Some features in this article require Microsoft Syntex - SharePoint Advanced Management
In this article, we look at setting up a team for a highly sensitive level of protection. Be sure you've completed the steps in Deploy teams with baseline protection before following the steps in this article.
For this tier of protection, we create a sensitivity label that can be used across your organization for highly sensitive teams and files.
The highly sensitive tier offers the following additional protections over the baseline tier:
Watch this video for a walkthrough of the procedures described in this article.
Depending on the nature of your business, you may or may not want to enable guest sharing for teams that contain highly sensitive data. If you do plan to collaborate with people outside your organization in the team, we recommend enabling guest sharing. Microsoft 365 includes a variety of security and compliance features to help you share sensitive content securely. This is generally a more secure option than emailing content directly to people outside your organization.
For details about sharing with guests securely, see the following resources:
To allow or block guest sharing, we use controls available in sensitivity labels.
We use a Microsoft Entra authentication context to enforce more stringent access conditions when users access SharePoint sites.
First, add an authentication context in Microsoft Entra ID.
To add an authentication context
In Microsoft Entra Conditional Access, under Manage, select Authentication contexts.
Select New authentication context.
Type a name and description and select the Publish to apps check box.
Select Save.
Next, create a conditional access policy that applies to that authentication context and that requires guests to use multifactor authentication when accessing SharePoint.
To create a conditional access policy
In Microsoft Entra Conditional Access, select Create new policy.
Type a name for the policy.
On the Users tab, choose the Select users and groups option, and then select the Guest or external users check box.
Choose B2B collaboration guest users from the dropdown.
On the Target resources tab, under Select what this policy applies to, choose Authentication context, and select the check box for the authentication context that you created.
On the Grant tab, select Require multifactor authentication, and then choose Select.
Choose if you want to enable the policy, and then select Create.
We'll point to the authentication context in the sensitivity label.
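The authentication context and guest MFA policy above can also be created with Microsoft Graph PowerShell. The following script is an added example, not code from the article or from Microsoft; the context ID `c1`, the display names and the report-only policy state are assumptions to adjust for your tenant. It checks that the chosen context ID is free, publishes the context so a sensitivity label can reference it, and scopes the policy to B2B collaboration guests from any external tenant, exactly as the portal steps do.

```powershell
# Added example (not from the article): creates the authentication context and the
# Conditional Access policy described above with Microsoft Graph PowerShell instead of
# the portal. Names, the context ID "c1" and the policy state are assumptions; adjust them.
# Requires the Microsoft.Graph.Identity.SignIns module and an account allowed to manage
# Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Authentication context. IDs are fixed to c1..c99; "isAvailable" corresponds to the
#    "Publish to apps" check box, which is what lets a sensitivity label select it.
$contextId = "c1"   # assumed to be unused; existing contexts are checked first
$existing = Get-MgIdentityConditionalAccessAuthenticationContextClassReference -ErrorAction SilentlyContinue
if ($existing.Id -contains $contextId) {
    throw "Authentication context $contextId already exists; pick another ID."
}
$context = New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter @{
    id          = $contextId
    displayName = "Highly sensitive teams"
    description = "Guests must satisfy MFA to open highly sensitive SharePoint sites"
    isAvailable = $true
}

# 2. Conditional Access policy: B2B collaboration guests from any external tenant,
#    targeted at the authentication context rather than at an app, grant = require MFA.
#    Created in report-only mode first so sign-in logs can be reviewed before enforcing.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for guests on highly sensitive sites"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" to enforce
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications = @{
            includeAuthenticationContextClassReferences = @($context.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Read the policy back so it can be compared with the portal steps above.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
"Authentication context '$($context.DisplayName)' ($($context.Id)) can now be selected in the sensitivity label."
```

Report-only mode corresponds to leaving the policy disabled for enforcement in the final portal step; switch `state` to `enabled` once the sign-in logs show only the intended guest sessions being caught.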
For the highly sensitive level of protection, we use a sensitivity label to classify the team. We also use this label to classify and encrypt individual files in the team. (It can also be used on files in other file locations such as SharePoint or OneDrive.)
As a first step, you must enable sensitivity labels for Teams. See Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites for details.
If you already have sensitivity labels deployed in your organization, consider how this label fits with your overall label strategy. You can change the name or settings if needed to meet the needs of your organization.
Once you have enabled sensitivity labels for Teams, the next step is to create the label.
To create a sensitivity label
Once you've created the label, you need to publish it to the users who will use it. For sensitive protection, we make the label available to all users. You publish the label in the Microsoft Purview compliance portal, on the Label policies page under Information protection. If you have an existing policy that applies to all users, add this label to that policy. If you need to create a new policy, see Publish sensitivity labels by creating a label policy.
Further configuration of the highly sensitive scenario is done in the team itself and in the SharePoint site associated with the team, so the next step is to create a team.
We'll create the team in the Teams admin center.
To create a team for highly sensitive information
In this tier, we restrict creating private channels to team owners.
To restrict private channel creation
Shared channels don't have team-level settings. The shared channel settings you configure in the Teams admin center and the Microsoft Entra admin center apply to individual users.
Each time you create a new team with the highly sensitive label, there are two steps to do in SharePoint:
The default sensitivity label must be configured in the site itself and can't be set up from the SharePoint admin center or via PowerShell.
Each time you create a new team with the highly sensitive label, you need to turn on site access restriction on the associated SharePoint site. This prevents people from outside the team from accessing the site or its content. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)
If you haven't used site access restriction before, you need to turn it on for your organization.
It might take up to an hour for this to take effect.
To turn on site access restriction for the site
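The private channel restriction and the site access restriction steps can both be applied from PowerShell once the team exists. The following script is an added example, not code from the article or from Microsoft; the group ID, site URL and admin URL are placeholders, and it assumes the MicrosoftTeams and SharePoint Online Management Shell modules are installed. It turns on the organization-wide switch, restricts the team's site to its Microsoft 365 group members, limits private channel creation to owners, and reads the settings back so the change can be confirmed (allowing for the delay of up to an hour noted above).

```powershell
# Added example (not from the article): after a highly sensitive team exists, restrict
# private channel creation to owners and turn on site access restriction for its
# SharePoint site. The group ID and URLs are placeholders; the restricted-access
# setting can take up to an hour to take effect, as the article notes.
# Requires the MicrosoftTeams and Microsoft.Online.SharePoint.PowerShell modules.
$groupId  = "<team-group-id>"                                   # placeholder
$siteUrl  = "https://contoso.sharepoint.com/sites/<team-site>"  # placeholder
$adminUrl = "https://contoso-admin.sharepoint.com"              # placeholder

Connect-MicrosoftTeams
Connect-SPOService -Url $adminUrl

# 1. Team setting: only owners may create private channels.
Set-Team -GroupId $groupId -AllowCreatePrivateChannels $false

# 2. Organization-wide switch for site access restriction (one-time; safe to repeat).
Set-SPOTenant -EnableRestrictedAccessControl $true

# 3. Per-site: limit access to members of the team's Microsoft 365 group, so people
#    outside the team cannot open the site or its content.
Set-SPOSite -Identity $siteUrl -RestrictedAccessControl $true

# 4. Read the settings back so the change can be confirmed.
Get-Team -GroupId $groupId | Select-Object DisplayName, AllowCreatePrivateChannels
Get-SPOSite -Identity $siteUrl -Detailed | Select-Object Url, RestrictedAccessControl
```

Step 2 is only needed the first time site access restriction is used in the organization; steps 1, 3 and 4 are repeated for every new team created with the highly sensitive label. The default sensitivity label for the document library still has to be set in the site itself, as the article states.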
We'll use the sensitivity label that we created as the default sensitivity label for the site document library that is connected to Teams. This will automatically apply the highly sensitive label to any new label-compatible files that are uploaded to the library, encrypting them. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)
You need to be a team owner to do this task.
To set a default sensitivity label for a document library
In Teams, navigate to the General channel of the team you want to update.
In the toolbar for the team, select Files.
Select Open in SharePoint.
In the SharePoint site, open Settings and then choose Library settings.
From the Library settings flyout pane, select Default sensitivity labels, and then select the highly sensitive label from the drop-down box.
For more details about how default library labels work, see Configure a default sensitivity label for a SharePoint document library and Add a sensitivity label to SharePoint document library.