Classifying your Teams sensitivity labels

5 min read

By defining a governance strategy, you significantly increase the chances of a successful roll-out and usage of Microsoft Teams in your organization. Your governance strategy contains all the settings and requirements for your Microsoft Teams environment. The following requirements are part of the teams you create:

  • Privacy (open or private)
  • Inviting external users (allowed or disabled)
  • Type of sharing link (everyone, new & existing guests, existing guests or disabled)
  • Access with an unmanaged device (full access, web only or disabled)

Microsoft provides sensitivity labels to enforce these requirements. Traditionally, sensitivity labels are used to classify and protect documents. The labels can now also be used with Microsoft 365 Groups (Microsoft Teams & SharePoint Team Sites).
In the scenario for this article, we are providing a classification label for the creation of teams in Microsoft Teams. Before we create sensitivity labels and attach them to our teams, we need to follow the instructions from the following resource for enabling labels:

Creating the sensitivity label

Now we continue by creating a new sensitivity label in the Compliance Administration Center. We start by providing a name & description for our label:

Next step, we define the scope for our label:

We are only using this label to classify our teams and not our content. The scope of our label, in this scenario, is Group & Sites. We click on Next twice and select the following two options:

In the next step, we make our teams private by default and allow external users.

Next step, we allow the members to share content with new & existing guests. To comply with our device management policy, we only allow members with unmanaged devices to use the web version of Office:

We click on Next until we reach the review screen and create our label. Our business users can’t apply the label until we publish it.
We select the label and click on Publish:

Did you create more labels? Select all labels. In our case, we only have our project label. We click on Next:

We are publishing the label to all our users. Normally, we advise publishing the label to a selection of users first to make sure the label works as designed. We click on Next until we reach the following menu:

We aren’t using a default label because we want our users to decide, when they create a new team, what label to apply. The last step consists of naming our policy:

We are now ready to create our policy and make the new label available! Be aware: The label isn’t available immediately. This can take up to 24 hours. In our experience it’s often one hour.

Assigning a label to a new team

We can use our label when we create a new team:

We select our projects label:

According to our label settings, the team is private. We can also add guests:

The label is always visible on the top right side of the team:

Do you need to apply different requirements for all your teams with the project label? You only need to change the settings of the label, and all teams with the label inherit the new settings. Don’t forget to communicate the change to the owners!
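Because no default label is set, teams can still be created without one. The following PowerShell is an added example, not part of the original article: it checks group records, in the shape Microsoft Graph returns them, for a missing label or a privacy setting that differs from the label's. The label name "Project", its GUID, the sample teams and the function name `Test-TeamLabel` are constructed for illustration.

```powershell
# Expected privacy per label id. The GUID is a constructed placeholder for the
# label created in this article; replace it with the id from your own tenant.
$LabelPolicy = @{
    '00000000-0000-0000-0000-000000000001' = @{ Name = 'Project'; Visibility = 'Private' }
}

function Test-TeamLabel {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Group,
        [Parameter(Mandatory)] [hashtable] $Policy
    )
    process {
        # AssignedLabels can be $null or empty; filter so Count is reliable.
        $labels = @($Group.AssignedLabels | Where-Object { $_ })
        $finding = if ($labels.Count -eq 0) {
            'No sensitivity label assigned'
        } elseif (-not $Policy.ContainsKey($labels[0].LabelId)) {
            "Unknown label id $($labels[0].LabelId)"
        } elseif ($Group.Visibility -ne $Policy[$labels[0].LabelId].Visibility) {
            "Visibility '$($Group.Visibility)' does not match the label"
        } else { $null }

        [pscustomobject]@{
            Team      = $Group.DisplayName
            Label     = if ($labels.Count) { $labels[0].DisplayName } else { '(none)' }
            Compliant = ($null -eq $finding)
            Finding   = $finding
        }
    }
}

# Constructed sample records. Against a tenant, the same shape comes from the
# Microsoft.Graph.Groups module (assignedLabels is only returned when selected):
#   Get-MgGroup -All -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" `
#       -Property id,displayName,visibility,assignedLabels
$projectLabel = [pscustomobject]@{
    LabelId = '00000000-0000-0000-0000-000000000001'; DisplayName = 'Project'
}
$sampleTeams = @(
    [pscustomobject]@{ DisplayName = 'Project Apollo'; Visibility = 'Private'; AssignedLabels = @($projectLabel) }
    [pscustomobject]@{ DisplayName = 'Project Gemini'; Visibility = 'Public';  AssignedLabels = @($projectLabel) }
    [pscustomobject]@{ DisplayName = 'Lunch Club';     Visibility = 'Public';  AssignedLabels = $null }
)

$sampleTeams | Test-TeamLabel -Policy $LabelPolicy | Format-Table -AutoSize
```

On the sample data, "Project Gemini" is reported for a visibility mismatch and "Lunch Club" for having no label.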


One part of your governance strategy should contain the collaboration templates you are facilitating through Microsoft Teams in your organization. For example: Projects, departments, or customers. Microsoft Teams supports the creation of out-of-the-box templates:

At the moment of writing, Microsoft doesn’t support sensitivity labels with templates. No need to worry! Roadmap ID 84232 has the following description:

“Sensitivity labels allow Teams admins to protect and regulate access to sensitive organizational content created during collaboration within teams. With this update, you will be able to apply sensitivity labels to teams created from templates as well.”

The update is rolling out late September and is expected to be completed by mid-October. In case you are using your own provisioning solution, we advise looking at PnP PowerShell or the Microsoft Graph. These should offer, or are working on, an integration of sensitivity labels.

Ultimately, once sensitivity labels are applied to your teams and you are happy with how things are configured, effectively governing external access and sharing as part of your wider Microsoft 365 governance approach means being able to scale your processes to match how rapidly your Microsoft 365 environment grows as adoption takes off.

Third-party solutions such as Rencore Governance can help fill in gaps when platform usage and growth become hard to tackle with out-of-the-box or in-house built solutions.

If you are interested in learning more about governance in Teams, I also recommend the following Teams governance best practices free whitepaper.
