Configuring SharePoint Online Sensitivity Labels using PnP PowerShell


Sensitivity labels in SharePoint Online help classify and protect data by controlling access, encryption, and sharing settings. Using PnP PowerShell, administrators can automate the configuration of Sensitivity Labels across SharePoint sites.

Key Benefits of Sensitivity Labels:

✔ Restrict external sharing
✔ Control access permissions
✔ Encrypt sensitive files
✔ Apply DLP (Data Loss Prevention) policies
✔ Ensure compliance with security policies

This guide walks through the step-by-step process of configuring Sensitivity Labels in SharePoint Online using PnP PowerShell.


Step 1: Install & Update PnP PowerShell

Ensure PnP PowerShell is installed and updated:

Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell

Step 2: Connect to SharePoint Online

Connect to your SharePoint Admin Center:

Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive

For app-based authentication, use:

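# Placeholder values. Load the client secret from a secret store at run time
# rather than saving it in the script file.
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"

Connect-PnPOnline -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -Url "https://yourtenant-admin.sharepoint.com"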

Step 3: Retrieve Available Sensitivity Labels

To view all configured Sensitivity Labels, run:

Get-PnPSensitivityLabel | Format-Table -AutoSize

✔ Displays Label Name, GUID, and Description


Step 4: Apply Sensitivity Labels to SharePoint Sites

Apply a Label to a Specific Site

$siteUrl = "https://yourtenant.sharepoint.com/sites/SensitiveData"
$labelId = "your-label-guid"

Set-PnPTenantSite -Url $siteUrl -SensitivityLabel $labelId

✔ Ensures data classification for that site.


Apply Sensitivity Labels to Multiple Sites in Bulk

$sites = @(
    "https://yourtenant.sharepoint.com/sites/Finance",
    "https://yourtenant.sharepoint.com/sites/HR",
    "https://yourtenant.sharepoint.com/sites/Legal"
)

$labelId = "your-label-guid"

foreach ($site in $sites) {
    Set-PnPTenantSite -Url $site -SensitivityLabel $labelId
    Write-Host "Sensitivity Label applied to: $site"
}

✔ Automates label assignment for multiple sites.


Step 5: Verify Sensitivity Label Assignment

To confirm that a label is applied:

Get-PnPTenantSite | Select-Object Url, SensitivityLabel

✔ Confirms if sites have the correct label.
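
The check in Step 5 can be extended into a drift report that compares each site's label with the label it is supposed to carry. This is an added example, not part of the original guide: Compare-SiteLabel is a hypothetical helper, the GUIDs and the Scratch and Archive sites are constructed sample data, and treating an empty or all-zero value as "no label" is an assumption.

```powershell
function Compare-SiteLabel {
    param(
        [Parameter(Mandatory)] [object[]]  $Inventory,  # objects with Url and SensitivityLabel
        [Parameter(Mandatory)] [hashtable] $Expected    # site URL -> required label GUID
    )
    $seen = @{}
    foreach ($site in $Inventory) {
        $seen[$site.Url] = $true
        $actual = [string]$site.SensitivityLabel
        # Assumption: an unlabeled site reports null, an empty string or the all-zero GUID.
        $unlabeled = [string]::IsNullOrWhiteSpace($actual) -or $actual -eq [guid]::Empty.ToString()
        $want = $Expected[$site.Url]
        if (-not $want)             { $status = 'NoPolicy' }   # site is not covered by the policy map
        elseif ($unlabeled)         { $status = 'Missing' }    # label required but none applied
        elseif ($actual -ieq $want) { $status = 'OK' }
        else                        { $status = 'Mismatch' }   # a different label is applied
        [pscustomobject]@{ Url = $site.Url; Expected = $want; Actual = $actual; Status = $status }
    }
    # Sites named in the policy map that the inventory never returned (deleted, renamed, or a typo).
    foreach ($url in $Expected.Keys) {
        if (-not $seen.ContainsKey($url)) {
            [pscustomobject]@{ Url = $url; Expected = $Expected[$url]; Actual = $null; Status = 'NotFound' }
        }
    }
}

# Constructed sample data: placeholder tenant and GUIDs, not real values.
$confidential = '11111111-1111-1111-1111-111111111111'
$general      = '22222222-2222-2222-2222-222222222222'
$base         = 'https://yourtenant.sharepoint.com/sites'
$inventory = @(
    [pscustomobject]@{ Url = "$base/Finance"; SensitivityLabel = $confidential }
    [pscustomobject]@{ Url = "$base/HR";      SensitivityLabel = $general }
    [pscustomobject]@{ Url = "$base/Legal";   SensitivityLabel = '' }
    [pscustomobject]@{ Url = "$base/Scratch"; SensitivityLabel = $null }
)
$expected = @{
    "$base/Finance" = $confidential
    "$base/HR"      = $confidential
    "$base/Legal"   = $confidential
    "$base/Archive" = $confidential
}

$report = Compare-SiteLabel -Inventory $inventory -Expected $expected
$report | Format-Table -AutoSize
$drift = @($report | Where-Object Status -ne 'OK')
if ($drift.Count) { Write-Warning "$($drift.Count) site(s) need review" }
```

To run it against the tenant, pass the output of Get-PnPTenantSite | Select-Object Url, SensitivityLabel as -Inventory.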


Step 6: Remove or Change Sensitivity Labels

Remove a Sensitivity Label from a Site

Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/SensitiveData" -SensitivityLabel $null

✔ Removes classification from the site.

Change Sensitivity Label for a Site

$siteUrl = "https://yourtenant.sharepoint.com/sites/SensitiveData"
$newLabelId = "new-label-guid"

Set-PnPTenantSite -Url $siteUrl -SensitivityLabel $newLabelId

✔ Updates the classification level.


Step 7: Automate Sensitivity Label Assignment for New Sites

The following script applies a label to every site that does not yet have one. To automatically apply labels to newly created sites, schedule it in Azure Automation or Task Scheduler.

$labelId = "your-label-guid"
$sites = Get-PnPTenantSite | Where-Object { $_.SensitivityLabel -eq $null }

foreach ($site in $sites) {
    Set-PnPTenantSite -Url $site.Url -SensitivityLabel $labelId
    # $() is required to expand a property inside a double-quoted string
    Write-Host "Applied Sensitivity Label to: $($site.Url)"
}

✔ Ensures all new sites are secured automatically.
