Skip to main content

017: Implement SharePoint Permission Strategy

Overview

Sensitivity labels can be applied not just to documents and emails, but also to SharePoint sites and OneDrive. When applied to sites, sensitivity labels can be used to enforce SharePoint policies for external sharing, guest access, privacy controls and conditional access. They can also be used to assign default labels for content and other settings.

At this stage you should design and implement a strategy for SharePoint Online sites permissions and labeling including:

  • Decide whether you will use the same label taxonomy as the one you used for documents and emails (recommended) or you will use a separate group of labels for this scenario. Even in the case of a separate set of labels, it is recommended that the language used for the labels is closely aligned between the two to help reinforce their meaning.
  • Decide whether a default label will be used for sites, and whether labeling will be mandatory. In environments where Zero Trust is being implemented, mandatory labeling of sites should be enforced, and a default label which enforces internal-only access by authenticated users can be configured.
  • Decide which controls will be enforced by these labels. Generally, labels such as "public" do not enforce major restrictions, though anonymous sharing should be disabled for all sites to achieve zero trust. For sites related to internal-only content, the following settings are recommended to align with the zero trust principles:
  • Configuring the privacy level settings to "Private" so access to sites must be explicitly granted.
  • Configuring external sharing settings in the label to either allow only people in your organization for labels designating internal sites, or for external sites to only allow existing guests (which must be explicitly added to your directory by using Entra ID) to access the site. Enabling the option to give access to new guests will allow individual users in the company to automatically add people as guest to the organization by just sharing content in SharePoint, so this option should not be selected unless the burden of manually inviting users is considered unacceptable in the company's business.
  • Enforce Conditional Access to access the sites, according to C.A. policies defined as part of the workshop for the Identity pillar. For labels designating internal sites, allow only access from managed devices. For labels designating external sites, allowing web access only is recommended.

You can also use sensitivity labels on Teams for teams and channels, as well as for Microsoft 365 groups, using criteria similar to the ones used for SharePoint and OneDrive.

Depending on the type of site (Team site, Channel sites, Communication sites, Hub sites) apply the appropriate permissions. You should also consider using SharePoint Advanced Management options for further restricting and monitoring access to SharePoint sites.

Reference