This PowerShell script creates or updates TLP 2.0–aligned sensitivity labels in Microsoft Purview and applies baseline encryption, header markings, and Sites & Groups defaults.
It is idempotent (safe to re-run) and supports Retail (Commercial/GCC) and US Gov (GCC High / DoD) environments.
TLP reference: https://www.cisa.gov/tlp
Labels (with priority order):
- Public — TLP:CLEAR
- General — TLP:GREEN
- Confidential – External — TLP:AMBER
- Confidential – Internal — TLP:AMBER+STRICT
- Confidential – View Only — TLP:RED
- Confidential – Ext: Encrypted, broad rights for `AuthenticatedUsers`, header marking.
- Confidential – Int: Encrypted, rights scoped to tenant primary domain, header marking.
- Confidential – View Only: Encrypted, `VIEW` only, header marking.

- Public: Public, guests allowed, external + guest sharing.
- General: Guests allowed, external users only.
- Confidential – External: Private, guests allowed, external users only.
- Confidential – Internal: Private, no guests, sharing disabled.
- Confidential – View Only: No container settings applied.

- PowerShell (run as Administrator)
- `ExchangeOnlineManagement` module
- Purview / Compliance admin permissions
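
The create-or-update pattern that makes a label script safe to re-run, as an added sketch for one label (this is not the project's own script). The function name `Set-TlpLabel`, the internal label name, the header styling values and the `example.com` rights identity are assumptions; offline-access and Sites & Groups settings are left out.

```powershell
# Added example, not the project's script. Requires an open session:
#   Connect-IPPSSession   (from the ExchangeOnlineManagement module)
function Set-TlpLabel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,         # hypothetical internal name
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$HeaderText,   # e.g. 'TLP:RED'
        [string]$RightsDefinitions                   # 'identity:RIGHT,...'; empty = no encryption
    )

    # Desired state, shared by New-Label and Set-Label via splatting.
    $settings = @{
        DisplayName                        = $DisplayName
        Tooltip                            = "Handle as $HeaderText"
        ApplyContentMarkingHeaderEnabled   = $true
        ApplyContentMarkingHeaderText      = $HeaderText
        ApplyContentMarkingHeaderAlignment = 'Center'   # assumed styling
        ApplyContentMarkingHeaderFontSize  = 10         # assumed styling
    }
    if ($RightsDefinitions) {
        $settings.EncryptionEnabled                           = $true
        $settings.EncryptionProtectionType                    = 'Template'
        $settings.EncryptionRightsDefinitions                 = $RightsDefinitions
        $settings.EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
    }

    # Look the label up by name instead of relying on a not-found error.
    $existing = Get-Label | Where-Object { $_.Name -eq $Name }

    if ($existing) {
        if ($PSCmdlet.ShouldProcess($Name, 'Update sensitivity label')) {
            Set-Label -Identity $Name @settings
        }
    }
    elseif ($PSCmdlet.ShouldProcess($Name, 'Create sensitivity label')) {
        New-Label -Name $Name @settings
    }
}

# Constructed usage; -WhatIf previews the change without writing it.
Set-TlpLabel -Name 'Confidential-ViewOnly' -DisplayName 'Confidential – View Only' `
    -HeaderText 'TLP:RED' -RightsDefinitions 'example.com:VIEW' -WhatIf
```

Because the same settings hashtable feeds both branches, a second run converges an existing label to the declared state instead of failing on a duplicate name.
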
This guy did it better
https://github.com/GarthVDW/M365-Purview-DLP-Enable-Sensitivity-Labels
Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell