SharePoint Permissions and Sensitivity Labels

When sensitivity labels are configured in a Microsoft 365 environment, they affect how access to SharePoint sites is managed. Sensitivity labels can be applied to both group-based and standalone sites, but in different ways, which can confuse site owners and lead to incorrectly assigned permissions, which is a security risk. In this article we explain how site sensitivity labels, privacy, and permissions relate to each other.

Sensitivity labels are part of Microsoft 365 Information Protection and are configured in the Microsoft Purview (Compliance) Center. Labels that are scoped to Microsoft 365 groups and sites can, among other options, be configured so that applying the label also enforces group visibility (privacy). For example, we can have an “Open Resource” sensitivity label with group privacy set to “Public” and a “Members-only resource” label with group privacy set to “Private”.

Here is an example of how site privacy is configured for a sensitivity label under Microsoft Purview Information Protection:

[Screenshot: configuring sensitivity label, “Define privacy” step]

Please note that Microsoft says “These options apply to all Microsoft 365 Groups and teams” (but not sites) and “When applied, these settings will replace any existing privacy settings for the team or group”.

There are two flavors of SharePoint sites: group-based and standalone (non group-based):

  • Group-based SharePoint sites
    Sites of this kind are created as “back-end” storage for “front-end” applications such as Teams and Viva Engage. Although these sites can be opened in a browser like any other SharePoint site, it is recommended to configure them, including permissions, through the “front-end” application. They are called group-based because the Microsoft 365 group is created first, when a team or Viva Engage (Yammer) community is created, and group membership defines site permissions: group owners become team owners and site owners, and adding a new member to a team actually adds a member to the Microsoft 365 group. The key property of a Microsoft 365 group is its visibility: a group can be Private or Public.
    Examples: a Microsoft Teams-connected site, or the site behind a Viva Engage community.
  • Standalone sites
    Sites of this kind are created as regular SharePoint sites (standalone, not connected to any group), so they are meant to be accessed and configured in the native SharePoint way. No Microsoft 365 group is needed for such a site to exist. Site owners and members are assigned directly under site settings. Since there is no connection to a Microsoft 365 group, there is no concept of a Private or Public group for these sites.
    Example: Communication site.

Group-based SharePoint sites

Owners of group-based sites can manage their group membership and set group visibility from Manage Groups I own, from Manage Teams – Settings, from Viva Community settings, or via Groups Settings in Outlook. The SharePoint experience also allows changing group (and site) privacy from Site Settings – Site Information. With respect to site permissions, a site owner can add members (or owners) to the group, and can also grant access to the site only, which we do not recommend because it confuses users, breaks the experience, and can cause security issues.

If sensitivity labels are configured and published in the Microsoft 365 environment, all users can see them and site owners can usually select a sensitivity label for their site; in the GUI dialog, the sensitivity label option sits right next to the group visibility (privacy) option.

Below is the user experience of updating group name, description, privacy, and sensitivity via Teams (on the left) and My Groups (on the right). Notice that the order and field names differ: what Teams calls privacy is called policy under My Groups:

Update group settings


Only group owners can edit group settings. A group owner can choose a sensitivity label only from the labels that were published for that user. The sensitivity label policy can be configured to require users to apply a label to their site, and the sensitivity label itself can be configured to enforce group privacy. So, depending on the label and policy configuration, a group owner may or may not be forced to choose a sensitivity label from the list, and after assigning a specific sensitivity label the owner may lose the ability to set group privacy (the privacy field is greyed out).
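Because a label can enforce group privacy while owners can still change privacy through several other dialogs, an administrator will want a way to check that every group-based site's visibility actually matches what its label is supposed to enforce. The following PowerShell script is an added example written for this article, not Microsoft's code or a script from the original post. It assumes the Microsoft Graph PowerShell module is installed, and the `$ExpectedPrivacyByLabel` table is a hypothetical mapping that you must fill in from your own Purview label configuration (the two label names are the examples used earlier in this article).

```powershell
# Added example (not from the original article): audit group-based sites by comparing
# each Microsoft 365 group's visibility with the privacy its sensitivity label enforces.
# Assumptions: Microsoft.Graph PowerShell module is installed, and the mapping below
# reflects the labels and privacy settings configured in your own tenant.
Import-Module Microsoft.Graph.Groups

# Delegated scope needed to read groups and their assigned labels
Connect-MgGraph -Scopes "Group.Read.All"

# Hypothetical mapping from label display name to the group privacy the label enforces.
# Replace with the labels and privacy settings configured in Microsoft Purview.
$ExpectedPrivacyByLabel = @{
    "Open Resource"         = "Public"
    "Members-only resource" = "Private"
}

# Microsoft 365 (Unified) groups are the groups that back Teams and Viva Engage sites
$groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All `
    -Property Id,DisplayName,Visibility,AssignedLabels

$findings = foreach ($g in $groups) {
    # A group carries at most one sensitivity label; take its display name if present
    $labelName = ($g.AssignedLabels | Select-Object -First 1).DisplayName
    $expected  = if ($labelName) { $ExpectedPrivacyByLabel[$labelName] } else { $null }

    $status = if (-not $labelName) {
        "NoLabel"           # a label policy may require one; review
    } elseif ($null -eq $expected) {
        "UnknownLabel"      # label is not in the mapping above; extend the table
    } elseif ($g.Visibility -ne $expected) {
        "PrivacyMismatch"   # e.g. a Public group carrying a members-only label
    } else {
        "OK"
    }

    [pscustomobject]@{
        Group      = $g.DisplayName
        Label      = $labelName
        Visibility = $g.Visibility
        Expected   = $expected
        Status     = $status
    }
}

# Show only the groups that need attention, grouped by finding type
$findings | Where-Object Status -ne "OK" | Sort-Object Status | Format-Table -AutoSize
```

Run this as a user who can read all groups; a `PrivacyMismatch` row is the case the article warns about, where a group's effective visibility no longer matches the label's intent and site permissions should be reviewed through the group (Teams or Viva Engage) rather than through direct SharePoint site access. Standalone sites are not covered here because they have no group and therefore no visibility property to compare.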
