In our interconnected digital world, data moves effortlessly across platforms, applications, and collaborative spaces. Meet the container labels, the guardians responsible for protecting data sensitivity and access controls in Microsoft 365. These labels allow you to create rules and policies for different content types across SharePoint sites, Microsoft Teams, and Unified Groups. Get ready as we dive into the detailed process of creating and managing these labels, using both the user-friendly interface (UI) and powerful PowerShell commands.

Empowering End-Users: Setting Up Container Labels

Let’s compare the capabilities of the UI and PowerShell when configuring container labels. While the UI provides a user-friendly experience, PowerShell offers additional settings and flexibility.

UI Settings:

• Privacy (Public or Private): Determine whether a team site or Microsoft 365 group is public (accessible to all) or private (restricted to members).
• External User Access: Control external user access to team sites and groups.
• External Sharing from SharePoint Sites: Define sharing policies for SharePoint sites.
• Access from Unmanaged Devices: Enforce device-based access controls.
• Authentication Contexts: Specify authentication requirements for accessing content.
• Default Label for Channel Meetings: Associate a default label with channel meetings

PowerShell-Only Settings:

Configure Site Sharing Permissions:

• MembersCanShare:
  • MemberShareAll: Site owners and members can share files, folders, and the site.
  • MemberShareFileAndFolder: Site owners, members, and users with Edit permissions can share files and folders, but only site owners can share the site.
  • MemberShareNone: Only site owners can share files, folders, and the site.

Set-Label -Identity <LabelGUID> -AdvancedSettings @{MembersCanShare="MemberShareNone"}

• Default Sharing Link Type:
  • DefaultSharingScope: Choose from SpecificPeople, Organization, or Anyone.
  • DefaultShareLinkPermission: Specify View or Edit permissions.

Set-Label -Identity <LabelGUID> -AdvancedSettings @{DefaultSharingScope="SpecificPeople"}

Set-Label -Identity <LabelGUID> -AdvancedSettings @{DefaultShareLinkPermission="Edit"}

• Default Share Link to Existing Access: Override other settings by enabling DefaultShareLinkToExistingAccess.

Set-Label -Identity <LabelGUID> -AdvancedSettings @{DefaultShareLinkToExistingAccess="True"}

Crafting Container Labels

General Label

• Description: Suitable for public or private teams.
• Permissions:
  • Guests are allowed.
  • File and folder sharing is permitted.
  • Members can share content.
  • Only site owners can share the entire site.

New-Label -Name General `
    -DisplayName General `
    -Tooltip "Public or private team | Guests allowed | File and folder sharing allowed | Members can share content, site owners share the site" `
    -ContentType "Site, UnifiedGroup" `
    -AdvancedSettings @{
        MembersCanShare = "MemberShareFileAndFolder"
    }

Sensitive Label:

• Description: Intended for private teams.
• Permissions:
  • Guests are allowed.
  • Sharing is restricted to specific people.
  • Site and group protection settings ensure privacy.

New-Label -Name Sensitive `
    -DisplayName Sensitive `
    -Tooltip "Private team | Guests allowed | File and folder sharing allowed | Members can share content, site owners share the site" `
    -ContentType "Site, UnifiedGroup" `
    -AdvancedSettings @{
        MembersCanShare = "MemberShareFileAndFolder"
        DefaultSharingScope = "SpecificPeople"
    } `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy "Private" `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $true

Highly Sensitive Label:

• Description: Reserved for strictly internal teams.
• Permissions:
  • Guests are not allowed.
  • Sharing is limited to internal members only.
  • Site owners have exclusive sharing rights.

New-Label -Name "Highly Sensitive" `
    -DisplayName "Highly Sensitive" `
    -Tooltip "Private team | Guests not allowed | Internal sharing only | Only site owners can share content and the site" `
    -ContentType "Site, UnifiedGroup" `
    -AdvancedSettings @{
        MembersCanShare = "MemberShareNone"
        DefaultSharingScope = "SpecificPeople"
    } `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy "Private" `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteExternalSharingControlType "Disabled"

Wrapping up

In this journey through the intricacies of container labels, we’ve explored options for both the user-friendly UI and the powerful realm of PowerShell. Armed with this knowledge, you can now confidently sculpt rules and policies for your content—whether it resides in SharePoint sites, Microsoft Teams, or Unified Groups.

Remember, the UI provides simplicity and ease of use, while PowerShell offers additional settings and flexibility.

Thank you for reading
/Simon