Sensitivity labels in SharePoint help classify and protect content based on compliance and security requirements. Organizations use Microsoft Purview to define sensitivity labels, which can be applied to SharePoint sites to enforce security measures such as encryption, access control, and governance policies.
PnP PowerShell (Patterns & Practices PowerShell) simplifies managing SharePoint Online, including applying sensitivity labels to sites. This guide provides a step-by-step approach to managing SharePoint Sensitivity Labels using PnP PowerShell.
Step 1: Prerequisites
Before using PnP PowerShell for managing sensitivity labels, ensure you meet the following requirements:
1.1 Install PnP PowerShell
Ensure that PnP PowerShell is installed on your system. If not, install it using the following command:
Install-Module PnP.PowerShell -Scope CurrentUser
If you already have it installed, update it to the latest version:
Update-Module PnP.PowerShell
1.2 Required Permissions
Ensure you have the necessary permissions:
- Global Administrator or SharePoint Administrator in Microsoft 365
- Access to Microsoft Purview Compliance Center (to create and manage labels)
- The PnP Management Shell registered in Azure AD
1.3 Connect to SharePoint Online
To connect to SharePoint Online, run:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
Replace "yourtenant" with your actual tenant name. This command will prompt you to log in using Microsoft authentication.
Step 2: Retrieve Available Sensitivity Labels
Before assigning labels, retrieve a list of existing sensitivity labels in your tenant.
Get-PnPSiteSensitivityLabel
This command will return all available sensitivity labels defined in Microsoft Purview. If no labels are returned, ensure that labels are published in Microsoft 365 Compliance Center.
Step 3: Assign a Sensitivity Label to a SharePoint Site
To apply a sensitivity label to a SharePoint site, use the Set-PnPSite command.
3.1 Apply a Sensitivity Label
Set-PnPSite -Identity "https://yourtenant.sharepoint.com/sites/YourSiteName" -SensitivityLabel "Confidential"
- Replace
"YourSiteName"with the actual site name. "Confidential"should be replaced with the exact name of the sensitivity label retrieved in Step 2.
3.2 Verify the Applied Sensitivity Label
After assigning the label, confirm it using:
Get-PnPSite -Identity "https://yourtenant.sharepoint.com/sites/YourSiteName"
Look for the SensitivityLabel property in the output.
Step 4: Remove a Sensitivity Label from a SharePoint Site
To remove an existing sensitivity label, set it to an empty value:
Set-PnPSite -Identity "https://yourtenant.sharepoint.com/sites/YourSiteName" -SensitivityLabel $null
This will remove any sensitivity label applied to the site.
Step 5: Automate Sensitivity Label Assignment for Multiple Sites
If you need to apply labels to multiple sites, use a CSV file containing site URLs and their corresponding sensitivity labels.
5.1 Create a CSV File
Create a SitesList.csv file with the following format:
SiteUrl,SensitivityLabel
https://yourtenant.sharepoint.com/sites/SiteA,Confidential
https://yourtenant.sharepoint.com/sites/SiteB,Internal
https://yourtenant.sharepoint.com/sites/SiteC,Public
5.2 Apply Labels in Bulk Using PowerShell
Run the following script to apply sensitivity labels from the CSV file:
$sites = Import-Csv -Path "C:\Path\To\SitesList.csv"
foreach ($site in $sites) {
Set-PnPSite -Identity $site.SiteUrl -SensitivityLabel $site.SensitivityLabel
Write-Host "Applied label '$($site.SensitivityLabel)' to $($site.SiteUrl)"
}
This script:
- Reads the
SitesList.csvfile. - Loops through each site and applies the respective sensitivity label.
- Outputs the progress to the console.
Step 6: Troubleshooting and Best Practices
6.1 Error: “The term ‘Set-PnPSite’ is not recognized”
If you encounter this error, ensure that:
- PnP PowerShell is installed.
- You are using the correct session (
Connect-PnPOnlinebefore running commands).
6.2 Error: “Sensitivity Label Not Found”
If the label does not exist, verify its name using:
Get-PnPSiteSensitivityLabel
Ensure that labels are published in the Microsoft Purview Compliance Center.