Onevinn blog

Conditional Access for sensitive information

Written by Anders Olsson | 01 Jun 2021

Every organization has some extra sensitive information that requires more caution from its users. Common ways to emphasize that sensitivity are, for example, requiring extra authentication or approval of terms of use before the user gets access to the information. It's all about raising awareness to reduce the risk of accidental information leaks!

Microsoft has now started a preview of a feature that can assist with this.

In Conditional Access we can now configure conditions for accessing certain SharePoint Sites/Teams based on the sensitivity label of these sites.

In the example below the user can access Public, Business and Confidential sites, but to get access to information stored in sites classified as Secret, we require MFA.

It works the same way in Microsoft Teams, where multifactor authentication is triggered when you access the team's files:

If we need to raise awareness more explicitly, Terms of Use is a good complement.

The trick is a new feature in Conditional Access called Authentication Context, where we define the conditions and then add this context to the site and group settings of a sensitivity label.

Let's have a look at the configuration.

We first create a new authentication context from the new Authentication Context section in Conditional Access. In my example I call it "TOU Secret Inf".

We can then create a Conditional Access Policy for this authentication context:

Then we define the conditions we want, in my case MFA and Terms of Use:

We then configure the sensitivity label with this new authentication context, which is now available (in preview).

If for some reason you haven't started classifying your sites (I'd mainly recommend starting with that), you can use the SharePoint Online Management Shell and the Set-SPOSite command to define which Conditional Access policy should be used for a specific site.

This is done in the format:

Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "same name as provided in AAD"
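As an added example (not from the original post), here is that command applied to several sites from the SharePoint Online Management Shell, with a read-back afterwards so you can confirm the binding actually took effect and spot sites still on the default policy; the tenant admin URL and site URLs are placeholders, and the context name is the one created above.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# Management Shell module is installed and that the tenant/site URLs below
# are replaced with your own (they are placeholders).
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl    = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
$ContextName = 'TOU Secret Inf'                          # authentication context name created in AAD
$SecretSites = @(                                        # placeholder site URLs
    'https://contoso.sharepoint.com/sites/SecretProjectX',
    'https://contoso.sharepoint.com/sites/BoardMaterials'
)

Connect-SPOService -Url $AdminUrl

foreach ($url in $SecretSites) {
    # Bind the site to the authentication context so the CA policy applies
    Set-SPOSite -Identity $url `
        -ConditionalAccessPolicy AuthenticationContext `
        -AuthenticationContextName $ContextName

    # Read the setting back; if it is not AuthenticationContext the policy
    # is not enforced for this site and it should be investigated
    $site = Get-SPOSite -Identity $url -Detailed
    if ($site.ConditionalAccessPolicy -ne 'AuthenticationContext') {
        Write-Warning "$url : ConditionalAccessPolicy is '$($site.ConditionalAccessPolicy)', expected AuthenticationContext"
    } else {
        Write-Output "$url : bound to authentication context '$ContextName'"
    }
}

# Audit: list every site still on the default policy (AllowFullAccess), so
# sites that hold sensitive data but were never bound can be reviewed.
Get-SPOSite -Limit All |
    Where-Object { $_.ConditionalAccessPolicy -eq 'AllowFullAccess' } |
    Select-Object Url, ConditionalAccessPolicy
```

The audit at the end is a starting point for review, not a judgement about each site; compare it against your sensitivity classification to find sites that should have been bound.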

More information is available on Microsoft Docs.

Good luck