Set-LabelPolicy
This cmdlet is functional only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.
Use the Set-Label cmdlet to modify sensitivity label policies in your organization.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Set-LabelPolicy
[-Identity] <PolicyIdParameter>
-RetryDistribution
[-AddLabels <MultiValuedProperty>]
[-AdvancedSettings <PswsHashtable>]
[-Confirm]
[-MigrationId <String>]
[-NextLabelPolicy <PolicyIdParameter>]
[-PreviousLabelPolicy <PolicyIdParameter>]
[-RemoveLabels <MultiValuedProperty>]
[<CommonParameters>]
Set-LabelPolicy
[-Identity] <PolicyIdParameter>
[-AddExchangeLocation <MultiValuedProperty>]
[-AddExchangeLocationException <MultiValuedProperty>]
[-AddLabels <MultiValuedProperty>]
[-AddModernGroupLocation <MultiValuedProperty>]
[-AddModernGroupLocationException <MultiValuedProperty>]
[-AddOneDriveLocation <MultiValuedProperty>]
[-AddOneDriveLocationException <MultiValuedProperty>]
[-AddPublicFolderLocation <MultiValuedProperty>]
[-AddSharePointLocation <MultiValuedProperty>]
[-AddSharePointLocationException <MultiValuedProperty>]
[-AddSkypeLocation <MultiValuedProperty>]
[-AddSkypeLocationException <MultiValuedProperty>]
[-AdvancedSettings <PswsHashtable>]
[-Comment <String>]
[-Confirm]
[-MigrationId <String>]
[-NextLabelPolicy <PolicyIdParameter>]
[-PolicyRBACScopes <MultiValuedProperty>]
[-RemoveExchangeLocation <MultiValuedProperty>]
[-RemoveExchangeLocationException <MultiValuedProperty>]
[-RemoveLabels <MultiValuedProperty>]
[-RemoveModernGroupLocation <MultiValuedProperty>]
[-RemoveModernGroupLocationException <MultiValuedProperty>]
[-RemoveOneDriveLocation <MultiValuedProperty>]
[-RemoveOneDriveLocationException <MultiValuedProperty>]
[-RemovePublicFolderLocation <MultiValuedProperty>]
[-RemoveSharePointLocation <MultiValuedProperty>]
[-RemoveSharePointLocationException <MultiValuedProperty>]
[-RemoveSkypeLocation <MultiValuedProperty>]
[-RemoveSkypeLocationException <MultiValuedProperty>]
[<CommonParameters>]
Set-LabelPolicy
[-Identity] <PolicyIdParameter>
[-AddLabels <MultiValuedProperty>]
[-AdvancedSettings <PswsHashtable>]
[-Comment <String>]
[-Confirm]
[-Force]
[-MigrationId <String>]
[-NextLabelPolicy <PolicyIdParameter>]
[-PreviousLabelPolicy <PolicyIdParameter>]
[-RemoveLabels <MultiValuedProperty>]
[-Setting <PswsHashtable>]
[-Settings <PswsHashtable>]
[-WhatIf]
[<CommonParameters>]
To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Purview compliance portal.
Note: Don't use a piped Foreach-Object command when adding or removing scope locations: "Value1","Value2",..."ValueN" | Foreach-Object {Set-LabelPolicy -Identity "Global Policy" -RemoveExchangeLocation $_ }
.
Set-LabelPolicy -Identity "Global Policy" -AdvancedSettings @{EnableCustomPermissions="False"}
This example configures the specified advanced setting for the sensitivity label policy name Global Policy.
The AddExchangeLocation parameter specifies the mailboxes to add to the list of included mailboxes when you aren't using the value All for the ExchangeLocation parameter. A valid value is a mailbox.
To specify the mailbox, you can use any value that uniquely identifies it. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The AddExchangeLocationException parameter specifies the mailboxes to add to the list of excluded mailboxes when you use the value All for the ExchangeLocation parameter. A valid value is a mailbox.
To specify the mailbox, you can use any value that uniquely identifies it. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The AddLabels parameter specifies the sensitivity labels that you want to add to the policy. You can use any value that uniquely identifies the label. For example:
- Name
- Distinguished name (DN)
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The AddModernGroupLocation parameter specifies the Microsoft 365 Groups to add to the list of included Microsoft 365 Groups. To identify the Microsoft 365 Group, you must use the primary SMTP address.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The AdvancedSettings parameter enables client-specific features and capabilities for the sensitivity label policy.
Specify this parameter with the identity (name or GUID) of the policy, with key/value pairs in a hash table. To remove an advanced setting, use the same AdvancedSettings parameter syntax, but specify a null string value.
Some of the settings that you configure with this parameter are supported only by the Microsoft Purview Information Protection client and not by Office apps and services that support built-in labeling. For a list of these, see Advanced settings for Microsoft Purview Information Protection client.
Supported settings for built-in labeling:
AttachmentAction: Unlabeled emails inherit the highest priority label from file attachments. Set the value to Automatic (to automatically apply the label) or Recommended (as a recommended prompt to the user. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{AttachmentAction="Automatic"}
. For more information about this configuration choice, see Configure label inheritance from email attachments.EnableAudit: Prevent Office apps from sending sensitivity label data to Microsoft 365 auditing solutions. Supported apps: Word, Excel, and PowerPoint on Windows (version 2201+), macOS (version 16.57+), iOS (version 2.57+), and Android (version 16.0.14827+); Outlook on Windows (version 2201+), Outlook on the web, and rolling out to macOS, iOS, and Android. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableAudit="False"}
.EnableRevokeGuiSupport: Remove the Track & Revoke button from the sensitivity menu in Office clients. Supported apps: Word, Excel, and PowerPoint on Windows (version 2406+). Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableRevokeGuiSupport="False"}
. For more information about this configuration choice, see Track and revoke document access.DisableMandatoryInOutlook: Outlook apps that support this setting exempt Outlook messages from mandatory labeling. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{DisableMandatoryInOutlook="True"}
. For more information about this configuration choice, see Outlook-specific options for default label and mandatory labeling.OutlookDefaultLabel: Outlook apps that support this setting apply a default label, or no label. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel="None"}
. For more information about this configuration choice, see Outlook-specific options for default label and mandatory labeling.TeamworkMandatory: Outlook and Teams apps that support this setting can enable or disable mandatory labeling for meetings. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{TeamworkMandatory="True"}
. For more information about labeling meetings, see Use sensitivity labels to protect calendar items, Teams meetings, and chat.teamworkdefaultlabelid: Outlook and Teams apps that support this setting apply a default label, or no label for meetings. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{teamworkdefaultlabelid="General"}
. For more information about labeling meetings, see Use sensitivity labels to protect calendar items, Teams meetings, and chat.HideBarByDefault: For Office apps that support the sensitivity bar, don't display the sensitivity label name on the window bar title so that there's more space to display long file names. Just the label icon and color (if configured) will be displayed. Users can't revert this setting in the app. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{HideBarByDefault="True"}
DisableShowSensitiveContent: For Office apps that highlight the sensitive content that caused a label to be recommended, turn off these highlights and corresponding indications about the sensitive content. For more information, see Sensitivity labels are automatically applied or recommended for your files and emails in Office. Supported apps: Word for Windows (version 2311+). Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{DisableShowSensitiveContent="True"}
Additionally, for Power BI:
powerbimandatory: Mandatory labeling for Power BI. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{powerbimandatory="true"}
. For more information about this configuration choice, see Mandatory label policy for Power BI.powerbidefaultlabelid: Default label for Power BI content. Example:
Set-LabelPolicy -Identity Global -AdvancedSettings @{powerbidefaultlabelid="General"}
. For more information about this configuration choice, see Default label policy for Power BI.
Type: | PswsHashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The Comment parameter specifies an optional comment. If you specify a value that contains spaces, enclose the value in quotation marks ("), for example: "This is an admin note".
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
- Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax:
-Confirm:$false
. - Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The Force switch hides warning or confirmation messages. You don't need to specify a value with this switch.
You can use this switch to run tasks programmatically where prompting for administrative input is inappropriate.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The Identity parameter specifies the policy that you want to view. You can use any value that uniquely identifies the policy. For example:
- Name
- Distinguished name (DN)
- GUID
Type: | PolicyIdParameter |
Position: | 1 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The NextLabelPolicy parameter updates the policy order so the policy that's specified by this parameter is after the current policy that you're modifying. You can use any value that uniquely identifies the policy. For example:
- Name
- Distinguished name (DN)
- GUID
Type: | PolicyIdParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The PolicyRBACScopes parameter specifies the administrative units to assign to the policy. A valid value is the Microsoft Entra ObjectID (GUID value) of the administrative unit. You can specify multiple values separated by commas.
Administrative units are available only in Microsoft Entra ID P1 or P2. You create and manage administrative units in Microsoft Graph PowerShell.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The PreviousLabelPolicy parameter updates the policy order so the policy that's specified by this parameter is before the current policy that you're modifying. You can use any value that uniquely identifies the policy. For example:
- Name
- Distinguished name (DN)
- GUID
Type: | PolicyIdParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The RemoveExchangeLocation parameter specifies the mailboxes to remove from the list of included mailboxes when you aren't using the value All for the ExchangeLocation parameter. Valid values are:
- A mailbox
- A distribution group or mail-enabled security group (all mailboxes that are currently members of the group).
To specify a mailbox or distribution group, you can use any value that uniquely identifies it. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The RemoveExchangeLocationException parameter specifies the mailboxes to remove from the list of excluded mailboxes when you're using the value All for the ExchangeLocation parameter. Valid values are:
- A mailbox
- A distribution group or mail-enabled security group (all mailboxes that are currently members of the group).
To specify a mailbox or distribution group, you can use any value that uniquely identifies it. For example:
- Name
- Distinguished name (DN)
- Email address
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The RemoveLabels parameter specifies the sensitivity labels that you want to remove from the policy. You can use any value that uniquely identifies the label. For example:
- Name
- Distinguished name (DN)
- GUID
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The RemoveModernGroupLocation parameter specifies the Microsoft 365 Groups to remove from the list of included groups. To identify the Microsoft 365 Group, you must use the primary SMTP address.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN"
.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | MultiValuedProperty |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The RetryDistribution switch specifies whether to redistribute the policy to all Exchange Online locations. You don't need to specify a value with this switch.
Locations whose initial distributions succeeded aren't included in the retry. Policy distribution errors are reported when you use this switch.
Note: Because the process of retrying distribution is a significant operation, run it only if necessary and for one policy at a time. It is not intended to be run every time you update a policy. If you run a script to update multiple policies, wait until the policy distribution is successful before running the command again for the next policy.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | PswsHashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
This parameter is reserved for internal Microsoft use.
Type: | PswsHashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
The WhatIf switch doesn't work in Security & Compliance PowerShell.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |