Controlling Microsoft Teams Guest Access using Sensitivity Labels



Part 2 of 2: The Admin Experience

The video demonstration below provides a basic overview of how I created the sensitivity labels and the associated policy that I used during my Part 1 of 2: The End User Experience post. If you are new to this topic it should provide a useful few minutes of content to help you get started.

Enabling Sensitivity Labels in a Tenant: At the time of writing I had to enable MIP (Microsoft Information Protection) in my tenant to turn on Sensitivity labels. Some getting-started documentation is provided here. I’ve pasted a screenshot of the Group.Unified template with MIP enabled below:

In a production environment there are numerous other considerations we need to incorporate into a deployment plan. For example, if a tenant has previously used Classic Azure AD group classification, then you’ll probably want to migrate these labels to your new ones. For more detailed information about this topic and others start here.
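The Group.Unified setting mentioned above can also be checked and enabled from PowerShell. The following is an added example, not taken from the original post: it assumes the AzureADPreview module and an account allowed to change directory settings, and it also reports any Classic Azure AD classifications so they can be planned into a migration.

```powershell
# Added example (not from the original post). Assumes the AzureADPreview
# module is installed and the signed-in account may edit directory settings.
Import-Module AzureADPreview
Connect-AzureAD

# A tenant has no Group.Unified settings object until one is created from
# the template, so handle both the "missing" and the "exists" case.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting = $template.CreateDirectorySetting()
    $setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
}
elseif ($setting['EnableMIPLabels'] -ne 'True') {
    $setting['EnableMIPLabels'] = 'True'
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the value back from the directory rather than trusting the local object.
$current = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
'EnableMIPLabels = {0}' -f $current['EnableMIPLabels']

# Classic Azure AD group classifications live in ClassificationList on the
# same settings object; list them so each can be mapped to a new label.
$classic = $current['ClassificationList']
if ($classic) {
    'Classic classifications to migrate:'
    $classic -split ',' | ForEach-Object { '  ' + $_.Trim() }
}
else {
    'No Classic classifications are configured.'
}
```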

Controlling Microsoft Teams Guest Access using Sensitivity Labels



Part 1 of 2: The End User Experience

Guest Access is a really useful way to work collaboratively in Microsoft Teams with people who are not part of your tenant. However, most organisations want to provide controls that allow some teams to have Guests and block external users from others. This can be achieved in a number of ways, ranging from PowerShell to the Power Platform, and the approach an administrator takes will most likely depend on the business requirements and the security posture of their company.

One way of giving end users the ability to choose their Guest policy as they create (or edit) a team is via the assignment of a Sensitivity Label. These can be used for a variety of purposes, such as protecting content or restricting access from unmanaged devices, but the video below focuses on blocking/allowing external users within a team.

In Part 2 of this blog I’ll run through the basic admin experience around the creation of the Sensitivity Labels shown in the above demonstration.

Securing Teams Meetings Content Sharing



I recently posted a short blog called My Teams Security Slide, which contained an overview of the security controls I associate with Microsoft Teams. One of the features I listed was “Sensitivity Labels for Content”, which for organisations concerned about data loss prevention is a way of classifying content and applying security policies.

So what does this have to do with a Teams Meeting?

Microsoft 365 Sensitivity Labels actually allow administrators to manage document permissions, and Microsoft Teams will honour these. One of the net effects is that you can restrict the ability to share confidential documents during a Teams Meeting.

I created this video to demonstrate the resulting end user experience.

This is a great way to protect against accidental data loss during a Microsoft Teams share. But what about policing a Teams Meeting chat? I’ll talk about this in a future post.