Creating labels manually and publishing them in Microsoft Purview is easy but rather monotonous and time-consuming. This blog post will cover the basics of creating and configuring sensitivity labels in PowerShell, including how to get current labels, create, update, delete them, and create label policies.
First, create and configure the sensitivity labels you want to make available for apps and other services. For example, the labels you want users to see and apply from Office apps.
Then, create one or more label policies containing the labels and policy settings you configure. Finally, the label policy publishes the labels and settings for your chosen users and locations.
You first need to run the following commands in PowerShell to install and import the Exchange Online PS Module:
Install-Module ExchangeOnlineManagementImport-Module ExchangeOnlineManagement
This example connects to Security & Compliance Center PowerShell in a Microsoft 365 organization:
Connect-IPPSSession
Get-Label returns a summary list of all sensitivity labels in the organization. We could also get detailed information for a specific sensitivity label like this:
Get-Label -Identity Confidential | Format-List
If you want better readability for the label’s actions, you can use IncludeDetailedLabelActions
Get-Label -Identity "Confidential" -IncludeDetailedLabelActions
We will look closer at this in another post, focusing on more advanced examples.
Creating a sensitivity label in PowerShell is easy with the New-Label cmdlet. Here’s an example of how to create a basic label:
New-Label -DisplayName "General" -Name "General" -Tooltip "Use this label for general things."
This example creates a new label named “General” with a display name “General” and the tooltip “Use this label for general things”.
NOTE: There are more than 70 properties available when we create a new Sensitivity Label via the New-Label command, the required ones being Name, DisplayName, and Tooltip.
To update a label, use the Set-Label command with the Identity parameter. This example is from my previous post (When the UI fails - Update Sensitivity Labels via PowerShell and changes the priority of the label:
Set-Label -Identity Personal -Priority 0Set-Label -Identity General -Priority 2
After creating and configuring the labels, you must create a label policy that includes the labels and the policy settings. This label policy will publish the labels and settings to the users and locations you have selected. Allow 24 hours for label and label policy changes to take effect. However, in some scenarios, changes may take effect faster or longer than 24 hours
Let’s take an elementary example where we distribute two labels to all users and groups using ExchangeLocation All.
New-LabelPolicy -Name "Demo Policy" -Labels "General", "Personal" -ExchangeLocation All
You could also use ExchangeLocation “Adele Vance ” for just a single user.
There is a difference between fully deleting a label and unpublishing it by removing it from a label policy. Deleting the label itself is a permanent action. Before you do it, make sure you understand the implications: Removing and deleting labels
Unpublish a label from the label policy:
Set-LabelPolicy -Identity "Demo Policy" -RemoveLabels "General"
Delete a sensitivity label:
Remove-Label -DisplayName "Confidential"
Delete a label policy. First, run the following code and then confirm in PowerShell:
Remove-LabelPolicy -Identity "Demo Policy"
Thank you for reading
/Simon