How to add sensitivity labels to my existing groups, teams and sites? This was a question I was asked after one of my previous blogs on how to protect your groups, Teams and sites. If you only have a small number of groups, teams and sites, then it is easy to manually add the container sensitivity label to each group team or site. But what happens when you have thousands of groups, couples and sites?

Fortunately, there is a way to automate this task using PnP PowerShell. In this blog post, I will walk you through the steps needed first to analyze your existing groups, teams and site and then to programmatically apply container sensitivity labels to your existing Teams, Groups, and Sites in Microsoft 365 to help you protect your important data from unauthorized access and accidental sharing.

Step 1 – Define your sensitivity label policy

The first step is to define your sensitivity label policy for your Microsoft 365 Groups, Teams and SharePoint sites, referred to as container labels. This policy should determine what types of information are considered sensitive and how the data should be classified.

Step 2 – Create your sensitivity labels in Microsoft Purview

I recommend starting with two labels, Internal and External, unless you have specific needs for the other labels. I also recommend keeping these container labels separate from content labels as they serve different purposes.

Once you’ve defined your container sensitivity label policy, you can create your sensitivity labels in the Microsoft Purview Admin Center> Information Protection. If you see the message below, you must first enable sensitivity labels for groups, Teams and sites.

Read my blog on How to protect your Microsoft Teams, Groups and Sites, where I described how to enable the functionality and create sensitivity labels.

Step 3 – Create a PowerShell script to identify external users and external sharing in your existing groups, teams and sites

The third step is to review the access control permissions of your existing groups, teams and sites with sensitivity labels to understand better which groups, Teams and sites have external guests and external sharing.

Use PnP PowerShell to create a CSV file of the access control permissions for your existing groups, teams and sites.

The script connects to each SharePoint site in turn and retrieves the following properties:

Site Name


Group Id (non-group connected SharePoint sites have a GroupId of 00000000-0000-0000-0000-000000000000)

Site owner

Site template (this will show the type of site, e.g. communications site, group, teams channel etc.)

Group type

Site sharing permissions

Site conditional access policy

File sharing link

File sharing link type

Sensitivity label

For the group-connected sites, the script connects to each group-related site (Template type GROUP#0) and returns the group-specific properties:

Group privacy (public, private)

Site owners (this is not the same as a group owner)

Group owner email addresses

Are guests allowed

Number of external guests

I ignored Teams Private and shared channels with templates TEAMCHANNEL#0 or TEAMCHANNEL#1 as the channels inherit the permissions from the parent group.

The script uses the PnP PowerShell module, which can be downloaded and installed from

Download the PowerShell script from my GitHub Public/Groups_Teams_Site_Report_PnP.ps1 at main · nikki-c/Public (

Open a PowerShell window and connect to your SharePoint Online tenant using `Connect-PnPOnline -Url`.

The CSV detailing the summary of all your existing groups, Teams and sites is created when the PowerShell script has finished.

Step 4 – Analyse your existing Microsoft 365 Groups, Teams and SharePoint sites

The fourth step is to review the CSV file and map which sensitivity label to apply to each Microsoft 365 Group, Teams or SharePoint site.

The CSV provides key information on the current access controls and whether it is connected to a group and whether that group is a group, Team, or Yammer community.

I recommend saving your CSV as an Excel file and formatting the data as a table so you can easily filter and create pivot tables.

The default site sharing permissions are different depending on the type of site:

Communication sites = Only people in your organization

Microsoft 365 Groups and Teams = New and existing guests.

Review each group, Team and site and establish which label should apply. For example:

Guest count = 0 plus external sharing is disabled = Apply Internal label

Guest count > 0 plus external sharing allowed and should be used for external sharing = Apply the External label.

Guest count > 0 and or external sharing allowed, but the content should not be shared externally = Apply Internal label and Importantly remove existing guests from the Team.

You can identify any issues or gaps, such as duplicate names, inconsistent naming conventions, missing owners or inappropriate site-sharing options.

The review and labeling of your groups, teams and sites can be an iterative process. Just make sure you label your high-risk containers first.

Step 5 – Apply labels to your existing Micro oft 365 Groups, Teams and SharePoint sites

The fifth step is to create a CSV file that lists the sites and their sensitivity labels and to use PowerShell to add a sensitivity label for each site.

Important. Before you update any Teams with a label that will block guest access, remember to remove any existing guests first. This is because the label does not block access for existing guests.

The script requires the sensitivity label ids rather than the display name. The sensitivity label ids are not visible in the Purview Admin center. Use Security and Compliance Center PowerShell Connect to Security & Compliance PowerShell | Microsoft Learn using an administrator account to retrieve the Guids.

Get-Label | Where-Object {$_.ContentType -EQ ‘Site, UnifiedGroup’} |Format-Table DisplayName, Guid

To batch update your groups, teams and sites, create a CSV file with two columns named URL and LabelID. Add your list of site URLs and corresponding sensitivity label ids to the CSV file. Note. You must use the sensitivity label Guid.

The script uses PnP PowerShell, imports the CSV, loops through each row, and adds the sensitivity label to each site URL. If the site is a Microsoft 365 group-connected site, the label is also applied to the Teams or group. Finally, a CSV file is created to summarize the updates.

Download the PowerShell script from my GitHub Public/Bulk_Add_Container_Sensitivity_Labels.ps1 at main · nikki-c/Public (

You can also rerun the report created in Step 3 to get an updated view of your groups, teams and sites, including the sensitivity labels.

Managing sensitivity labels

Admins can view and manage the sensitivity labels in the SharePoint Admin Center and Teams Admin Center.

Users will see the sensitivity labels at the top of the group, Team or site.

Group, team and site owners can change the container sensitivity labels, so you may want to keep track and revert to the original label. Read my colleague Alexander Holmeset’s blog post on Monitor and reset to the original Sensitivity Label if changed for your SharePoint site or M365 Group/Team! | A blog about automation and technologies in the cloud (


Applying container sensitivity labels to all your existing groups, teams and sites is a critical step in securing access to your corporate data by providing relevant access depending on the sensitivity of your data.

Following the steps outlined in this blog post, you can create and apply container sensitivity labels to all your existing groups, teams and sites.

Microsoft Reference

Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites – Microsoft Purview (compliance) | Microsoft Learn

Connect to Security & Compliance PowerShell | Microsoft Learn

The post How to add sensitivity labels to your existing Microsoft 365 Groups, Teams and SharePoint sites appeared first on Nikki Chapple.

​ Nikki Chapple

about Infinite Loop Digital

We support businesses by identifying requirements and helping clients integrate AI seamlessly into their operations.

Gartner Digital Workplace Summit Generative Al

GenAI sessions:

  • 4 Use Cases for Generative AI and ChatGPT in the Digital Workplace
  • How the Power of Generative AI Will Transform Knowledge Management
  • The Perils and Promises of Microsoft 365 Copilot
  • How to Be the Generative AI Champion Your CIO and Organization Need
  • How to Shift Organizational Culture Today to Embrace Generative AI Tomorrow
  • Mitigate the Risks of Generative AI by Enhancing Your Information Governance
  • Cultivate Essential Skills for Collaborating With Artificial Intelligence
  • Ask the Expert: Microsoft 365 Copilot
  • Generative AI Across Digital Workplace Markets
10 – 11 June 2024

London, U.K.