SharePoint Permissions and Sensitivity Labels

When a sensitivity label is created in Microsoft 365, it can be configured so that applying the label to a SharePoint site affects the site's permissions. Specifically, if the sensitivity label's scope is "Groups & sites", then "Privacy and external user access" can be configured to "Control the level of access that internal and external users will have to labeled teams and Microsoft 365 Groups". Sensitivity labels can be applied to both group-based and standalone sites, but the effect differs, and that confuses users and site owners and results in incorrectly assigned permissions, which poses a security risk. In this article we explain the correlations between site sensitivity labels, privacy and permissions.

Internal sharing – Public/Private concept

Sensitivity labels are part of Microsoft 365 Information Protection and are configured in the Microsoft Purview (Compliance) portal. Labels that can be applied to Microsoft 365 groups and sites can, among other configuration options, be set up so that applying the label also enforces group visibility (privacy). For example, we can have an "Open Resource" sensitivity label with group privacy set to "Public" and a "Members-only resource" label with group privacy set to "Private".

Here is an example of how site privacy is configured for a sensitivity label under Microsoft Purview Information Protection:

configuring sensitivity label - Define privacy

Please note that Microsoft says "These options apply to all Microsoft 365 Groups and teams" (but not sites) and "When applied, these settings will replace any existing privacy settings for the team or group".

There are two flavors of SharePoint sites: group-based and standalone (non group-based):

  • Group-based SharePoint sites
    Sites of this kind are created as "back-end" document storage for "front-end" applications such as Teams and Viva Engage. Though these sites are accessible via browser like any other SharePoint site, it is recommended to configure them, including permissions, through the "front-end" apps. They are called group-based sites because a Microsoft 365 group is created whenever a Teams team or a Viva Engage (Yammer) community is created, and group membership actually defines site permissions: group owners become team owners and site owners, and adding a new member to a team actually adds a member to the Microsoft 365 group. The key property of a Microsoft 365 group is its visibility: a group can be Private or Public.
    Examples: a Microsoft Teams-connected site, or the site behind a Viva Engage community.
  • Standalone sites
    Sites of this kind are created as regular (standalone, not connected to any group) SharePoint sites, so they are meant to be accessed and configured the native SharePoint way. No Microsoft 365 group is needed for such a site to exist. Site owners and members are assigned directly under site settings. Since there is no connection to a Microsoft 365 group, there is no concept of a Private vs Public group for these sites.
    Example: Communication site.

Group-based SharePoint sites

Owners of group-based sites can manage group membership and set group visibility from Manage Groups I own, from Manage Teams – Settings, from Viva Community settings, or via Group Settings in Outlook. The SharePoint experience also allows changing group (and site) privacy from Site Settings – Site Information. With respect to site permissions, a site owner can add members (or owners) to the group, and can also grant access to the site only, which we do not recommend as it might confuse users, break the experience and cause security issues.

If sensitivity labels are configured and published in the Microsoft 365 environment, all users can see them and site owners can usually select a sensitivity label for their site; in the GUI dialog the sensitivity label option sits right next to the group visibility (privacy) option.

Below is the user experience of updating group name/description/privacy/sensitivity via Teams (on the left) and My Groups (on the right). Notice that the order and field names differ: what is called privacy in Teams is called policy under My Groups:

Update group settings

Only group owners can edit/update group settings. A group owner can choose a sensitivity label only from the labels that were published for that user. The sensitivity label policy can be configured to require users to apply a label to their site, and the sensitivity label itself can be configured to enforce group privacy. So, depending on the label and policy configuration, a group owner may or may not be forced to choose a sensitivity label from the list. It also depends on the label and policy configuration, but after assigning specific sensitivity labels owners could lose the ability to set group privacy (the privacy field would be greyed out); in other words, to choose group/site privacy, the owner must choose a sensitivity label.

Standalone sites

Since standalone sites are not group-based, there is no concept of group privacy for them. Site permissions are assigned the usual way: you have Site Collection Administrators with full permissions to the site, and three out-of-the-box SharePoint groups are created (site Owners with Full Control, site Members with Edit permissions and site Visitors with Read permissions); you can add individuals or groups to the SharePoint groups and to the admins list.

standalone SharePoint site permissions


Group owner vs site owner vs site admin

Here we have a very confusing part. When introducing Teams, Microsoft tried to simplify SharePoint's complicated permissions system (and at some level it succeeded, but overall it made permissions even more complicated). Let's have a look.

Private group

When a private group is created with a SharePoint site behind it, here is what happens:

  • m365 group owners are added to site collection admins
  • m365 group members are added to the SharePoint site group site Members
  • nothing is added to the SharePoint site groups site Owners and site Visitors

Here is what you can see if you go to advanced permissions settings:

Group-based SharePoint site groups and permissions


Notice that when we say "m365 group owners are added to site collection admins" it does not mean that individuals are added; the group is added, so the correct phrase would be "the m365 group owners group is added to site collection admins". Let us assume for simplicity that every Microsoft 365 group has two subgroups: group members and group owners.
The same is true for group members: "the Microsoft 365 group members group is added to the SharePoint site group site Members".

So the mapping of private group membership to SharePoint site permissions is:

Group-based site permissions

Note that under the "simplified" site permissions settings you see a slightly different picture 🙂 :

group-based sharepoint site simplified permissions


Public Group

Public groups are public by definition, i.e. open to everybody. The mechanics are as follows. In Microsoft 365 there is a system identity called "Everyone Except External Users", which addresses all organizational users only, not including external users. Here are the differences for a public group/team/site:

  • with respect to the group itself: owners are owners, members are members, no changes; but the group privacy property is set to Public
  • connected team: public teams are not added to every user's list of teams (as users are still not members of the public team), but a user can join a public team (though finding a public team is a separate challenge); no team owner approval is required to join a public team; once a user has joined a public team, the user becomes a member of the group and the team.
  • SharePoint sites: public group-based SharePoint sites are automatically shared with Everyone Except External Users (EEEU) with Edit permissions.
    What happens is that the system identity "Everyone Except External Users" is added automatically by a Microsoft timer job to the SharePoint site Members group (NB! not Visitors):
    public group based SharePoint site permissions

Again: everyone in the organization (except external users) has read and write access to documents (but not pages) stored in the SharePoint site connected to a public team.

So below is how public group membership is mapped to SharePoint site permissions:

how public group membership is mapped to SharePoint site permissions

The picture above is the out-of-the-box experience. Of course a site owner can grant groups or individuals access to the SharePoint site directly, but that would be an inconsistency that confuses users. You might also be tempted to remove EEEU from site Members and add it to site Visitors (as you might expect a public group-based site to allow only read access for everyone), but after some time Microsoft's automation will add EEEU to site Members again.

Sensitivity label impact on site permissions

So, the bottom line: how do sensitivity labels affect site permissions?

  • When you assign a sensitivity label to a group-based site and the site's privacy is changed to public, the entire site becomes open to Everyone except external users with read/write permissions to documents and list items.
  • When you assign a sensitivity label to a group-based site and the site's privacy is changed to private, it does not mean that the entire site becomes private. It only means that the "Everyone except external users" group is removed from the "Site members" SharePoint group, i.e. individuals who had access to the site through EEEU lose that access, but all permissions granted by other means stay. So to ensure the site is accessible only by members, it is recommended to get a full site permissions report and fix unwanted access.
  • When you assign a sensitivity label to a non-group-based site, you do not see privacy settings, so there will be no change in site permissions for internal users.

The last point might confuse users. Example: an organization might implement sensitivity labels "Open resource" and "Private resource", intending the "Private resource" label for private teams and "Open resource" for public teams. For teams this makes sense, and assigning the label updates site permissions accordingly.
But for standalone sites, assigning the "Private resource" label will not change site permissions to private (if the site was shared with everyone, it will still be shared with everyone).
And vice versa: changing the label to "Open resource" will not automatically make the site accessible to everyone. You would still need to grant permissions accordingly.
So for standalone sites such as a Communication site, a sensitivity label is more of a declaration of the intended use of the site, so that site users can act accordingly.
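The permissions report recommended above can be produced with a short PnP.PowerShell audit. The script below is an added example, not code from the article: it reads the site's Microsoft 365 group id, reconstructs the owner/member group claims and the EEEU claim that the out-of-the-box mapping relies on, and flags every principal in the site collection admins list and the three default SharePoint groups that is not explained by that mapping (i.e. access that a "private" label would leave in place). It assumes PnP.PowerShell is installed, the signed-in user is a site collection admin, and $ClientId is your own Entra app registration for PnP sign-in; the claim formats are the documented SharePoint Online ones but are worth checking against your tenant.

```powershell
# Added audit example (not from the article). Assumes PnP.PowerShell is installed,
# the signed-in user is a site collection admin of $SiteUrl, and $ClientId is your
# own Entra app registration used for PnP sign-in.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [Parameter(Mandatory)] [string] $ClientId
)

Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# A standalone site has no Microsoft 365 group, so a label cannot change its privacy.
$groupId = (Get-PnPSite -Includes GroupId).GroupId
if ($groupId -eq [guid]::Empty) {
    Write-Warning "Standalone site: a label will not change internal permissions here."
}

# Claims behind the mapping described in the article:
#   M365 group owners  -> site collection admins
#   M365 group members -> SharePoint 'Members' group
#   EEEU (Everyone except external users) -> 'Members' group on public groups
$ownersClaim  = "c:0o.c|federateddirectoryclaimprovider|${groupId}_o"
$membersClaim = "c:0o.c|federateddirectoryclaimprovider|$groupId"
$eeeuPrefix   = "c:0-.f|rolemanager|spo-grid-all-users/"

Write-Host "Current site sensitivity label:"
Get-PnPSiteSensitivityLabel | Format-List

$scopes = @(
    @{ Scope = 'Site collection admins'; Users = @(Get-PnPSiteCollectionAdmin) }
    @{ Scope = 'Site Owners';   Users = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedOwnerGroup)) }
    @{ Scope = 'Site Members';  Users = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedMemberGroup)) }
    @{ Scope = 'Site Visitors'; Users = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedVisitorGroup)) }
)

$report = foreach ($s in $scopes) {
    foreach ($u in $s.Users) {
        if ($s.Scope -eq 'Site collection admins' -and $u.LoginName -eq $ownersClaim) {
            $verdict = 'expected: M365 group owners'
        } elseif ($s.Scope -eq 'Site Members' -and $u.LoginName -eq $membersClaim) {
            $verdict = 'expected: M365 group members'
        } elseif ($u.LoginName.StartsWith($eeeuPrefix)) {
            # Public-group behaviour: every internal user gets this scope's permission level
            $verdict = "EEEU: all internal users have $($s.Scope) access"
        } else {
            # Granted outside the group: switching the label to 'private' will not remove it
            $verdict = 'extra: review, not governed by group privacy'
        }
        [pscustomobject]@{ Scope = $s.Scope; Principal = $u.LoginName; Verdict = $verdict }
    }
}

$report | Format-Table -AutoSize
```

Entries marked "extra" are the ones to review before relying on a private label; item-level sharing links and unique permissions on libraries are outside this site-level check.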

External sharing

There is another label configuration that can affect SharePoint site access for external users. If the sensitivity label's scope is "Groups & sites", then the "External sharing and Conditional Access" settings can be used to "Control external sharing and configure Conditional Access settings to protect labeled SharePoint sites". But that is a separate story.

Site sensitivity labels and DLP

So far we have discussed how site sensitivity labels affect a SharePoint site owner's life, i.e. what sensitivity labels bring to SharePoint. But that is not the only reason sensitivity labels exist. The real reason is security and information protection. At the organizational level it is crucial to classify information so that different policies (e.g. DLP policies) can be applied to different kinds of information. At the tenant level, sites might be (and will be) scanned to ensure the applied sensitivity label is correct.
