Both Teams and SharePoint are good solutions for sharing and collaborating with sensitive information internally as well as externally.
With help of Sensitivity labels, we can define rules and permissions for everything from allow/block external guests, sharing of files, as well as conditions for accessing different Teams and SharePoint sites.
In the most cases a certain team or project often includes different kinds of files with different sensitivity. Everything from public non-sensitive information to more confidential information that all have different rules and regulations.
All settings around “Groups & Sites” that we can define in Sensitivity Labels are based on existing Teams/SharePoint settings.
The biggest challenge is most often when we use Teams or restricted channels in Teams to restrict access to certain information. Even if we set a Team or a Teams channel as private, the default setting for sharing is that files can be shared to anyone within your organization.
In the most cases we have specific private Team and/or private channel to restrict access to only the members. But…
Regardless of the private setting of the team and channel that restrict access to the specific location, files within this team can be shared to users outside of the Team/Channel.
This is due to the following global setting in SharePoint
Within information security, it is of course most advantageous to change the global settings for Shares to ”Specific people”. This does not allow files to be shared to anyone other than those who have access to the Team or channel.
However, it is often difficult to change the global setting as there is uncertainty about the need for information sharing. After all, it is usually a small part of our information that is actually more sensitive.
This week we have got new functionality within Microsoft Information Protection that solves this challenge.
We can now, based on the sensitivity of both the team and specific documents, control just sharing settings. This applies both to who we can share files with, and to control whether we allow edit or view only access to the shared document.
Some examples, if we have Team sites including private channels where we need to restrict sharing to only members of the Team/Channel, we can define this setting on the sensitivity label of the site.
If sensitive information is located in a nonrestrictive team we can restrict the sharing setting only on these files.
For more information how to configure sensitivity labels with default sharing link type in SharePoint and OneDrive:
Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive – Microsoft 365 Compliance | Microsoft Docs