Jun 17 2020
- last edited on
May 24 2021
I have created a SharePoint site Sensitivity set to Highly Confidential. In CSS I have set up this sensitivity label as follows.
The site and Group Settings -Private- Only Members can access the site
Also unchecked - External users access- Let O365 group owner add people outside the organization to the group.
Then I have shared a document with an external user. The external user successfully can access this document. Is this expected behavior or the SharePoint site shouldn't allow an external user to access this document because the site is classified as Highly Confidential.
FYI- Document is not classified, the document sitting on the document library on the above site and the external user is not a member of the site.
Jun 20 2020 04:41 AM
Hi, in my testing of this, I set my label as below,
Then I created a SPO Team site with this sensitivity label applied to it. I created a word doc and was able to share it to an external Gmail account (completely new test Gmail account).
However, when opening it, I was challenged to send a verification code to the Gmail account.
The code never arrives. Have tried resending it a number of times. I believe this is probably going to be the expected behaviour. What I might do is leave it a while and see if anything changes. Then I will add the Gmail account as a guest user and see if that changes anything.
Jun 20 2020 08:10 AMSolution
Little bit more digging, and this article - https://joannecklein.com/2020/06/19/site-sensitivity-and-the-documents-within/ explains how it all works brilliantly!
Jun 21 2020 01:50 AM - edited Jun 21 2020 05:52 AM
So what's the point of having container classification then.
Jun 22 2020 12:31 AM
I agree that this has a way to go before it's the finished article. It's a step in the right direction though I think and I suggest keeping an eye on it to see the functionality evolve. It's only going to get better and better. In the meantime, you can classify and protect very effectively at the document level.
Aug 09 2020 03:20 PM
Aug 09 2020 03:20 PM
@Nip17 At the moment the sensitivity labels for containers (SharePoint/ Teams) only provide controls that manager the container and not the content.
They can be useful if you want to restrict guest access to specific Teams only or enforce access is only from managed devices.
The labelling of content needs to be added separately.
Note that if you already use sensitivity labels for content and then decide you want to be ale to provide more granular levels of control to a Team using sensitivity labels (such as creating internal only and guest allowed) these labels also appear when labelling content