Introduction
Sensitivity labels play a major role in implementing DLP policies for data in the M365 cloud. These policies govern how the data is stored and archived. Microsoft provides default sensitivity labels in the Purview Center (https://compliance.microsoft.com). These are:
- Personal
- Public
- General
- Confidential
- Highly Confidential
Depending on your organization's requirements, you can create new labels based on the ones above. In this article, we will focus on how to get the existing labels in our tenant. This is required to apply sensitivity labels to SharePoint Online site collections via PowerShell.
Pre-requisites
To get the labels, you need the following:
- An account with Global Reader or Global Admin rights. Since we are only doing a get operation, Global Reader should suffice.
- The Exchange Online Management module installed. The IPPS (Information Protection PowerShell) cmdlets ship with the Exchange Online Management PowerShell module.
- PowerShell 7 or above for the commands to run successfully.
- VS Code installed. Since PowerShell 7 does not come with the ISE, I have used VS Code as a PowerShell ISE emulator. To set up VS Code as a PowerShell emulator, please follow the reference section.
Steps
Step 1. Install the Exchange Online Module. This step is needed only if you do not have the Exchange Online Module installed. If you already have it, proceed to Step 2. Below is the command to install the “Exchange Online Module”.
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Step 2. Check if the account has Global Reader rights. In most organizations, as a standard practice, accounts hold eligible rights that are activated for a particular time, after which the admin rights are revoked. Once the required rights are activated, which in this case is ‘Global Reader’, proceed to the next step.
Step 3. Store the credentials in a variable using the Get-Credential command.
$Creds=Get-Credential -UserName $AdminAccount -Message "Connecting to Exchange Online Module to get the Labels"
Step 4. Run the Get-Label command to get the required labels.
Get-Label | Select-Object DisplayName, Guid
Step 5. Validate the output. Please note that here I have selected only the DisplayName and Guid properties of the label, which is what I need in my case. You can use Select * to get all the available properties.
Complete Script
Import-Module -Name ExchangeOnlineManagement
# Replace with an account that has either Global Reader or Global Admin rights
$AdminAccount="[email protected]"
$Creds=Get-Credential -UserName $AdminAccount -Message "Connecting to Exchange Online Module to get the Labels"
try {
    # Connect to the Information Protection PowerShell session.
    # -ErrorAction Stop makes a failed connection a terminating error so the catch block runs.
    Connect-IPPSSession -Credential $Creds -ErrorAction Stop
    Write-Host "Successfully connected to Exchange Online Management" -f Green
    # List the display name and GUID of every sensitivity label in the tenant
    Get-Label | Select-Object DisplayName, Guid
}
catch {
    Write-Host -f Red "Error connecting to Exchange Online Management" $_.Exception.Message
}
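Sublabels under different parent labels can share a display name, so picking a GUID from the DisplayName column alone can select the wrong label before it is applied to a site. The following is an added example, not part of the original script: it builds a Parent\Child path for each label and refuses to return a GUID unless exactly one label matches. It assumes Get-Label objects expose a ParentId property alongside DisplayName and Guid; the function names and the sample labels with their GUIDs are constructed for illustration.

```powershell
# Added example (not from the original article).
# Assumption: each label object has DisplayName, Guid and ParentId
# (ParentId empty, or not matching any label, for top-level labels).

function Get-LabelPath {
    param([Parameter(Mandatory)] [object[]] $Labels)
    # Index labels by GUID so a sublabel can find its parent
    $byGuid = @{}
    foreach ($l in $Labels) { $byGuid[[string]$l.Guid] = $l }
    foreach ($l in $Labels) {
        $parent = if ($l.ParentId) { $byGuid[[string]$l.ParentId] } else { $null }
        $path   = if ($parent) { "$($parent.DisplayName)\$($l.DisplayName)" } else { $l.DisplayName }
        [pscustomobject]@{ Path = $path; Guid = [string]$l.Guid }
    }
}

function Resolve-LabelGuid {
    param(
        [Parameter(Mandatory)] [object[]] $Labels,
        [Parameter(Mandatory)] [string]   $Path
    )
    $hits = @(Get-LabelPath -Labels $Labels | Where-Object { $_.Path -eq $Path })
    # Fail closed: zero or several matches must never yield a GUID
    if ($hits.Count -ne 1) {
        throw "Expected exactly one label at '$Path', found $($hits.Count)."
    }
    $hits[0].Guid
}

# Constructed sample data standing in for the output of Get-Label.
# In a connected session use: $labels = Get-Label
$labels = @(
    [pscustomobject]@{ DisplayName = 'Confidential';        Guid = '11111111-1111-1111-1111-111111111111'; ParentId = $null }
    [pscustomobject]@{ DisplayName = 'All Employees';       Guid = '22222222-2222-2222-2222-222222222222'; ParentId = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ DisplayName = 'Highly Confidential'; Guid = '33333333-3333-3333-3333-333333333333'; ParentId = $null }
    [pscustomobject]@{ DisplayName = 'All Employees';       Guid = '44444444-4444-4444-4444-444444444444'; ParentId = '33333333-3333-3333-3333-333333333333' }
)

# Two labels share the display name 'All Employees'; the full path is unambiguous
Get-LabelPath -Labels $labels | Format-Table Path, Guid
Resolve-LabelGuid -Labels $labels -Path 'Highly Confidential\All Employees'

# A bare display name that is not a top-level label is rejected instead of guessed
try { Resolve-LabelGuid -Labels $labels -Path 'All Employees' }
catch { Write-Host -f Red $_.Exception.Message }
```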
Conclusion
Thus, in this article, we have seen how to get the existing Sensitivity Labels in our tenant using the Exchange Online module PowerShell commands.
References