TenLens
Back to script library
Entra / Microsoft 365 · Compliance & audit

Analyze sensitivity label usage

A script to analyze the usage of sensitivity labels based on Office 365 audit log data.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-ExchangeOnline
Connect-IPPSSession

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [int] $LookbackDays = 90,
    [string] $StartDate = (Get-Date).AddDays(-$LookbackDays),
    [string] $EndDate = (Get-Date).AddDays(1)
)
 
Connect-ExchangeOnline
Connect-IPPSSession
 
Write-Host "Retrieving sensitivity labels used in the tenant"
$Labels = @{}
[array]$LabelSet = Get-Label | Select-Object ImmutableId, DisplayName
If (!($LabelSet)) { Write-Host "Can't find any sensitivity labels - exiting"; break }
ForEach ($L in $LabelSet) { $Labels.Add([string]$L.ImmutableId, [string]$L.DisplayName) }
 
$Operations = ("SensitivityLabelUpdated", "SensitivityLabelApplied", "FileSensitivityLabelApplied", "MIPLabel")
[Array]$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 5000 -Operations $Operations
If (!($Records)) { Write-Host "No audit records for sensitivity label application found - exiting" ; break }
 
$Records = $Records | Where-Object {$_.RecordType -ne "ComplianceDLPExchange"}
$Report = [System.Collections.Generic.List[Object]]::new()
 
ForEach ($Rec in $Records) {
   $AuditData = $Rec.AuditData | ConvertFrom-Json
   $LabelRemoved = $Null; $LabelAdded = $Null; $Type = $Null; $LabelRemoved = $Null; $Item = $Null; $Site = $Null
 
   If ($AuditData.Application -ne "Outlook") {
   Switch ($Rec.Operations) {
    "FileSensitivityLabelApplied" {
      $Type = "Default label applied by policy"
      $LabelAdded = $Labels[$AuditData.DestinationLabel]
      $Application = $AuditData.Workload
      $ObjectId = $AuditData.ObjectId
      $Item = $AuditData.DestinationFileName
      $Site = $AuditData.SiteUrl
    }
    "SensitivityLabelApplied" {
     $Type = "Label assigned by user"
     $LabelAdded = $Labels[$AuditData.SensitivityLabelEventData.SensitivityLabelId]
     $Application = $AuditData.Application
     $ObjectId = [System.Web.HttpUtility]::UrlDecode($AuditData.ObjectId)
     $Item = $ObjectId.Split('/')[-1]
     $Site = "https://" + $ObjectId.Split("/")[2] + "/sites/" + $ObjectId.Split("/")[4] + "/"
    }
     "SensitivityLabelUpdated" {
     $Type = "Label updated by user"
     $LabelAdded = $Labels[$AuditData.SensitivityLabelEventData.SensitivityLabelId]
     $LabelRemoved = $Labels[$AuditData.SensitivityLabelEventData.OldSensitivityLabelId]
     $Application = $AuditData.Application
     $ObjectId =  [System.Web.HttpUtility]::UrlDecode($AuditData.ObjectId)
     $Item = $ObjectId.Split('/')[-1]
     $Site = "https://" + $ObjectId.Split("/")[2] + "/sites/" + $ObjectId.Split("/")[4] + "/"
    }
    "MIPLabel" {
     $Type = "Email labeled"
     $LabelAdded = $Labels[$AuditData.LabelId]
     $Application = "Exchange Online"
     $ObjectId = "Email"
     $Item = "Email"
     $Site = "N/A"
     }
   } #End Switch
 
 If ($UserId -eq "app@sharepoint") {
     $Type = "Default label applied by document library"
 } ElseIf ($UserId -eq "SHAREPOINT\system") {
   $Type = "Label applied by auto-label policy" }
 If ($ObjectId -like "*/personal/*") { #Fix-up for OneDrive accounts
    $Site = "https://" + $ObjectId.Split("/")[2] + "/personal/" + $ObjectId.Split("/")[4] + "/" }
 
  $DataLine = [PSCustomObject] @{
       Timestamp    = Get-Date($Rec.CreationDate) -format g
       User         = $AuditData.UserId
       Operation    = $Rec.Operations
       LabelAdded   = $LabelAdded
       LabelRemoved = $LabelRemoved
       Application  = $Application
       Type         = $Type
       Site         = $Site
       Object       = $ObjectId
       Item         = $Item }
 
 $Report.Add($DataLine)
 } #End if
} # End ForEach
 
# Analysis
Write-Host ""
Write-Host "Most commonly used sensitivity labels"
Write-Host "-------------------------------------"
$Report | Group-Object LabelAdded | Sort-Object Count -Descending | Format-Table Name, Count
Write-Host ""
Write-Host "Most prolific applier of sensitivity labels"
Write-Host "-------------------------------------------"
$Report | Group-Object User | Sort-Object Count -Descending | Format-Table Name, Count
 
$Report | Out-GridView

Parameters

ParameterDefaultNotes
-LookbackDays90Number of days of audit log data to analyze for sensitivity label events.
-StartDate(Get-Date).AddDays(-90)Start of the reporting window.
-EndDate(Get-Date).AddDays(1)End of the reporting window.
Attribution
Author
Office365itpros
Related scripts
Entra / Microsoft 365 · Exchange Online

Add contacts to mailboxes

Copies organizational contacts from a SharePoint list into Exchange user mailboxes for newly licensed users, using app-only Microsoft Graph permissions.

Entra / Microsoft 365 · Applications

Add owners to apps

Finds Entra ID app registrations without owners and assigns the last modifier or creator as owner, using unified audit log records to identify who last managed each app.

Entra / Microsoft 365 · Teams

Add Teams to group expiration policy

Adds Microsoft Teams whose backing groups are not yet covered by the Microsoft 365 group expiration policy.