Since July 2022, site collection owners have been able to enable a feature in a SharePoint document library that classifies new or changed documents automatically.
When SharePoint is enabled for sensitivity labels, you can configure a default label for document libraries. Then, any new files uploaded to that library, or existing files edited in the library will have that label applied if they don’t already have a sensitivity label, or they have a sensitivity label but with lower priority.
This feature is now enhanced by automatically encrypting unencrypted documents in SharePoint, currently available as a Public Preview.
The feature applies to all unencrypted documents in a document library. Word, Excel, PowerPoint, and PDF files are currently supported. A document is considered encrypted if it has been assigned a sensitivity label that includes encryption.
It’s still a Public Preview and disabled by default in this state. The section marked in the screenshot is missing if the configuration is disabled.
A SharePoint administrator must enable the configuration in the tenant. It’s a global tenant configuration, not per site collection. The SharePoint Online Management Shell module version 16.0.25430.12000 or later is required for the configuration.
I advise you to read the full documentation and known limitations before activation. In addition, Microsoft does not mention license requirements (which is common during a public preview).
The documentation describes the property ExtendPermissionsToUnprotectedFiles.
ExtendPermissionsToUnprotectedFiles
This property can be used to turn on/off the capability called “Extended SharePoint permissions to unprotected files”.
Set-SPOTenant -ExtendPermissionsToUnprotectedFiles $true
Note
Microsoft mentions the short link aka.ms/ExtendSharePointPermission in various places. Microsoft forgot to configure the link correctly. Apparently, nobody has tested the link. I expect it should be linked to the official documentation.
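The tenant-level activation described above, as an added example (not part of the original post or Microsoft's documentation): it checks the module version stated above, confirms that sensitivity labels are enabled for SharePoint, and reads the setting back after the change. The admin URL is a placeholder, and reading ExtendPermissionsToUnprotectedFiles from Get-SPOTenant under the same name as the Set-SPOTenant parameter is an assumption.

```powershell
# Added example: gate the preview setting on module version and current tenant state.
$AdminUrl        = 'https://contoso-admin.sharepoint.com'   # placeholder, use your own tenant admin URL
$RequiredVersion = [version]'16.0.25430.12000'               # minimum version stated in the article
$ModuleName      = 'Microsoft.Online.SharePoint.PowerShell'

# 1. Verify that the installed SharePoint Online Management Shell is new enough.
$module = Get-Module -ListAvailable -Name $ModuleName |
    Sort-Object Version -Descending |
    Select-Object -First 1
if (-not $module) {
    throw "$ModuleName is not installed."
}
if ($module.Version -lt $RequiredVersion) {
    throw "Found $ModuleName $($module.Version); $RequiredVersion or later is required."
}
Import-Module $ModuleName -MinimumVersion $RequiredVersion

# 2. Connect as a SharePoint administrator (interactive sign-in).
Connect-SPOService -Url $AdminUrl

# 3. Record the state before the change. The switch is tenant-wide, not per site collection.
$tenant = Get-SPOTenant
if (-not $tenant.EnableAIPIntegration) {
    throw 'Sensitivity labels are not enabled for SharePoint (EnableAIPIntegration is false).'
}
# Assumption: the property is exposed under the same name as the Set-SPOTenant parameter.
$before = $tenant.ExtendPermissionsToUnprotectedFiles
Write-Host "ExtendPermissionsToUnprotectedFiles before: $before"

# 4. Enable only if needed, then read the value back to confirm.
if ($before -ne $true) {
    Set-SPOTenant -ExtendPermissionsToUnprotectedFiles $true
}
$after = (Get-SPOTenant).ExtendPermissionsToUnprotectedFiles
Write-Host "ExtendPermissionsToUnprotectedFiles after: $after"
```

Running the same Set-SPOTenant call with $false turns the capability off again.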
I enabled the new feature in my tenant. SharePoint will list supported labels. There are two in my test tenant.
Two label configurations determine which labels can be selected.
- The “Default sensitivity label for a SharePoint document library” feature from 2022 does not support sensitivity labels with “user-defined permissions”. Such labels are inactive in the selection; see my example.
It is noted in the documentation:
Limitations
…
As with sensitivity labels for Office for the web, some label configurations that apply encryption aren’t suitable for SharePoint, and so don’t support a default sensitivity label for a SharePoint document library:
- Let users assign permissions when they apply the label and the checkbox In Word, PowerPoint, and Excel, prompt users to specify permissions is selected. This setting is sometimes referred to as “user-defined permissions”.
- User access to content expires is set to a value other than Never.
- Double Key Encryption is selected.
- The new feature “Configure SharePoint with a sensitivity label to extend permissions to downloaded documents” supports the opposite. It supports labels with “user-defined permissions” but not “admin-defined permissions”.
After you’ve selected a sensitivity label that applies encryption with user-defined permissions, save the configuration.
…
This feature is mutually exclusive with the option to select a default sensitivity label for a SharePoint document library that supports sensitivity labels without encryption, and sensitivity labels that are configured with the option Assign permissions now (sometimes referred to as “admin-defined permissions”).
For this reason, there are two labels to choose from in my tenant. I defined user-defined permissions for both labels.
For a label with user-defined permissions, it is partly a matter of trying and testing. During my tests, various labels were unavailable for selection despite user-defined permissions. A change to the label takes up to 24 hours to show up in SharePoint. It is not yet clear to me which additional configuration in a label defines when it is active or inactive in the selection. Microsoft does not explain this further in the documentation.
****************
Update from 4 January 2025:
In the meantime, I know the scope for Emails is the reason why a sensitivity label is not selectable, even when user-defined permissions and the Files / Sites scopes are configured. If you create a label without the scope, the label is selectable after some hours.
****************
Site collection owners should note that enabling the feature forces a resync of the document library in the OneDrive sync client. This can delay users when the library contains many documents.
After the library is configured with the sensitivity label, all existing files will be resynchronized if the library is synced via the OneDrive sync client. The resynchronization process can take a while and until it’s complete, the extended protection won’t be applied.
Unencrypted documents will be quickly encrypted with the selected label if the file format is supported.
- Supported documents such as Word, Excel, PowerPoint, and PDF are classified.
- It did not classify the Loop file in my case.
- An already encrypted document will not be changed.
The selected sensitivity label will be applied to all files that are unlabeled, and files that are labeled but the label configuration doesn’t apply encryption. The Sensitivity column for the document library displays your selected label for existing, new, and edited files. Users see the selected label displayed when they open the file for editing but won’t experience any changes in permissions as a result of the label.
It should also be noted that users can no longer classify documents in this library with a label without encryption.
In the SharePoint document library that you’ve configured for the sensitivity label, users can’t remove the applied sensitivity label in their Office apps and can change it only if the replacement label applies encryption.
The application either does not allow the change or shows an error.