MC247827: Microsoft Information Protection: Apply granular conditional access policies to SharePoint Online sites via sensitivity labels (preview)

Coming soon to preview, administrators will be able to use Conditional Access policies and associated sensitivity labels to require additional user authentication for accessing sensitive SharePoint sites when the user’s context does not meet the requirements of the site. This message is associated with Microsoft 365 Roadmap ID 70594.

Admins will have the ability to use Azure AD conditional access policies to trigger multi-factor authentication (MFA), device and location policies on a specific SharePoint site collection based by simply attaching CA policies to a label. Then these labels can be applied to Sites and now users access these sites will have to go through the CA policies in order to gain access. The Preview will be available in May 2021.

Affected Workloads

• Microsoft 365 suite

When this will happen

•  Preview rollout will begin the end of May (previously April)
• GA rollout will begin the end of August and should be complete by the end of December (previously end of November

How this will affect your organization

You might want additional authentication for accessing certain sensitive sites. For example, when a user visits a highly sensitive site labeled Confidential, you might want to enforce a step-up authentication with granular policies such as multi-factor authentication (MFA) when the user’s context does not meet the access requirement of the site.

In this preview release, you will be able to create Conditional Access authentication contexts in Azure Active Directory (Azure AD) tailored to your organization’s security posture.

You can then associate these authentication contexts with Microsoft Information Protection (MIP) sensitivity labels in the Microsoft 365 compliance center.

For example:

• Low authentication context requires single factor authentication; this can be associated with a ‘General’ sensitivity label.
• High authentication context requires MFA such as one time passcode verification and/or IP network location policy. This authentication context can be associated with a Confidential sensitivity label.

Once an admin configures the sensitivity label with authentication context, when a user applies a sensitivity label, the associated granular contextual and conditional policies are automatically enforced.

What you need to do to prepare

This preview release has no impact on existing Conditional Access policies in Azure AD. Nor is there a change in how SharePoint Online sites use existing Conditional Access policies.

To benefit from this new feature:

• Create Authentication Context in the Azure AD portal
• Tag the Authentication Context name with a Conditional Access policy in the Azure AD portal
• Choose the right Authentication Context name for a new sensitivity label in compliance center. Note: If you do not use labels that are applied to SharePoint sites, then you can directly apply the above authentication context to a given SharePoint Online site via PowerShell (download the latest SharePoint Online management shell).

After you have completed these steps, you will see the preview feature:
[There was an image]

Learn more

Review online documentation that includes instructions to opt in for this capability, configuration details, and links to a webinar with demos.

• Azure AD docs: Conditional Access: Cloud apps or actions
• Microsoft 365 docs: Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites
• Blog post: Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work

Message ID: MC247827
Published: 30 March 2021
Updated: 12 October 2021