps. There is also a link to the admin documentation for setting it up - support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9
There is a setting in your sensitivity labels can control users ability to lower a sensitivity and even some restrictions around it (like requiring justification to lower it). In this way you can audit when and why a user might lower the sensitivity, or even set up alerts for it in various ways. However, I'm not aware of being able to set it to only be lowered by peopler with specific permissions.
Thanks a lot for the video! we have a strange issue, the sensivity button does not appear on our office web apps (word online, excel online) but it does appears on the client apps, anyone knows something about that? many thanks gustavo
Jeff, thanks! Glad it helped and thanks for the compliment. As far as the import, that's just on whatever machine you happen to use for the initial configuration. No need to run it on every client.
@@Ben_Stegink Thanks Mate. After you Create and publish a label, do you have to republish the label again if you make a change to the watermark for example ?
@Jeff, nope, there shouldn't be any republishing needed. Just make the change (and maybe wait a little bit) and the change should go live automatically.
Hi guys, Great Vidéo! I get this error when trying to apply sensitivity label which encrypt files: "Sorry... we coudnt find right management templates" Can someone help me ? Thank you.
Hm...I haven't seen that one before. If I get a chance though I'll do a little digging and see if I can come up with anything. Were you trying to apply this sensitivity labels to a Site or a Team?
@@Ben_Stegink Thank you for your response, it' was when I applied on files. But it somehow disapeared after approximately 24h when I tryed on the production tenant... Lucky me. Maybe i should have just waited more on test tenant. Before deploying on production tenant i had found a plan B to solve the issue by installing AIP client for unified labeling. But its weird cause it should had worked with the built in client. Didnt had to deploy the AIP client in the end. I see two difference between my production tenant and the test one : - Production is on premise the other one on the cloud (Maybe it has something to do with my firewalls...) - On the test tenant I had enabled the feature for group and site but no one in the tenant had the right license (I didnt use the feature). In the end I just dont know what happened, I pray each time I apply a label ..
@@S0VER3IGN you must enforce the label with powershell to synchronise with the ARM templates 1-Connect-AipService 2-Get-AipServiceTemplate | FL name*, TemplateId : to get the ID of the label 3-Set-AipServiceTemplateProperty -TemplateID "Label's ID" -Status Published 4-Get-AipServiceTemplate | FL name*, TemplateId , Status : to verify the status of the label : must be in "published"
only video I have found which details the powershell prerequisites..so well done.
Thanks Chris!
Same here.. you saved my day!
The best video on AIP !!
This helped me, thank you
Pretty good. Thank you for this!
Great Video!
Thanks for this video, it has cleared lots of my concepts.
Could you also plan to create a video on eDiscovery?
WOW!!! This helped me out alot! Thanks many time.
You're welcome and great to hear that it helped out
Working, thanks for sharing.
You're welcome!
Thank you very much for this video. How do files with sensitivity labels applied to them behave when membership to the label is based on dynamic group? I have create a label and distributed it to a dynamic group. I have later tagged a word document with this label. At a later stage I also amended the dynamic group to include more users, however the new employees in the group never get access to the previous old word document. How does this work? I have waited a couple of days, still the behaviour is that new employees within the group still do not have access to old documents.
So you assigned the information rights management permissions on the file (like limiting printing) to a dynamic group? Then after adding a new user to that dynamic group, after a few days they are still unable to print or perform the actions assigned in IRM? I honestly haven't tried this yet, so I'm not 100%, but I haven't heard of any issues with this. I'll try to give it a try though and get back to you on that.
@@Ben_Stegink even if the dynamic group is used to give access to the complete file (co-owner), any new members of this dynamic group are not granted to past files with the same label. Same behaviour with static groups.
Hi team! Thanks for the great video. @Can you please tell me, I have already configured sensivity label the same as you. When I`am creating teams from scratch, the system automatically assign the sensivity label for private team. Is it ok? Is that mean, that now I can`t create Teams group without assigning the sensivity label?
Correct, once you set this up you will have to select a sensitivity label every time you create a Team. So if you don't want the one for the private team, you may also create a labels that is general, or something else for "non-private" Teams.
Wow. Thanks for this clarifiying video. Excelent explanation. Very useful.
Hi, thanks for a good video. How does the labels apply on "Private Channels" created within the Team? -> Own SPO site different from the "mother" SPO site for Teams. Do we need to apply on SPO site afterwards or? Any tips around Private Channels and labels?
Niklas, Private channels actually inherit the sensitivity label from their parent team. It won't even allow you to go in and change the label in SharePoint for those site collections created via a private channel.
excellent
Thank you! This helped a lot. I will be sharing this video!
Awesome, thanks, and glad it helped!
made life easy
Excellent video Ben. Quick question I am unclear on. If I apply a sensitivity level to a brand new Team is that label also applied to the document library‘s that live there or do I need to apply those individually?
Jim, thanks for the question! They need to be applied individually to anything within the Team/SharePoint site...document libraries, documents, folders, etc. The labels applies at the container level only.
Hoping maybe we get an update to would allow for that option. I think one could argue for the current implementation or an implementation where everything with a container gets the label by default. Both seem to have theirs pros/cons in my mind.
~Ben
Hey Ben great video ! but I have a question, can you use sensitivity labels and DLP policy to actually block file sharing within teams itself ?
Johnathan, absolutely. As file sharing within Teams itself is just file sharing from SharePoint, if you prevent file sharing in SharePoint with DLP (or any other means) it will also block file sharing within Teams as well.
Hello Ben. when i run the $setting = Get-AzureAADirectorySetting ... I get an error unrecognized cmdlet. Please advise. Also where can i find the links to these PS scripts. Thank you.
Sounds like you probably need to install the AzureADPreview PowerShell Module. It's the first step here - docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-labels
As for the scripts, they are all available on docs.microsoft.com...forgot to include them int he original description. I'm updating that now with links to the various articles.
Great overview - thanks!
You're welcome! Glad it was helpful.
Nice job Ben. Keep up the good work!
Thanks!
Hey Ben, how is it!? This video helped my fix my tenant to activate the sensitivity labels.
Alex, going well! How about you? Glad I could help out with the sensitivity labels in your tenant! :) Hope to see you around at a conference again one of these days!
@@Ben_Stegink For sure. Been enjoyning the podcasts as well. Will have to get together and do something!
Good video and well explained. Sensitivity labels are working. Question if we have uploaded say for example 1000 office documents in a SharePoint document library is it possible to auto attach one sensitivity label to all the 1000 documents?
Cliff, you can't go back and retroactively do it in bulk that I'm aware of that's general available. I haven't tried it, but it's possible you could write a PowerShell script to do it as well. If you have E5 licenses, you could also use the autolabel functionality there to do it.
However, all that being said, there is also a preview feature rolling out now to configure a default sensitivity label for a document library. I haven't tried it yet, but based on the documentation this will apply a default library to all new content as well as content that doesn't have a label yet. So you wouldn't be able to pick documents and bulk apply them, but you could do it on a library by library basis. - docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label?view=o365-worldwide.
@@Ben_Stegink thanks
Great Ben, i have succesfully deploy with your tutorial, but after Define the scope for this label , Groups & Site still grey out
Hm...did it start working? The only time I've seen that is 1) a step was missed to enable something, or 2) there was a bit of a lag in getting everything enabled. Hoping it was maybe #2. If not, I might need a few more details to troubleshoot what might be missing :)
Is there any possible way in which we can use this sensitivity label in word in the office 365 environment?
Gokul, absolutely. You can use them in web, desktop, and mobile versions of Office. Sensitivity labels actually came to the office apps first and only relatively recently to Sites, Groups, and Teams. You can find the documentation here on how to use them in Office Apps. There is also a link to the admin documentation for setting it up - support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9
Please help- how can i restrict so that only few admin users can lower down sensitivity labels if file is marked confidential
There is a setting in your sensitivity labels can control users ability to lower a sensitivity and even some restrictions around it (like requiring justification to lower it). In this way you can audit when and why a user might lower the sensitivity, or even set up alerts for it in various ways. However, I'm not aware of being able to set it to only be lowered by peopler with specific permissions.
Hi, Is it possible to assign label to multiple teams sites at once?
Not currently in the UI. However you shoudl be able to write some Powershell to do it in bulk. I just haven't tried that approach yet :)
Thanks a lot for the video! we have a strange issue, the sensivity button does not appear on our office web apps (word online, excel online) but it does appears on the client apps, anyone knows something about that? many thanks gustavo
Hm...I don't have any ideas off the top of my head, but if I think of something or run across any ideas I'll definitely let you know!
Hey Gustavo, I'm running into the same issue... did you figure it out by any chance?
Great video! Microsoft should hire you for training. Do you have to run the import commands on each client PC?
Jeff, thanks! Glad it helped and thanks for the compliment. As far as the import, that's just on whatever machine you happen to use for the initial configuration. No need to run it on every client.
@@Ben_Stegink Thanks Mate. After you Create and publish a label, do you have to republish the label again if you make a change to the watermark for example ?
@Jeff, nope, there shouldn't be any republishing needed. Just make the change (and maybe wait a little bit) and the change should go live automatically.
what licenses do we require to apply these labels?
Sensitivity labels on Microsoft 365 Groups require a minimum of an Azure AD Premium P1 license
Hi guys,
Great Vidéo! I get this error when trying to apply sensitivity label which encrypt files:
"Sorry... we coudnt find right management templates"
Can someone help me ?
Thank you.
Hm...I haven't seen that one before. If I get a chance though I'll do a little digging and see if I can come up with anything. Were you trying to apply this sensitivity labels to a Site or a Team?
@@Ben_Stegink Thank you for your response, it' was when I applied on files. But it somehow disapeared after approximately 24h when I tryed on the production tenant... Lucky me.
Maybe i should have just waited more on test tenant. Before deploying on production tenant i had found a plan B to solve the issue by installing AIP client for unified labeling. But its weird cause it should had worked with the built in client. Didnt had to deploy the AIP client in the end.
I see two difference between my production tenant and the test one :
- Production is on premise the other one on the cloud (Maybe it has something to do with my firewalls...)
- On the test tenant I had enabled the feature for group and site but no one in the tenant had the right license (I didnt use the feature).
In the end I just dont know what happened, I pray each time I apply a label ..
@@S0VER3IGN you must enforce the label with powershell to synchronise with the ARM templates
1-Connect-AipService
2-Get-AipServiceTemplate | FL name*, TemplateId : to get the ID of the label
3-Set-AipServiceTemplateProperty -TemplateID "Label's ID" -Status Published
4-Get-AipServiceTemplate | FL name*, TemplateId , Status : to verify the status of the label : must be in "published"
I hope to gawd I don't have to use PowerShell for this.
Sorry... :(