Introduction
Before you begin, it is recommended that you first read this article.
At the container level, Sensitivity Labels can regulate the following aspects of the container (for example, a SharePoint site):
Let's explore these in a little more detail!
Privacy
The Privacy setting of a container can be managed by an administrator even where no Sensitivity Label is applied.
If a Sensitivity Label IS applied to the container, the Privacy setting of the container is updated to reflect the setting defined in the Sensitivity Label. The available options are:
- Public: Anyone in the organisation can access the group, site or team and add members.
- Private: Only team owners and members can access the group or team, and only owners can add members.
- None: Team and group members can set the privacy settings themselves.
External User Access
This setting controls whether M365 Group owners can add guests (users from outside the organisation) to the group.
This setting can be defined by Administrators at tenant level, but can then be overridden by Sensitivity Labels to apply further restrictions to specific M365 Groups. (Sensitivity Labels cannot be used to lower tenant-level restrictions, ONLY to make settings more restrictive.)
External Sharing
This setting controls who content can be shared with, based on whether the recipient is an internal user (an organisation user) or an external user (a guest in the organisation's Azure Active Directory). This setting can be configured at tenant level and also on a site-by-site basis.
Sensitivity Labels take precedence in Teams and SharePoint sites ONLY if they are more restrictive than the tenant-level setting (restrictions can be heightened, but not lowered, by Sensitivity Labels).
The available options are:
- Anyone: Users can share files and folders using links that don't require a sign-in.
- New and existing guests: Guests must sign in or provide a verification code.
- Existing guests: Only guests in the organisation's directory.
- Only people in your organisation: No external sharing allowed.
Access from unmanaged devices (AAD Conditional Access)
This setting can be applied to a SharePoint or Teams site; it blocks or limits access to the site when the user tries to access its content from an unmanaged device.
In this context, "unmanaged devices" are those that are neither "Hybrid AD joined" nor marked compliant in Intune.
To access a SharePoint or Teams site that has this setting applied, the user must be using a device that meets one of the following requirements:
- The device is joined to both on-premises AD ("hybrid AD joined") and to Azure Active Directory
- The device (company or privately owned) is enrolled in Intune with one or more compliance policies that confirm that the device is compliant.
The "Access from unmanaged devices" setting can typically be defined at tenant level and also on each SharePoint site.
The available options for the "Access from unmanaged devices" setting are:
- Allow full access from desktop apps, mobile apps, and the web
- Allow limited, web-only access
- Block access
Authentication context
This setting is in preview ONLY (as of November 2022). If this feature looks to be of interest or you'd like to find out more, refer to the Official Microsoft Guidance or send an email to support@clearpeople.zendesk.com.
Default sharing link type for a SharePoint site (PowerShell Only)
This is considered Advanced Configuration and requires expertise in PowerShell. The Microsoft Purview portal does NOT support configuring this setting from its UI. You can read how to do this from this article.
If this feature looks to be of interest or you'd like to find out more, send an email to support@clearpeople.zendesk.com.
Site sharing settings (PowerShell Only)
NOTE: This is considered Advanced Configuration and requires expertise in PowerShell. The Microsoft Purview portal does NOT support configuring this setting from its UI.
This setting is equivalent to the configuration settings that Administrators can apply via the SharePoint Admin Centre. Controlling these settings through the SharePoint Admin Centre will remain the preferred option for most organisations.
If this feature looks to be of interest or you'd like to find out more, send an email to support@clearpeople.zendesk.com.
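The two PowerShell-only settings above (default sharing link type, and site sharing settings) are both applied as advanced settings on the label itself. The script below is an added example, not part of the original article or of Atlas: it uses the Security & Compliance PowerShell cmdlets Connect-IPPSSession, Set-Label and Get-Label. The label name and sign-in UPN are placeholders, and the advanced-setting keys and values (DefaultSharingScope, DefaultShareLinkPermission, MembersCanShare) are assumed to match Microsoft's documented Set-Label settings; check them against the current Microsoft guidance before running this in a tenant.

```powershell
# Added example: apply the PowerShell-only container settings to an existing
# sensitivity label. Requires the ExchangeOnlineManagement module
# (Install-Module ExchangeOnlineManagement) and a Purview/compliance admin role.
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder UPN

# Placeholder: an existing label that already has "Groups & sites" settings enabled
$LabelName = "Confidential - Project Sites"

# 1. Default sharing link type for sites that carry this label.
#    DefaultSharingScope (assumed values): SpecificPeople | Organization | Anyone
#    Choosing SpecificPeople means a new link only works for the people it is sent to.
Set-Label -Identity $LabelName -AdvancedSettings @{ DefaultSharingScope = "SpecificPeople" }

#    DefaultShareLinkPermission (assumed values): View | Edit
Set-Label -Identity $LabelName -AdvancedSettings @{ DefaultShareLinkPermission = "View" }

# 2. Site sharing settings: who site members may share with. Mirrors the
#    SharePoint Admin Centre option. Assumed values:
#    MemberShareAll | MemberShareFileAndFolder | MemberShareNone
Set-Label -Identity $LabelName -AdvancedSettings @{ MembersCanShare = "MemberShareNone" }

# Read the label back and show only the settings touched above, so the change
# can be confirmed before any site is (re)labelled.
(Get-Label -Identity $LabelName).Settings |
    Where-Object { $_ -match 'defaultsharingscope|defaultsharelinkpermission|memberscanshare' }
```

Each Set-Label call is issued separately, matching the way the Microsoft documentation shows these settings. Remember that, as with every other container setting, the values only take effect on sites once the label is applied, and they can only tighten what the tenant already allows.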
What if?...
Let's consider some facts through a couple of scenarios:
If a Sensitivity Label is applied to a Container, say a SharePoint Site, what can we expect if we add a file (Content) that has no Content-level Sensitivity Label applied? Or one whose Sensitivity Label is different from that of the SharePoint Site Container? Which policies will be applied?
Let us stick with our example of a SharePoint site as the Container and a File as the Content.
One thing to bear in mind is that with or without Sensitivity Labels, a SharePoint site already has settings of some type, about who can see and access the site (and its contents).
- When we add a Sensitivity Label to a site, those settings are affected, as if they were applied to the Site itself! (For example, there might be a Tenant-level policy for external guests, but this can be superseded by applying a more restrictive policy to the Site itself via a Container-level Sensitivity Label.)
- When Files are moved into a Site which has a Sensitivity Label applied, the File does NOT get labelled as such, but it is protected by the Sensitivity Label applied to the Site.
- When a File that has a Content-level Sensitivity Label applied is moved into a Site, the Site ignores the Content-level Sensitivity Label.
- If a Sensitivity Label is applied directly to a File, the Label stays with the file wherever it goes, even if sent outside of the organisation on an email.
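Because a container label tightens the site's own External Sharing and "Access from unmanaged devices" settings (and never loosens the tenant-level defaults), the effective values are visible on the site object itself. The script below is an added example, not part of the original article or of Atlas: it uses the SharePoint Online Management Shell (Connect-SPOService, Get-SPOTenant, Get-SPOSite) to list every site carrying a given label alongside its effective SharingCapability and ConditionalAccessPolicy, and flags any site whose sharing setting is not at least as restrictive as the tenant default. The admin URL and label GUID are placeholders; the restrictiveness ranking of the SharingCapability values follows the four options listed in the External Sharing section above.

```powershell
# Added example: audit the effective container settings of labelled sites.
# Requires Microsoft.Online.SharePoint.PowerShell and a SharePoint admin role.
Connect-SPOService -Url "https://contoso-admin.sharepoint.example"   # placeholder admin URL
$LabelId = "00000000-0000-0000-0000-000000000000"                   # placeholder: label GUID (see Get-Label)

# Rank SharingCapability values from most to least restrictive. The order mirrors the
# article's list: Only people in your organisation < Existing guests
# < New and existing guests < Anyone.
$SharingRank = @{
    Disabled                        = 0   # Only people in your organisation
    ExistingExternalUserSharingOnly = 1   # Existing guests
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone
}

$tenant = Get-SPOTenant
Write-Host ("Tenant defaults: SharingCapability={0}; ConditionalAccessPolicy={1}" -f `
    $tenant.SharingCapability, $tenant.ConditionalAccessPolicy)

Get-SPOSite -Limit All | ForEach-Object {
    # Re-read each site individually; the per-site object carries the full property set
    # (assumption: SensitivityLabel is returned as the label GUID string).
    $site = Get-SPOSite -Identity $_.Url
    if ("$($site.SensitivityLabel)" -ne $LabelId) { return }

    [pscustomobject]@{
        Url                     = $site.Url
        SharingCapability       = $site.SharingCapability
        ConditionalAccessPolicy = $site.ConditionalAccessPolicy   # AllowFullAccess | AllowLimitedAccess | BlockAccess
        # A labelled site should never be looser than the tenant; a $true here is worth a look.
        LooserThanTenant        = $SharingRank["$($site.SharingCapability)"] -gt $SharingRank["$($tenant.SharingCapability)"]
    }
} | Format-Table -AutoSize
```

Run this after applying or changing a label to confirm the container settings actually landed on the sites, and again periodically: a site whose sharing capability reads as looser than the tenant default has either lost its label or been changed outside the label, and that is the kind of drift an administrator wants to catch.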
Further Reading
If you've made it this far, do please take a look at the Official Microsoft Guidance.
You might also be interested in the Content Security Features article, the Content-level equivalent of this one.
Finally, here you can read about the new features in Atlas 4.1 for Container-level Sensitivity Labels through Connex Studio.