
MC247827: Microsoft Information Protection: Apply granular conditional access policies to SharePoint Online sites via sensitivity labels (preview)

Coming soon to preview, administrators will be able to use Conditional Access policies and associated sensitivity labels to require additional user authentication for accessing sensitive SharePoint sites when the user’s context does not meet the requirements of the site. This message is associated with Microsoft 365 Roadmap ID 70594.

Admins will be able to use Azure AD Conditional Access (CA) policies to trigger multi-factor authentication (MFA), device, and location policies on a specific SharePoint site collection simply by attaching CA policies to a label. These labels can then be applied to sites, and users accessing those sites will have to satisfy the CA policies in order to gain access. The preview will be available in May 2021.

Affected Workloads

  • Microsoft 365 suite

When this will happen

  • Preview rollout will begin at the end of May (previously April)
  • GA rollout will begin at the end of August and should be complete by the end of December (previously end of November)

How this will affect your organization

You might want additional authentication for accessing certain sensitive sites. For example, when a user visits a highly sensitive site labeled Confidential, you might want to enforce a step-up authentication with granular policies such as multi-factor authentication (MFA) when the user’s context does not meet the access requirement of the site.

In this preview release, you will be able to create Conditional Access authentication contexts in Azure Active Directory (Azure AD) tailored to your organization’s security posture.

You can then associate these authentication contexts with Microsoft Information Protection (MIP) sensitivity labels in the Microsoft 365 compliance center.

For example:

  • Low authentication context requires single factor authentication; this can be associated with a ‘General’ sensitivity label.
  • High authentication context requires MFA, such as one-time passcode verification and/or an IP network location policy. This authentication context can be associated with a ‘Confidential’ sensitivity label.

Once an admin has configured a sensitivity label with an authentication context, the associated granular contextual and conditional policies are automatically enforced when a user applies that sensitivity label.

What you need to do to prepare

This preview release has no impact on existing Conditional Access policies in Azure AD. Nor is there a change in how SharePoint Online sites use existing Conditional Access policies.

To benefit from this new feature:

  • Create Authentication Context in the Azure AD portal
  • Tag the Authentication Context name with a Conditional Access policy in the Azure AD portal
  • Choose the right Authentication Context name for a new sensitivity label in compliance center. Note: If you do not use labels that are applied to SharePoint sites, then you can directly apply the above authentication context to a given SharePoint Online site via PowerShell (download the latest SharePoint Online management shell).
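
For the PowerShell route mentioned in the note above, the following is an added example (not part of the original message) that attaches an existing authentication context to a list of sites and reads each setting back to confirm it took effect. The tenant URL, site URLs and the context name 'High' are placeholders, and reading `AuthenticationContextName` back from `Get-SPOSite` assumes a recent version of the SharePoint Online management shell.

```powershell
# Added example: every name below is a placeholder, not a value from the announcement.
$AdminUrl    = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
$ContextName = 'High'   # placeholder: context already created in Azure AD and
                        # targeted by a Conditional Access policy
$SiteUrls    = @(       # placeholder sensitive sites
    'https://contoso.sharepoint.com/sites/finance',
    'https://contoso.sharepoint.com/sites/legal'
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

$results = foreach ($url in $SiteUrls) {
    $status = 'Applied'
    try {
        # Bind the site to the authentication context.
        Set-SPOSite -Identity $url `
                    -ConditionalAccessPolicy AuthenticationContext `
                    -AuthenticationContextName $ContextName `
                    -ErrorAction Stop

        # Read the setting back instead of trusting the write.
        # Assumption: the site object exposes AuthenticationContextName.
        $site = Get-SPOSite -Identity $url -ErrorAction Stop
        $policyOk  = "$($site.ConditionalAccessPolicy)" -eq 'AuthenticationContext'
        $contextOk = $site.AuthenticationContextName -eq $ContextName
        if (-not ($policyOk -and $contextOk)) { $status = 'Mismatch' }
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Site = $url; Context = $ContextName; Status = $status }
}

$results | Format-Table -AutoSize

# Fail loudly so a scheduled run surfaces sites left without step-up authentication.
$unprotected = @($results | Where-Object { $_.Status -ne 'Applied' })
if ($unprotected.Count -gt 0) {
    Write-Error "$($unprotected.Count) site(s) are not bound to '$ContextName'."
    exit 1
}
```

Running the same script on a schedule doubles as a drift check: any site whose setting was later changed shows up as 'Mismatch' before it is reapplied on the next run.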

After you have completed these steps, you will see the preview feature:
[There was an image]

Learn more

Review online documentation that includes instructions to opt in for this capability, configuration details, and links to a webinar with demos.

Message ID: MC247827
Published: 30 March 2021
Updated: 12 October 2021

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected].
