Skip to Content

MC424416: Information Protection: Apply granular conditional access policies to SharePoint Online sites via sensitivity labels

With this update, administrators will be able to use Conditional Access policies and associated sensitivity labels to require additional user authentication for accessing sensitive SharePoint sites when the user’s context does not meet the requirements of the site. This message is associated with Microsoft 365 Roadmap IDs 82115, 82163, and 85979.

Admins will have the ability to use Azure AD conditional access policies to trigger multi-factor authentication (MFA), device and location policies on a specific SharePoint site collection based by simply attaching CA policies to a label.

Admins will have the ability to use Azure AD conditional access policies to trigger multi-factor authentication (MFA), device, and location policies on a specific SharePoint site collection by simply attaching CA policies to a label. For example, the Top-Secret label can now have a conditional access policy that requires MFA when accessing a site. This feature for GCC-H and DoD environments tracked by the roadmap item 85979.

Admins will have the ability to use Azure AD conditional access policies to trigger multi-factor authentication (MFA), device and location policies on a specific SharePoint site collection based by simply attaching CA policies to a label.

Admins will have the ability to use Azure AD conditional access policies to trigger multi-factor authentication (MFA), device, and location policies on a specific SharePoint site collection by simply attaching CA policies to a label. For example, the Top-Secret label can now have a conditional access policy that requires MFA when accessing a site. This feature for GCC-H and DoD environments tracked by the roadmap item 85979.

MC424416: Information Protection: Apply granular conditional access policies to SharePoint Online sites via sensitivity labels

When this will happen

Rollout will begin in late September and is expected to be complete by end of November.

How this will affect your organization

You might want additional authentication for accessing certain sensitive sites. For example, when a user visits a highly sensitive site labeled Confidential, you might want to enforce a step-up authentication with granular policies such as multi-factor authentication (MFA) when the user’s context does not meet the access requirement of the site.

With this release, you will be able to create Conditional Access authentication contexts in Azure Active Directory (Azure AD) tailored to your organization’s security posture.

You can then associate these authentication contexts with sensitivity labels in Microsoft Purview compliance portal > Information Protection. For example:

  • Low authentication context requires single factor authentication; this can be associated with a ‘General’ sensitivity label.
  • High authentication context requires MFA such as one time passcode verification and/or IP network location policy. This authentication context can be associated with a Confidential sensitivity label.

Once an admin configures the sensitivity label with authentication context, when a user applies a sensitivity label, the associated granular contextual and conditional policies are automatically enforced.

What you need to do to prepare

This release has no impact on existing Conditional Access policies in Azure AD. Nor is there a change in how SharePoint Online sites use existing Conditional Access policies.

To benefit from this new feature:

  1. Create Authentication Context in the Azure AD portal
  2. Tag the Authentication Context name with a Conditional Access policy in the Azure AD portal
  3. Choose the right Authentication Context name for a new sensitivity label in the compliance portal. Note: If you do not use labels that are applied to SharePoint sites, then you can directly apply the above authentication context to a given SharePoint Online site via PowerShell (download the latest SharePoint Online management shell).

After you have completed these steps, you will see the option within your Information Protection sensitivity label configuration flow:

After you have completed these steps, you will see the option within your Information Protection sensitivity label configuration flow.

Access the Information Protection solution in the Microsoft Purview compliance portal:

Learn more

Message ID: MC424416
Published: 01 September 2022
Updated: 01 September 2022
Platform: Online, US Instances, Web, World tenant

    Ads Blocker Image Powered by Code Help Pro

    Ads Blocker Detected!!!

    This site depends on revenue from ad impressions to survive. If you find this site valuable, please consider disabling your ad blocker.