Audit sensitivity labels with Powershell

2022-08-17

Sensitivity labels

Sensitivity labels are part of Microsoft Information Protection solution. Sensitivity labels classify and protect your organization’s data, by applying appropriate permissions and restrictions on the classified content. As opposed to retention labels, which are published to locations such as all Exchange mailboxes, sensitivity labels are published to users or groups. That means that everywhere where the labels are supported, your users will be able to use them. Apps that support sensitivity labels will display them to the users and groups they were published to. The sensitivity labels will show as already applied labels, if they are being applied automatically; or as labels that can be applied, if the Compliance Administrator decided that they can be applied by users.

Prerequisites

Install Exchange Online module and Connect to Security & Compliance Center PowerShell.

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5
Connect-IPPSSession -UserPrincipalName User@contoso.com

Verify existing labels

Use Get-Label cmdlet to see the available labels in your environment, their scopes and priorities.

Get-Label

Get All Details on a Label

Get-Label -Identity keyword-label | fl

Get All Label Actions

If you use -IncludeDetailedLabelActions parameter, you will see the particular actions assigned to each label.

Which Label Causes Trouble

If you are unsure which label is applying specific policy, you can check which labels perform which actions.

Get-Label -IncludeDetailedLabelActions $true | select Applywatermarkingtext, displayname

Get-Label -IncludeDetailedLabelActions $true | select EncryptionEnabled, displayname

Find auto-labeling labels

Each label has a property called “capabilities”. Using it, you can discover which labels are automatically applied to the content.

Get-Label | select Capabilities, DisplayName

Audit Matrix for Label Actions

Audit matrix allows you to see the entire overview of labels, their actions, capabilities and settings at a given point of time. It is a simple Excel file, but may be useful if your organization needs to store the settings for compliance reasons.

See Also

M365 Information protection: Understanding Sensitivity labels vs sensitive information types

Sensitivity labels: Enable labels for groups and sites