Tatiana Slepukhin-Zamachnaia

Microsoft Purview supports sublabels, or nested sensitivity labels. A detailed explanation of sublabels and their use cases is coming in an upcoming article. In this article, I am going to show you how to convert existing labels into sublabels.


Why would we want to convert labels to sublabels?


Here is a scenario: You have “Legal” and “R&D” labels; but now, your organization has decided that these should be sublabels of the newly created “Highly Confidential” label.

Once a label exists, the Purview portal gives you no way to turn it into a sublabel. The only point at which the portal lets you choose a parent is when you create a new label as a sublabel; an existing top-level label cannot be moved under a parent from the UI.


I am going to show you how to accomplish this with PowerShell.

Install the ExchangeOnlineManagement Module if it's not installed:

Install-Module -Name ExchangeOnlineManagement -Force

Import the ExchangeOnlineManagement Module:

Import-Module ExchangeOnlineManagement -Force

Then connect to MS Purview:

Connect-IPPSSession

Get our sensitivity labels: first the parent label, "Highly Confidential", then the "R&D" label, and then the "Legal" label.

# Parent label: the one the others will be nested under
$labelParent = Get-Label | Where-Object { $_.DisplayName -eq "Highly Confidential" }

# Child labels: these will become sublabels
$label2 = Get-Label | Where-Object { $_.DisplayName -eq "R&D" }

$label = Get-Label | Where-Object { $_.DisplayName -eq "Legal" }

Next, extract the ImmutableId of each label – it will be used to tie it all together.


$label.ImmutableId
$label2.ImmutableId
$labelParent.ImmutableId

To assign a label to a parent, use Set-Label with the ParentId parameter: -Identity takes the ImmutableId of the label that should become a sublabel, and -ParentId takes the ImmutableId of the label that should become its parent.

We run this command for the "R&D" label and then for the "Legal" label (the GUIDs below are the ImmutableIds retrieved in the previous step; note that the value must not contain stray whitespace).

Set-Label -Identity "d49de6be-b792-4aeb-a3b3-7395c56e105a" -ParentId "b631ff93-110b-4875-b475-7ec1648e3d31"
Set-Label -Identity "2379d880-51d8-4138-a7b5-1a5ab8d7dc2f" -ParentId "b631ff93-110b-4875-b475-7ec1648e3d31"

The effect of these commands is immediate – let’s take a look at the results.

I will retrieve all labels and the following properties: Name, ImmutableId, ParentId.

Get-Label | Format-Table Name, ImmutableId, ParentId

As you can see, our “R&D” and “Legal” labels both have a GUID in the ParentId column. This means that they are both sublabels. The ParentId shows that the parent is the 'Highly Confidential' label.

If you now switch to MS Purview (you will need to refresh your browser), you can see that the Highly Confidential label now has an icon that shows that it has nested labels.


Click on it to expand. You will see the “R&D” and the “Legal” Labels nested below. As you can see, the “R&D” and “Legal” Labels are now sublabels and Highly Confidential is a Parent Label.


Once a label policy containing these labels has been published, we can open a document's properties in SharePoint and take a look at the available sensitivity labels:



And here is how sublabels are presented to the end user in Microsoft Word:



If you made a mistake or simply do not want to use sublabels, run Set-Label -Identity for the sublabel and set ParentId to a null value.


Set-Label -Identity "d49de6be-b792-4aeb-a3b3-7395c56e105a" -ParentId $null
Set-Label -Identity "2379d880-51d8-4138-a7b5-1a5ab8d7dc2f" -ParentId $null

Execution of these commands takes effect immediately. If you inspect the sensitivity labels again, you will see that neither label has a ParentId any longer.
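As an added example (not code from the original article), here is the same procedure wrapped in functions that resolve labels by display name, refuse nestings that Purview will reject, verify the result by re-reading the label, and undo it. It assumes an existing Connect-IPPSSession, unique display names in the tenant, and that only one level of nesting is allowed (a sublabel cannot itself have sublabels); the function names are mine.

```powershell
# Added example, not code from the original article. Wraps Set-Label -ParentId
# in guarded, verified functions.
# Assumptions: Connect-IPPSSession has already been run, display names are unique,
# and Purview supports only one level of nesting (a sublabel has no sublabels).

function Test-HasParent {
    # Top-level labels may report ParentId as $null, '' or an all-zero GUID.
    param($Label)
    $id = "$($Label.ParentId)"
    return ($id -ne '' -and $id -ne [guid]::Empty.ToString())
}

function Get-LabelByDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $found = @(Get-Label | Where-Object { $_.DisplayName -eq $DisplayName })
    if ($found.Count -eq 0) { throw "No sensitivity label has the display name '$DisplayName'." }
    if ($found.Count -gt 1) { throw "Display name '$DisplayName' matches $($found.Count) labels; use the ImmutableId instead." }
    return $found[0]
}

function Set-LabelParent {
    param(
        [Parameter(Mandatory)][string]$ChildDisplayName,
        [Parameter(Mandatory)][string]$ParentDisplayName
    )
    $child  = Get-LabelByDisplayName $ChildDisplayName
    $parent = Get-LabelByDisplayName $ParentDisplayName

    if ("$($child.ImmutableId)" -eq "$($parent.ImmutableId)") {
        throw "A label cannot be its own parent."
    }
    if (Test-HasParent $parent) {
        throw "'$ParentDisplayName' is itself a sublabel; only one level of nesting is supported."
    }
    $children = @(Get-Label | Where-Object { "$($_.ParentId)" -eq "$($child.ImmutableId)" })
    if ($children.Count -gt 0) {
        throw "'$ChildDisplayName' already has $($children.Count) sublabel(s); move those first."
    }
    if ("$($child.ParentId)" -eq "$($parent.ImmutableId)") {
        Write-Host "'$ChildDisplayName' is already nested under '$ParentDisplayName'; nothing to do."
        return
    }

    Set-Label -Identity $child.ImmutableId -ParentId $parent.ImmutableId

    # Re-read the label rather than trusting the call: confirm the ParentId landed.
    $after = Get-Label -Identity $child.ImmutableId
    if ("$($after.ParentId)" -ne "$($parent.ImmutableId)") {
        throw "ParentId on '$ChildDisplayName' did not update; check the cmdlet output above."
    }
    Write-Host "'$ChildDisplayName' is now a sublabel of '$ParentDisplayName'."
}

function Clear-LabelParent {
    param([Parameter(Mandatory)][string]$ChildDisplayName)
    $child = Get-LabelByDisplayName $ChildDisplayName
    if (-not (Test-HasParent $child)) {
        Write-Host "'$ChildDisplayName' is already a top-level label."
        return
    }
    Set-Label -Identity $child.ImmutableId -ParentId $null
    $after = Get-Label -Identity $child.ImmutableId
    if (Test-HasParent $after) { throw "ParentId on '$ChildDisplayName' was not cleared." }
    Write-Host "'$ChildDisplayName' is a top-level label again."
}

# Usage: nest both labels, show the tree, then undo one of them.
Set-LabelParent -ChildDisplayName 'R&D'   -ParentDisplayName 'Highly Confidential'
Set-LabelParent -ChildDisplayName 'Legal' -ParentDisplayName 'Highly Confidential'
Get-Label | Sort-Object ParentId, DisplayName | Format-Table DisplayName, ImmutableId, ParentId
Clear-LabelParent -ChildDisplayName 'Legal'
```

Two things the cmdlet output will not tell you: a sublabel does not inherit the parent's protection or marking settings, so review each nested label's own settings after moving it; and although the ParentId changes immediately on the service side, Office clients pick up label changes on their next policy refresh, so users may see the old flat list for a while.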


If you go back to Microsoft Purview portal, after refreshing your browser, you will see that the labels are no longer nested.

 


Tatiana Slepukhin-Zamachnaia





In Insider Risk Management, a sequence isn’t just one activity, like downloading a file. It’s a chain of related activities carried out by a single user, one after the other. These sequences help identify risky behaviour by showing how actions connect.


Imagine a user downloads a file named "Financial Report" from SharePoint. By itself, downloading isn’t alarming. But now, they rename the file to "My Vacation Plan." Then, they email it to their personal address and delete the original.


If you were only looking at the email attachment, you'd see "My Vacation Plan" and might not think twice. But IRM detects the entire sequence. It shows the file started as "Financial Report," was renamed, sent, and deleted. This context raises red flags for investigators.


Sequences give you the full story, not just isolated events: the activities are not treated as unrelated random events, so you can understand the why behind the actions, not just the what.
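To make the idea concrete, here is an added example (not code from the original article, and not Microsoft's IRM implementation) of the correlation a sequence relies on: one user's events are ordered in time and tied together by a stable file identity rather than by file name, so the rename to "My Vacation Plan" does not break the chain. The event records are constructed for illustration; the field names, operation names and the 24-hour window are assumptions, not IRM's real schema or thresholds.

```powershell
# Added example, not code from the original article and not Microsoft's IRM
# logic. Detects an ordered activity sequence per (user, file) from constructed
# audit-style events. Field names, Op values and the window are assumptions.

$events = @(
    [pscustomobject]@{ User='alice'; Time=[datetime]'2024-03-01T09:00:00'; Op='FileDownloaded'; FileId='f-1001'; FileName='Financial Report.xlsx'; Location='SharePoint' }
    [pscustomobject]@{ User='alice'; Time=[datetime]'2024-03-01T09:05:00'; Op='FileRenamed';    FileId='f-1001'; FileName='My Vacation Plan.xlsx'; Location='Endpoint' }
    [pscustomobject]@{ User='alice'; Time=[datetime]'2024-03-01T09:20:00'; Op='FileUploaded';   FileId='f-1001'; FileName='My Vacation Plan.xlsx'; Location='PersonalCloud' }
    [pscustomobject]@{ User='alice'; Time=[datetime]'2024-03-01T09:25:00'; Op='FileDeleted';    FileId='f-1001'; FileName='My Vacation Plan.xlsx'; Location='Endpoint' }
    # bob reuses a template: download and rename only, so no exfiltration sequence
    [pscustomobject]@{ User='bob';   Time=[datetime]'2024-03-01T10:00:00'; Op='FileDownloaded'; FileId='f-2002'; FileName='Proposal Template.docx'; Location='SharePoint' }
    [pscustomobject]@{ User='bob';   Time=[datetime]'2024-03-01T10:02:00'; Op='FileRenamed';    FileId='f-2002'; FileName='Q3 Proposal.docx';        Location='Endpoint' }
    # carol's delete happened three days after the upload: outside the window
    [pscustomobject]@{ User='carol'; Time=[datetime]'2024-03-01T11:00:00'; Op='FileDownloaded'; FileId='f-3003'; FileName='Customer List.csv'; Location='SharePoint' }
    [pscustomobject]@{ User='carol'; Time=[datetime]'2024-03-01T11:10:00'; Op='FileUploaded';   FileId='f-3003'; FileName='Customer List.csv'; Location='PersonalCloud' }
    [pscustomobject]@{ User='carol'; Time=[datetime]'2024-03-04T11:15:00'; Op='FileDeleted';    FileId='f-3003'; FileName='Customer List.csv'; Location='Endpoint' }
)

function Find-ActivitySequence {
    # Returns one record per (user, file) whose events contain $Pattern as an
    # ordered subsequence completed within $Window. Other events in between
    # (a rename, for instance) do not break the match and are kept as context.
    param(
        [Parameter(Mandatory)]$Events,
        [string[]]$Pattern = @('FileDownloaded', 'FileUploaded', 'FileDeleted'),
        [timespan]$Window  = [timespan]::FromHours(24)
    )
    $Events | Group-Object User, FileId | ForEach-Object {
        $chain   = @($_.Group | Sort-Object Time)
        $matched = @()
        $next    = 0
        foreach ($e in $chain) {
            if ($next -lt $Pattern.Count -and $e.Op -eq $Pattern[$next]) {
                $matched += $e
                $next++
            }
        }
        if ($next -eq $Pattern.Count -and ($matched[-1].Time - $matched[0].Time) -le $Window) {
            [pscustomobject]@{
                User         = $chain[0].User
                OriginalName = $chain[0].FileName   # name when first seen, before any rename
                FinalName    = $chain[-1].FileName  # name at the last event
                Steps        = ($chain | ForEach-Object { $_.Op }) -join ' -> '
                Duration     = $matched[-1].Time - $matched[0].Time
            }
        }
    }
}

Find-ActivitySequence -Events $events | Format-List
```

Only alice's chain satisfies the pattern: the download, upload to personal cloud and delete occur in order within the window, and the report carries both the original name and the final name, which is exactly the context an investigator looking only at the upload would miss. Bob's template reuse never completes the pattern, and carol's chain is split by the window; the page's later remarks on false positives are about tuning exactly these two knobs, the required steps and the time window.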


Select the Alert to review its risk factors:


On the All Risk Factors page of the IRM Alert, you can find the Sequences of Activity dashboard.


Select "View all sequence activity"


In the Activity Explorer you can see the sequences on the left.



The sequence in this case is "Files exfiltrated and cleaned up". It also shows a risk score, which here is 100 out of 100.

For this sequence, we can see 72 events were detected. These include files downloaded from SharePoint, uploaded to the cloud, and then deleted. Of those, 26 events involve files with sensitive information.


You can select one of the events from the events grid to inspect the event's details.



The Activity Details panel shows information such as date and time, operation, and location details (in this case the SharePoint site URL). The Object ID gives the full SharePoint path and file name.


The Result Status section breaks down all of the steps of the sequence.


Step 1 is a SharePoint file download. It also says that there were 16 such events within one hour.


Step 2 – user copied the downloaded file to Personal Cloud.


And in Step 3, the downloaded file was deleted.


Next you can select the “User activity” tab.


The activities are displayed as two connected dots inside the circle.


Hover over the icon to see the date and time of the risky activity associated with this sequence. This is where you can literally "connect the dots" between the activities in the sequence.



Click on the sequence icon to see the summary of the sequence.


You can use sequence indicators as triggering events for an IRM policy.


When creating an IRM policy, note that sequence indicators are only available as triggering events for the Data leaks (general data leaks) and Data leaks by priority users policy templates.



In the "Triggering event" screen of the policy wizard, scroll down to the Sequences section to select which sequences will trigger this policy. As you can see, there are quite a few sequences to choose from. Selecting all of them gives the broadest coverage; plan to revisit the selection and thresholds once you have seen which sequences generate noise in your environment.




Thresholds for sequences are much lower than those for single events, and for good reason—sequences are a strong indicator of potential insider risk.




You’ll often find users downloading existing files or templates from SharePoint, renaming them, uploading them to the cloud, and then deleting them. In many cases, workers are simply reusing templates, but these activities can trigger sequence indicators. To avoid generating too many false positives, you might need to revise your procedures or further customize your policies.


Additionally, if your SharePoint tenant isn't properly configured, IRM policies may generate alerts stating that files are being uploaded to a personal cloud. To prevent this, make sure the company's tenant is added as a trusted cloud app in Microsoft Defender for Cloud Apps. You should also verify that the company's tenant domain is properly registered in Azure AD (now Microsoft Entra ID), as misconfigured domains can appear as external.

Tatiana Slepukhin-Zamachnaia

There is a scenario where your SharePoint files can still be shared with external users, even if you have DLP policies applied.  


This scenario is applicable if your tenant is set up to allow external sharing. For example, your tenant might allow external sharing in a B2B setup, where one business collaborates with another. Or your organization might have regional divisions in different countries, each with its own tenant, requiring users to be added as guests for collaboration.


Let's say your organization creates a large number of reports or other files at the end of the quarter and uploads them to SharePoint. These newly uploaded files are not immediately protected by DLP policies, because DLP takes time to scan new files.


During this delay, external users could still access these sensitive files before DLP scanning is complete.


You can close this gap with the following PowerShell command:


Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

This setting applies to all SharePoint sites within your tenant. Once enabled, all newly uploaded files are treated as sensitive by default until DLP scans them. Guests will not have access to these files during this time. Instead, they’ll see a page with a message that scanning is in progress.


This setting only affects external users - files can still be shared freely with internal users.


Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
Import-Module Microsoft.Online.SharePoint.PowerShell
# Without -Credential the cmdlet opens an interactive sign-in, which works with MFA-protected admin accounts.
Connect-SPOService -Url https://[YOURTENANT]-admin.sharepoint.com -ModernAuth $true -AuthenticationUrl https://login.microsoftonline.com/organizations
Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

You will need to wait about 15 minutes until the setting takes effect.


To reverse this setting, run the following command:


Set-SPOTenant -MarkNewFilesSensitiveByDefault AllowExternalSharing
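Because this is a tenant-wide switch, it is worth recording the current value and confirming the change rather than just firing the command. Here is an added example (not code from the original article) that does that with Get-SPOTenant; it assumes an admin session and a tenant name in place of [YOURTENANT], and the function names are mine.

```powershell
# Added example, not code from the original article. Records the current tenant
# setting, applies the requested mode only when it differs, and verifies the
# change with Get-SPOTenant. Replace [YOURTENANT] with your tenant name.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://[YOURTENANT]-admin.sharepoint.com

function Get-NewFileSharingMode {
    # Reads the tenant-wide value; there is no per-site variant of this setting.
    return (Get-SPOTenant).MarkNewFilesSensitiveByDefault
}

function Set-NewFileSharingMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AllowExternalSharing', 'BlockExternalSharing')]
        [string]$Mode
    )
    $before = Get-NewFileSharingMode
    if ("$before" -eq $Mode) {
        Write-Host "MarkNewFilesSensitiveByDefault is already $Mode; nothing to do."
        return
    }
    Write-Host "Changing MarkNewFilesSensitiveByDefault from $before to $Mode (tenant-wide)."
    Set-SPOTenant -MarkNewFilesSensitiveByDefault $Mode

    # Read the value back; enforcement itself can lag by roughly 15 minutes.
    $after = Get-NewFileSharingMode
    if ("$after" -ne $Mode) {
        Write-Warning "Get-SPOTenant still reports '$after'; re-check before relying on the change."
    } else {
        Write-Host "Verified: MarkNewFilesSensitiveByDefault is now $after."
    }
}

# Block external sharing of new files until DLP has scanned them.
Set-NewFileSharingMode -Mode BlockExternalSharing

# To revert later:
# Set-NewFileSharingMode -Mode AllowExternalSharing
```

Keep the "before" value that the script prints with your change record, so that whoever reverts the setting later knows what the tenant looked like before.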

 

 

 

© 2024 Cloud Confidential Inc.
