Sensitivity Labels Control External Sharing for SharePoint Online Sites

Posted on by Tony Redmond

New Label UI Rolling Out

Update: This capability is now Generally Available. See this post for more information.

Previewed earlier this year, Microsoft has extended the container management settings for sensitivity labels to include control over the external sharing setting for SharePoint Online team sites connected to Microsoft 365 Groups. As per Microsoft 365 roadmap item 68700, the updated user interface to allow tenants to choose the external sharing setting is now rolling out to the Microsoft 365 compliance center.

By default, sensitivity labels do not control external sharing, so if you intend using labels for this purpose, you need to edit the labels used for container management to choose the appropriate setting. To limit the choice available to users and to make label management simpler, my advice is to maintain separate sets of labels: one set for information protection and marking and the other for container management.

Options for External Sharing

SharePoint Online supports organization-level and site-level settings for external sharing. Site-level settings are often used to set a more restrictive level of sharing for sites containing important or confidential information.

The control available in sensitivity labels is over the site-level setting for external sharing. When you assign a sensitivity label to a site (Figure 1), SharePoint Online applies the container management settings to the site, including the external sharing setting.

Selecting a sensitivity label to apply to a SharePoint Online team site
Figure 1: Selecting a sensitivity label to apply to a SharePoint Online team site

As shown in Figure 2, the control in a sensitivity label offers the same four external sharing options as can be applied through the SharePoint admin center (see below) or PowerShell (the relevant value used with the Set-SPOSite cmdlet is in parenthesis):

  • Anyone (ExternalUserAndGuestSharing): Sharing is allowed with all external users, and documents can be shared using anonymous access links (Anyone links).
  • New and existing guests (ExternalUserSharingOnly): Sharing is allowed with new external users, who must accept a sharing invitation and go through an authentication process to create a guest account.
  • Existing guests (ExistingExternalUserSharingOnly): Sharing is only allowed with the guest users already in an organization’s directory.
  • Only people in your organization (Disabled): No sharing with external users is allowed.
Selecting the external sharing settings for a sensitivity label
Figure 2: Selecting the external sharing settings for a sensitivity label

When defined, the external sharing setting is stored in the externalsharingcontroltype value in the label. After connecting a PowerShell session to the compliance center endpoint, we can examine this setting:

$Settings = Get-Label "Confidential Access" | Select -ExpandProperty LabelActions | ConvertFrom-Json
$Settings | ?{$_.Type -eq "protectsite"} | Select -ExpandProperty Settings

Key                        Value
---                        -----
allowfullaccess            false
allowlimitedaccess         false
blockaccess                true
disabled                   false
externalsharingcontroltype Disabled

Label Settings and Tenant Settings

As noted above, the settings available in a sensitivity label match those available for SharePoint Online. Figure 3 shows the values as set in the SharePoint admin center. Remember that the external sharing setting applied to a site cannot be less restrictive than that allowed by the tenant. For instance, if the tenant doesn’t allow Anyone links, you can’t set that external sharing level for a site.

Setting tenant-wide external sharing limits in the SharePoint admin center
Figure 3: Setting tenant-wide external sharing limits in the SharePoint admin center

The compliance center GUI doesn’t validate the external sharing capability selected for a label against what’s allowed by the tenant. If a less restrictive external sharing capability is set in a label, SharePoint Online will ignore the setting when it applies container management settings to the site.

The Effect of Caching

SharePoint Online caches sensitivity label data. For this reason, if you update an existing label to add a setting for external sharing, it won’t be available to be applied to sites for 24 hours. On the other hand, if you create a new label with a setting for external sharing, it will be available within 15 minutes.

The Office 365 for IT Pros eBook is the only book covering the technology, deployment, and management of Office 365 apps which is updated monthly. Don’t you think you need to understand what’s going on inside Microsoft’s cloud office service? Subscribe today!

2 Replies to “Sensitivity Labels Control External Sharing for SharePoint Online Sites”

  1. Pingback: Azure AD Premium Licenses Needed to Manage SharePoint Sites with Sensitivity Labels – My WordPress
  2. Pingback: How to Control the Access of Guest Users to Confidential Information in Microsoft 365 Groups and Teams - Office 365 for IT Pros

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.