    Secure SharePoint Online data – Part 2

    By Peter Klapwijk | September 18, 2018 | Updated: December 3, 2019 | 16 Mins Read

    In my previous blog post, which you will find here, I showed how to start securing SharePoint Online data with just a few simple steps. In this blog post I will go further with securing SharePoint Online by using Office 365 Labels and Data Loss Prevention (DLP) policies. By using those labels and policies, you are able to show your users a policy tip when they share confidential data with people outside the organization, or even block sharing SharePoint documents with people outside your organization.
    To use these features you need to assign your users at least an Office 365 E3 license.

    Create an Office 365 Label

    Office 365 labels and DLP policies are managed using the Security & Compliance Admin center. Open the admin center and navigate to Data governance, Dashboard. Click Create a label.

    Data governance

    Give your Office 365 label a name and description for admins and users and click Next.

    Name your label

    On the next page you can choose to turn on retention for this label; I left retention turned off. Click Next.

    Retention

    Review your settings and click Create this label.

    Review your settings

    Publish an Office 365 label

    After creating the Office 365 label, we need to publish the label to SharePoint Online. From the properties of the label click Publish label.

    Publish label

    On the Choose labels to publish tab click Next.

    Choose labels to publish

    At this moment I'm not using this label in Exchange, so I switched Exchange email off. If you prefer, you can choose the default option All Locations; as long as it contains SharePoint sites, it's fine for this setup.

    Choose locations

    Give your policy a Name and description and click Next.

    Name your policy

    Review your settings and click Publish labels.
    NB: It can take up to 1 day before the label is published and visible in SharePoint. Fortunately, most of the time it's visible within half an hour to a few hours.

    Review settings

    After clicking Publish, the status is shown as On (pending). Once the label is successfully published, the status will be On (Success).

    Status On

    Apply a label to your SharePoint Online site

    Now we need to apply the Office 365 label to the SharePoint Online site to automatically label all items in the preferred document library, in my case a library under the Legal Department site.
    Open the SharePoint Online site and navigate to the documents library. In the top right, click the Settings icon and click Library settings.

    SharePoint Online site

    Under Permissions and Management click Apply label to items in this list or library.

    Library settings

    Choose the label you previously created, in my case Highly confidential, and check Apply label to existing items in the library. Click Save.

    Apply label

    After some time you see the items are labeled with the label you chose in the previous step.

    Documents are labeled

    Create and apply a DLP policy

    Now that your SharePoint Online documents are automatically labeled with an Office 365 label, it's time to apply a DLP policy to our High Confidential documents.
    Switch back to the Compliance & Security center. Navigate to Data loss prevention, Policy and click Create a policy.

    DLP Policies

    We need to create a Custom policy.

    Custom policy

    Enter a name and description for the DLP policy and click Next.

    Check Let me choose specific locations and click Next.

    Choose locations

    Switch off Exchange email and OneDrive accounts. If you click Choose sites, you are able to search for your SharePoint site to only apply the policy to that specific site.
    Click Next.

    Switch off Exchange

    On the next page make sure Detect when this content is shared is set to with people outside my organization.
    Above that option click Edit to select the High Confidential label we already applied to the SharePoint site.

    Policy settings

    As type of content we need to select Labels.

    Choose the type of content to protect

    Select the High Confidential label.
    Back on the Policy settings tab click Next to get some more options.

    Labels

    Now it's time to set the actions which need to be taken when sensitive info is detected. By default a policy tip is shown. Also by default, the option to detect when a specific amount of sensitive data is shared is turned on and an incident report is sent by email. This option will send an incident report to the Global admin and the account which set up the policy.

    A more restrictive option you can set on this tab is to check Restrict access or encrypt the content and check Block people from sharing and restrict access to shared content. This will not only show a policy tip and send an email, but will also prevent accidental sharing of confidential files.
    After setting the preferred options click Next.

    Actions to take on sensitive info

    On the next page check Only people outside your organization.
    If you want your users to be able to override the policy, switch that option on. If you allow overrides, it is a good idea to also check Require a business justification to override. All policy overrides are recorded; with this option you as an admin get information on all policy overrides and the reason why the users shared the item.
    Click Next.

    Customize access and override permissions

    Check Yes, turn it on right away and click Next.
    In the next screen, review your settings and click Create.

    Turn on the policy

    With all the previous steps we have applied an Office 365 label (High Confidential) to a document library in a SharePoint Online site (Legal department). By applying a DLP policy your users will see a policy tip when they try to share a High Confidential document with people outside the organization.
    Depending on the options set, the user is able to override the policy and share the document. But the override will be recorded (if also turned on).

    End-user experience

    Let's have a look at the user experience. Log on to the SharePoint Online site and navigate to the documents library. Try to share one of the labeled documents with an external user. A policy tip will be shown. Click View policy tip.

    Send link

    The policy tip is shown. You are able to Report an issue or Override the policy. Click Override to see what that looks like.

    Override policy

    You need to enter a business justification to override the policy and click Submit. The override is recorded and the user is able to share the document with an external user.
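Because every override and its justification is recorded, an admin can review them in bulk. The script below is an added example, not part of the original post: it reads a constructed JSON export of DLP audit records, keeps the overrides, and lists users who override repeatedly or enter a throwaway reason. The field names (`Operation`, `DLPRuleUndo`, `ExceptionInfo`, `Justification`, `FalsePositive`, `SharePointMetaData`) are modeled on the DLP schema of the Office 365 Management Activity API and are an assumption to verify against your own tenant's export; the threshold values are hypothetical.

```python
import json
from collections import Counter

# Constructed sample export (not real tenant data). Field names are modeled on the
# DLP schema of the Office 365 Management Activity API and are an assumption here;
# confirm them against an export from your own tenant.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2018-09-18T09:12:44", "Operation": "DLPRuleMatch",
     "UserId": "anna@example.com",
     "SharePointMetaData": {"FileName": "contract-draft.docx"}},
    {"CreationTime": "2018-09-18T09:13:10", "Operation": "DLPRuleUndo",
     "UserId": "anna@example.com",
     "SharePointMetaData": {"FileName": "contract-draft.docx"},
     "ExceptionInfo": {"FalsePositive": False,
                       "Justification": "Sent to outside counsel for review"}},
    {"CreationTime": "2018-09-19T14:02:31", "Operation": "DLPRuleUndo",
     "UserId": "bob@example.com",
     "SharePointMetaData": {"FileName": "nda-signed.pdf"},
     "ExceptionInfo": {"FalsePositive": False, "Justification": "asdf"}},
    {"CreationTime": "2018-09-19T14:40:05", "Operation": "DLPRuleUndo",
     "UserId": "bob@example.com",
     "SharePointMetaData": {"FileName": "claims-2018.xlsx"},
     "ExceptionInfo": {"FalsePositive": False,
                       "Justification": "Customer asked for the claims overview"}},
    {"CreationTime": "2018-09-20T08:15:00", "Operation": "DLPRuleUndo",
     "UserId": "carol@example.com",
     "SharePointMetaData": {"FileName": "lunch-menu.docx"},
     "ExceptionInfo": {"FalsePositive": True, "Justification": ""}},
])
MIN_REASON_CHARS = 15  # hypothetical cut-off for a meaningful justification

def find_overrides(export_json):
    """Return overrides: DLPRuleUndo events not flagged FalsePositive
    (assumed here to be how a 'Report an issue' click is recorded)."""
    found = []
    for rec in json.loads(export_json):
        info = rec.get("ExceptionInfo") or {}
        if rec.get("Operation") != "DLPRuleUndo" or info.get("FalsePositive"):
            continue
        reason = (info.get("Justification") or "").strip()
        found.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                      "file": (rec.get("SharePointMetaData") or {}).get("FileName"),
                      "reason": reason, "weak": len(reason) < MIN_REASON_CHARS})
    return found

def users_to_review(overrides, max_overrides=1):
    """Users with more than max_overrides overrides or a weak justification."""
    counts = Counter(o["user"] for o in overrides)
    flagged = {u for u, n in counts.items() if n > max_overrides}
    return sorted(flagged | {o["user"] for o in overrides if o["weak"]})

if __name__ == "__main__":
    print(users_to_review(find_overrides(SAMPLE_EXPORT)))
```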

    The next step in securing your SharePoint Online data is encrypting the documents with Azure Information Protection. In a future blog post I will have a look at these options.


    1 Comment

    1. Kodjo on April 14, 2021 14:30

      Thanks for this Peter. Tried applying labels to a SharePoint library (after labeling the site) but was faced with an issue; none of the published labels are showing up in the drop-down option in library settings.

      Any idea what might cause this?
