Analyze Sensitivity Label Policies to See Who Gets What Labels
A question in the Microsoft Technical Community asked about the best method to find which sensitivity label policies are assigned to specific users. Vasil Michev weighed in to recommend using the information recorded by Exchange Online about in-place holds in user mailboxes and the organization configuration. The information includes entries for the policies which publish retention labels and sensitivity labels to users. Exchange Online and its clients use this data to figure out the precise set of labels available to users.
Checking In-Place Holds for Sensitivity Label Policies
As an example, these commands retrieve the in-place hold information applicable to all users from the organization configuration and the identifiers and display names for sensitivity label publishing policies. A match exists for policy 19200b9a-f084-4252-9be0-70dae2fd54d3, so we can say that all users receive the labels published by the General sensitivity policy.
```powershell
Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds

grpd34273e9a8504c6c965d947f152d13c2:2
mbxf6a1654abdba4712a43c354e28a4d56c:1
mbx95c7ff3a9a344cb49b4116180c9e975a:3
grp95c7ff3a9a344cb49b4116180c9e975a:3
grp85eb38087b2642619b79161788f5b81b:1
grp5d763f9615e8424a8190b49687c65f46:1
grpfcab5f8ef3e74a778c33a744d686b010:1
mbx19200b9af08442529be070dae2fd54d3:1
grpf6a1654abdba4712a43c354e28a4d56c:1
mbxc1e2d6f1785d4bf8a7746a26e58e5f66:1

Get-LabelPolicy | Format-Table Name, Guid

Name                        Guid
----                        ----
Eyes Only Policy            5de1c9f6-ca28-402a-81b7-89177755897b
Black Matter Policy         4f8ff12c-5665-4e45-b7bc-3e9fc1bbc91c
Container Management Labels fac260a8-1bc4-44bd-9735-7ab0072bcfc4
General sensitivity policy  19200b9a-f084-4252-9be0-70dae2fd54d3
```
However, that’s not the whole story because publishing policies can include per-user exclusions that block those users from being able to use labels published by policies targeted at all users.
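The GUID matching done by eye above can be scripted. The following is an added example, not code from the original article: the function name Resolve-HoldToLabelPolicy is hypothetical, and the sample arrays reuse values from the output shown earlier so that the example runs without a tenant connection.

```powershell
# Added example; Resolve-HoldToLabelPolicy is a hypothetical helper name.
function Resolve-HoldToLabelPolicy {
    param(
        [string[]]$InPlaceHolds,  # entries as returned in InPlaceHolds
        [object[]]$Policies       # objects with Name and Guid properties
    )
    # Index policies by GUID in "N" format (32 hex digits, no hyphens),
    # the form in which the GUID appears inside a hold entry.
    $Index = @{}
    foreach ($P in $Policies) {
        $Index[([guid]$P.Guid).ToString('N')] = $P.Name
    }
    foreach ($Hold in $InPlaceHolds) {
        # Entry layout seen in the output above: 3-letter prefix, GUID, ":", number
        if ($Hold -notmatch '^(?<Prefix>[a-z]{3})(?<Id>[0-9a-f]{32}):(?<Suffix>\d+)$') {
            Write-Warning "Unrecognized hold entry: $Hold"
            continue
        }
        [pscustomobject]@{
            Hold        = $Hold
            Prefix      = $Matches.Prefix
            PolicyGuid  = ([guid]$Matches.Id).ToString()
            LabelPolicy = $Index[$Matches.Id]  # $null if no label policy has this GUID
        }
    }
}

# Values copied from the article's output so the example runs offline.
# In a live session, use Get-OrganizationConfig and Get-LabelPolicy instead.
$Holds = @(
    'grpd34273e9a8504c6c965d947f152d13c2:2'
    'mbxf6a1654abdba4712a43c354e28a4d56c:1'
    'mbx19200b9af08442529be070dae2fd54d3:1'
    'grpf6a1654abdba4712a43c354e28a4d56c:1'
)
$SamplePolicies = @(
    [pscustomobject]@{ Name = 'Eyes Only Policy';           Guid = '5de1c9f6-ca28-402a-81b7-89177755897b' }
    [pscustomobject]@{ Name = 'General sensitivity policy'; Guid = '19200b9a-f084-4252-9be0-70dae2fd54d3' }
)

# Show only the hold entries that correspond to a sensitivity label policy
Resolve-HoldToLabelPolicy -InPlaceHolds $Holds -Policies $SamplePolicies |
    Where-Object LabelPolicy |
    Format-Table Hold, Prefix, LabelPolicy
```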
Scripting a Solution to Reveal Policies that Publish Labels
Anyway, looking at lists of GUIDs is not a user-friendly way to figure out information about how users gain access to sensitivity labels. A different approach is to analyze the sensitivity label publishing policies to find what labels each policy publishes and the target users to figure out where the labels available to a specific user come from. The code below:
- Defines the user to check.
- Connects to Exchange Online and the compliance endpoint.
- Fetches details of the sensitivity labels defined in the tenant and stores them in a hash table to allow the script to resolve the label identifiers stored in policies to label names.
- Fetches details of the sensitivity label publishing policies and sorts them so that the policy with highest priority is processed first.
- For each policy, checks if the user is targeted individually (as a named location) or because the policy covers all users.
- Checks if the policy excludes the user. Exclusion means that even if the policy covers all users, the specified user cannot see and use the sensitivity labels contained in the policy.
- If the user is within the scope of a policy, the script fetches details of the sensitivity labels published by the policy and resolves the identifiers to display names.
- Outputs the results.
Here’s the code:
```powershell
# Connect to Exchange Online (if not already connected) and the compliance endpoint
If ($Null -eq (Get-ConnectionInformation)) {
    Connect-ExchangeOnline
}
Connect-IPPSSession

# User to check
$User = "Lotte.Vetler@office365itpros.com"

Write-Host "Finding details of sensitivity labels and policies…"
Write-Host ""
# Get set of sensitivity labels in tenant
[array]$Labels = Get-Label
# Hash table to resolve label identifiers to display names
$LabelsHash = @{}
ForEach ($L in $Labels) {
    $LabelsHash.Add([string]$L.ImmutableId, [string]$L.DisplayName)
}

# Get policies in order of importance
[array]$Policies = Get-LabelPolicy | Where-Object {$_.Type -eq 'PublishedSensitivityLabel'} | Sort-Object Priority -Ascending
Clear-Host
Write-Host ("Checking {0} against sensitivity label policies…" -f $User)
Write-Host ""
ForEach ($Policy in $Policies) {
    $UserFound = $False
    [array]$LabelNames = $Null
    # User is targeted individually as a named location
    If ($User -in $Policy.ExchangeLocation.Name) {
        $UserFound = $True
    }
    # Policy covers all users
    If ($Policy.ExchangeLocation.Name -eq "All") {
        $UserFound = $True
    }
    # An exclusion overrides both kinds of targeting
    If ($User -in $Policy.ExchangeLocationException.Name) {
        $UserFound = $False
        Write-Host ("User {0} blocked from labels published in policy {1}" -f $User, $Policy.Name) -ForegroundColor Red
    }
    If ($UserFound) {
        # Resolve the label identifiers published by the policy to display names
        ForEach ($Label in $Policy.ScopedLabels.Guid) {
            $LabelName = $LabelsHash[$Label]
            $LabelNames += $LabelName
        }
        Write-Host ("Policy {0} (Priority {1}) gives {2} access to the labels {3}" -f $Policy.Name, $Policy.Priority, $User, ($LabelNames -join ", ")) -ForegroundColor Yellow
    }
} # End ForEach Policy
```
Figure 1 shows the output. It’s a little more human-friendly than looking through lists of GUIDs.

PowerShell Knowledge Key
This discussion proves once again that there are usually multiple ways to solve a problem in Microsoft 365. It also reinforces the worth of knowing how to use PowerShell to interact with system data. All in a day’s work…