Container label
Classifies a site, Team, Microsoft 365 group, and other supported workspace. Enforces configured boundary settings such as privacy, guests, SharePoint sharing, devices, authentication context, discovery, and shared-channel rules.
Design sensitivity labels as enforceable protection boundaries for SharePoint sites, Microsoft Teams, and Microsoft 365 groups. Map plain-language classification to privacy, guest access, SharePoint external sharing, unmanaged-device access, authentication context, shared-channel behavior, and safe sharing defaults—then pilot, publish, apply, validate, monitor, and roll back without assuming the label protects every file inside.

Microsoft Purview sensitivity labels can protect collaborative containers in addition to documents and email. For sites, Teams, and Microsoft 365 groups, the label can define supported settings such as public or private privacy, guest access, SharePoint external-sharing level, unmanaged-device restrictions, authentication context, private-team discoverability, and which teams may be invited to shared channels.
The control must be understandable before it is technical. A site owner choosing “Confidential — External Collaboration” should know which guests are allowed, what link types remain available, whether unmanaged devices receive web-only or blocked access, whether step-up authentication applies, who may change the label, and what happens to existing guests and links after a downgrade or restriction.
Boundary distinction: a Groups & sites label protects supported settings on the container. It does not automatically apply that label to files, encrypt documents, add headers or watermarks, set retention, block every oversharing path, or replace site permissions. File labels, default library labels, auto-labeling, DLP, retention, access reviews, sharing policy, and Conditional Access must be designed as coordinated but separate controls.
Reusing familiar names can help users, but each scope applies different settings and has different evidence. Never infer one scope from another.
Classifies a site, Team, Microsoft 365 group, and other supported workspace. Enforces configured boundary settings such as privacy, guests, SharePoint sharing, devices, authentication context, discovery, and shared-channel rules.
Classifies items and can apply encryption, content marking, access restrictions, sharing defaults, DLP conditions, and other item behavior. The container label does not automatically label its files.
Controls supported meeting options, invites, and chat. A container label can be associated with a default meeting/chat label for channel meetings when prerequisites and licensing are satisfied.
Retention policies and labels control how long content is kept or deleted and whether it becomes a record. Sensitivity labels classify and protect; they are not retention labels or backup.
| Control question | Container sensitivity label | Coordinating control | Evidence to validate |
|---|---|---|---|
| Who may join or reach the workspace? | Privacy, external-user access, SharePoint external-sharing level, unmanaged-device policy, and authentication context | Microsoft 365 group/Team/site permissions, Entra B2B and cross-tenant access, Conditional Access, sharing policy, owner recertification | Label ID, effective site/group settings, membership/guest/link inventory, device/authentication persona tests, access denials |
| How is a document classified and protected? | Container label can signal and govern the workspace but does not automatically label documents | File label, default library label, policy default, manual/auto-labeling, encryption, DLP, default sharing link | File label ID/priority, encryption/permissions, library default, audit events, supported formats, upload/edit and sharing tests |
| How long is content kept? | No direct retention or backup behavior | Purview retention policy/label, record management, eDiscovery hold, versioning, recycle bins, backup and restore | Retention/record IDs, location scope, preservation behavior, restore test, legal approval, disposal review |
| How are Teams meetings protected? | Optional association with a meeting/chat label for channel meetings; shared-channel behavior depends on the parent Team | Meeting sensitivity labels, Teams meeting policies, recording/transcription, external participant, Purview and eDiscovery controls | Container association, meeting label/options, client/licensing support, organizer/member/guest tests, recording/chat evidence |
| Does a more sensitive file belong here? | SharePoint can detect a higher-priority file label than the site label and generate an event/email; upload is not blocked | Owner workflow, DLP, auto-labeling, library default, content architecture, Restricted Content Discovery or access controls as applicable | DocumentSensitivityMismatchDetected event, email routing, owner action, file move/relabel decision, false-positive and closure record |
| Label setting | Protection intent | Dependencies and limits | Validation |
|---|---|---|---|
| Privacy | Set a group-connected Team/site as public or private so membership and discovery match the classification | Changing label settings later doesn’t update hiddenMembership or roleEnabled group properties; reconcile current state rather than relying on the label definition alone | Create and relabel test Teams/groups; verify visibility, membership, owners, group/site/Team label consistency, and application behavior |
| External user access | Allow or prevent guests in the Microsoft 365 group/Team associated with the labeled workspace | A later label-definition change applies to new users, not existing guests. Removing permission in the label is not guest cleanup | Test owner invitation, existing guest continuity, new guest block/allow, external sponsor, group membership, and removal workflow |
| SharePoint external sharing | Set the site’s sharing capability from internal-only through authenticated guests or Anyone, within tenant limits | Tenant sharing is the ceiling; Entra domain restrictions can also apply. Existing links, guests, direct access, and item permissions need separate review | Compare tenant/site values, create permitted/prohibited links, test recipients, inventory existing links/guests, and verify downgrade remediation |
| Unmanaged devices | Use SharePoint/Entra Conditional Access integration to allow full access, limited web-only access, or blocked access | Choose a label setting equal to or more restrictive than the organization-wide unmanaged-device setting. Test Office, browser, sync, mobile, workflow, and download behavior | Managed/compliant/unmanaged personas, supported clients, web download/print/sync, service accounts, emergency access, and help-desk evidence |
| Authentication context | Require a published Entra Conditional Access authentication context when a user accesses the site | Context and CA policy must exist; effect follows the next authentication. Unsupported clients, third-party apps, Power Apps, and Power Automate may fail or behave differently | Supported/unsupported client matrix, MFA/auth strength/device/location conditions, browser and desktop apps, workflow/integration tests, sign-in logs |
| Private Team discoverability | Allow or suppress discovery of a private Team for users who otherwise have discovery capability | It changes discoverability, not membership or permission. Document the user experience and search expectations | Nonmember search/discovery, invitation, join-request path, owner experience, label change, and privacy regression test |
| Shared-channel invitations | Restrict which teams may be invited to the labeled Team’s shared channels: internal-only, same-label, or private-Team patterns as supported | Depends on privacy/external-user settings. Parent-Team label settings flow to shared channels; the label can’t be independently removed or replaced there | Same/different label Team invitations, internal/external participant scenarios, existing channel relationships, removal behavior, cross-tenant settings |
| Default sharing link | Preselect Specific people, organization, Anyone, view, edit, or existing-access link behavior to reduce casual oversharing | PowerShell advanced settings; the user can usually override the default if broader sharing is otherwise allowed. It is a safe starting selection, not enforcement | Label configuration export, Share dialog default, override behavior, site and document scope, view/edit outcome, supported clients |
Export sites, Teams, Microsoft 365 groups, channel sites, existing labels/classifications, owners, purpose, sensitivity, sharing, guests, device policy, authentication context, activity, retention, DLP, and lifecycle. Identify unlabeled, incorrectly labeled, and unsupported container types.
Use a small set of plain-language outcomes with clear examples and exclusions. Microsoft notes that real-world effectiveness declines when too many labels or sublabels are shown. Separate container-only labels only when the benefit outweighs user and priority complexity.
For each label define privacy, guest access, SharePoint sharing, unmanaged devices, authentication context, discovery, shared-channel invitations, default link, item/meeting relationships, owner guidance, exception, and rollback. Record which settings are descriptive versus enforced.
Validate current Purview, SharePoint, Teams, Entra, Conditional Access, and meeting-option licensing. Assign least-privileged label, policy, compliance, SharePoint, Teams, and identity roles. Document sovereign-cloud/client limitations and a manual fallback.
Complete Microsoft’s one-time Entra group setting to enable sensitivity labels for containers, connect to Security & Compliance PowerShell, and run the documented label synchronization. Export before/after settings and verify Groups & sites scope becomes configurable.
Create or edit labels in Purview. Capture the immutable ID, scope, descriptions, color, settings, and priority. Put less restrictive labels above more restrictive labels and plan ordering carefully when container-only and item labels coexist.
Publish authentication contexts and Conditional Access before referencing them. Configure default sharing link values through approved PowerShell, meeting/chat associations where required, and external/shared-channel dependencies. Keep exact commands and previous values for failback.
Create a label policy for named pilot users/groups with clear defaults, mandatory-selection decisions, support guidance, and policy priority. Users can select only labels published to them in filtered services; admins may see a broader tenant label inventory.
Create communication sites, group-connected team sites, Teams, guest-enabled workspaces, and shared-channel scenarios. Apply and change each label. Test owners, members, visitors, guests, unmanaged devices, supported/unsupported clients, links, workflows, apps, and audit evidence.
Approve a current-to-target mapping by owner and risk. Use supported admin centers or controlled PowerShell for scale. Track site/group IDs, old/new label IDs, settings, operator, time, result, propagation, exception, validation, communication, and rollback.
Allow documented propagation time, then compare the effective site, group, and Team settings. Do not assume a restrictive label removes existing guests, links, direct permissions, or access. Remediate each residual path and test the business workflow.
Monitor label coverage, changes, site/file mismatches, creation failures, guest/sharing drift, authentication/device failures, exceptions, owner requests, and policy changes. Review definitions and assignments at least annually and after major product, legal, or collaboration changes.
When a sensitivity label is applied to a Team, the service applies the same label to its Microsoft 365 group and connected SharePoint team site. Microsoft 365 group owners can change the label in supported SharePoint or Teams experiences. Reconcile all three surfaces and don’t change only a downstream property.
A SharePoint site administrator can apply or change a published site label. Communication sites and standalone sites still need owners, sharing, device, authentication, file-label, retention, and permission governance even though there is no Microsoft 365 group membership plane.
Shared channels inherit sensitivity-label settings from the parent Team and can’t use a different label. Private/shared channel sites and Teams client behavior need channel-aware testing. A label applied directly to a private-channel site may not appear as expected in the Teams client.
Change caution: Microsoft recommends not changing site/group settings on a label after it is applied. If you do, allow at least 24 hours for replication, then verify each container. If external-user access changes from allowed to disallowed, existing guests remain and require explicit review/removal. Treat the label edit as a controlled migration, not an instant global fix.
Export label IDs, names, priority, scope, descriptions, settings, advanced settings, publishing policies, policy priority, assignments/exclusions, Entra container-label setting, synchronization date, authentication contexts, and Conditional Access policies.
For each label, create representative SharePoint sites, Teams, and groups. Capture selected label, privacy, owner, guest invitation behavior, SharePoint sharing, default link, unmanaged-device state, authentication context, channel behavior, and creation errors.
Test owner, internal member, nonmember, guest, blocked-domain guest, anonymous recipient, same/different-label Team, and direct permission. Inventory existing guests, links, groups, and item exceptions after a label becomes more restrictive.
Use managed/compliant, managed/noncompliant, unmanaged, mobile, browser, Office desktop, Teams desktop/web, OneDrive, and supported business apps. Capture Conditional Access and SharePoint outcomes, download/sync behavior, errors, and support guidance.
Upload/edit unlabeled, lower-priority, same-priority, and higher-priority files. Verify library defaults, item labeling, encryption, DLP, sharing defaults, DocumentSensitivityMismatchDetected event/email, owner response, and Preservation Hold limitations.
Change and remove a label in pilot, preserve old/new values, allow propagation, verify residual settings, repair guests/links, test creation, and document rollback. Never delete a published label first and discover that new Team/site creation fails afterward.
Audit signal: when a document with a higher-priority sensitivity label is uploaded to a lower-priority labeled site, SharePoint generates an audit event and emails the uploader plus site owners/admins, up to the documented limit. The upload is not blocked. Build a response route, severity, owner, due date, and closure check around the signal.
A visible label is evidence of classification—not proof that every intended boundary, item, guest, link, client, and workflow is protected.
Owners believe a site label automatically labels, encrypts, watermarks, retains, or applies DLP to every file inside.
Overlapping labels and sublabels confuse owners, produce inconsistent provisioning, and make support and audit evidence ambiguous.
“Confidential” is published with no defined privacy, guest, sharing, device, authentication, file, or exception outcome.
Container-only and file labels are ordered inconsistently, weakening mismatch detection and misleading downgrade interpretations.
A label is expected to allow external sharing that tenant, domain, cross-tenant, or site policy blocks—or to override a broader unsafe setting it doesn’t govern.
Admins disable guests or sharing in the label definition but existing guests, links, direct permissions, and downloaded data remain.
Unsupported clients, third-party apps, Power Apps, Power Automate, or sync workflows fail after the context is applied.
Label behavior is weaker than the organization-wide setting or breaks download, sync, printing, preview, and operational workflows.
Privacy, external-user, same-label, cross-tenant, and parent-Team rules conflict with the intended shared-channel collaboration.
The Share dialog starts at Specific people or View, but users can override it because the underlying sharing capability is broader.
A label is removed before policies and creation paths are reconciled, causing new sites, Teams, or groups to fail or show stale choices.
The project records a label ID but never compares site, group, Team, guest, link, device, authentication, channel, and file outcomes.
Safer failback: restore the prior label assignment or definition from an approved export, reapply prior site/group/Team settings where the label doesn’t reverse them, allow propagation, and retest. Removing a label, deleting it, or disabling container labels is not a complete rollback because existing guests, links, privacy state, classifications, item labels, and downstream policies may persist or diverge.
Review cadence: reconcile high-risk or externally shared workspaces quarterly, review label architecture and policy annually, and trigger a focused review after a label-definition change, tenant sharing/device/Conditional Access change, acquisition, regulatory change, major Teams/SharePoint feature change, incident, or repeated mismatch pattern.
No. A Groups & sites label applies supported container settings such as privacy, guests, SharePoint sharing, unmanaged-device access, authentication context, discovery, and shared-channel rules. Files require their own sensitivity-label strategy through manual labeling, policy defaults, default library labels, or auto-labeling. DLP and retention are also separate controls.
Microsoft documents that SharePoint generates the DocumentSensitivityMismatchDetected audit event and emails the uploader plus site owners/admins, up to the documented recipient limit. The upload is not blocked. Your process must route, investigate, move/reclassify, or formally accept the content and close the event.
No. Microsoft states that a changed external-user setting applies to new users but not existing guests. Inventory and remove existing group guests, direct site/file access, sharing links, and other external paths separately, then retest effective access.
Yes, a container label can reference a published Microsoft Entra authentication context tied to Conditional Access. Test supported and unsupported clients, workflows, apps, emergency access, device requirements, and sign-in evidence. Existing sessions may not reflect the setting until the next authentication.
For a group-connected site, Microsoft 365 group owners can change the label in supported SharePoint or Teams experiences. For a non-group-connected site, a SharePoint site administrator is required. Administrative scripts and portals should still follow authorization, change, evidence, and validation controls.
Map existing containers to approved replacement labels, validate effective settings, remove the retiring label from publishing policies, wait the Microsoft-documented interval, and test new Team/group/site creation until it no longer appears. Remove automation and documentation dependencies before deletion. Preserve exports and rollback instructions throughout.
IT Perfection can help Orange County and Southern California organizations inventory collaboration workspaces, design a usable label taxonomy, coordinate Purview, SharePoint, Teams, Entra, DLP, retention, sharing, and Conditional Access controls, run pilot testing, migrate existing sites, and establish operational evidence.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.