Microsoft has now started a preview of a solution that can assist with this.
In Conditional Access we can now configure conditions for accessing certain SharePoint Sites/Teams based on the sensitivity label of these sites.
In the example below the user can access Public, Business and Confidential sites but to get access to information stored in classified Secret sites, we require MFA.
It works the same in Microsoft Teams where Multifactor authentication is triggered when you access the team sites files:
The trick is a new feature in Conditional Access called Authentication Context where we can define conditions and then add this context to the site and group setting of a Sensitivity label
Let´s have a look on the configuration
We first create a new authentication context from the new part in Conditional Access. In my example I call this “TOU Secret Inf”
We can then create a Conditional Access Policy for this authentication context:
We then configure the sensitivity label with this new authentication context that are now available (in preview)
If for some reason you haven’t started classifying your Sites (I’d mainly recommend starting with that), you can use the PowerShell management for SharePoint and use the Set-SPOSite command to define what Conditional Access policy that should be used for the specific site.
This is done in the format:
Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName ”same name as provided in AAD”
You have more information on docs