Enterprise Mobility Information Protection

Creating New Sensitivity Labels with a PowerShell

Read Time: 3 minutes

Sensitivity Labels can be used to apply the information security classification for your organization to files & emails (and other areas) within Microsoft 365. Specifically to files inside of SharePoint Online, Microsoft Teams, OneDrive and all of your emails in Exchange.

Sensitivity Labels are created and managed within the Compliance Center in M365 and are available to both M365 E3 and M365 E5 licensed organizations.

One of the key advantages to using Sensitivity Labels over legacy methods to apply a classification is the label is not merely metadata, but we can automate and enforce classification standards on our files & emails.

We can use the user friendly user-interface in the Compliance Center, or we can build our own PowerShell script which will allow us to add configuration items otherwise not available to us. In additional to gaining access to additional features (e.g., providing a multilingual experience), PowerShell scripts allow us to build and test our Sensitivity Labels deployment in a structured and repeatable method. This reduces risk as it removes opportunity for human error and ensures the staging environment deployment will be identically deployed in our production environment.

1. PowerShell Pre-requisites

In order to create and configure our Sensitivity Labels, we need to install the Exchange Online Management Shell if we don’t have it using PowerShell ISE (Run as Admin).

Import-Module ExchangeOnlineManagement

2. Connect to the Security & Compliance PowerShell

Using Exchange Online Management module, we must connect to the Security & Compliance PowerShell.


3. Create the Label

In order to create the Label at its most basic level, we will run the New-Label command, and identify three (3) fields for the label

  1. DisplayName: The display name is what is seen by end users and can be updated based on business needs (in the event it must)
  2. Name: The name cannot be changed and is generally considered to be a unique value in your tenant. The name is what will be displayed in the Audit Log and various administrative consoles.
  3. ToolTip: The tool tip field should include language which communicates the sensitivity of the file which has the applied label.

In this case, we will create a label called “public” with an identical display name and a description of whom the file can be distributed to.

New-Label -DisplayName "Public" -Name "Public" -ToolTip "This content can be freely shared with the public."

With that simple line we created a Sensitivity Label which can be furthered configured from the Compliance Centre or with the Set-Label command.

Now that we have created the label, we will use PowerShell to apply the following (in future posts):

  • Multilingual Support
  • File & Email settings
    • Header, footer, and watermark markings
    • Encryption Settings
    • Default Share and Permissions Scope
  • Groups & Sites settings
    • Public and Private options for MS Teams membership
    • external access

Following completion of configuring our labels, we will create a Sensitivity Label Policy (or two).

Share This