Using Security & Compliance Labels for Content Rollup in “Modern” SharePoint

It’s almost the normal course of events that we SharePointilists have to bend SharePoint’s capabilities to our whim to accomplish business requirements. This post is about one of these sorts of bastardizations of the platform which allow us to get something important done. I’m writing it up because it’s what I do, but also to get some SharePoint Product Group eyeballs on it to make sure it’ll stand the test of time.

When I first saw how Security & Compliance labels worked, this is exactly the sort of thing I thought it might enable well, but I’ve not seen anyone try something like this. That is, I sort of ignored the words “security” and “compliance” and saw an overarching way to label content for knowledge management in Office 365.

Here’s the basic scenario:

  1. We have a set of “modern” sites – let’s call them Group A, Group B, etc. – which are effectively subsites to a Communications site – let’s call it the Department Site.
  2. We want to be able to roll up content from the Group sites where a certain piece of metadata has been applied to mark the document as Important.
  3. We don’t know how many Document Libraries or Content Types might exist in the Group sites, since people are likely to use the sites to get work done, adding content repos as they need them over time.
  4. We’d like to stick to “out-of-the-box”. It’s tempting to want to go and write some code in a custom SharePoint Framework Web Part, but that doesn’t necessarily cover some of the other requirements here.

Ideally, we’d have a great Information Architecture in place using the Content Type Hub, but usually we don’t have the luxury for that across a large organization – the discussions run on far longer than the requirement dictates we act. Plus, number 3 above. Plus, the Content Type Hub is way long in the tooth and really isn’t an effective tool in the “modern” era. Reasons for this include:

  • Management of Content Types is rudimentary, at best
  • The new flat site topology (subsites are now considered the “spawn of the devil” – to me this is throwing babies out with bath water) means that it’s MUCH harder to share Content Types across “modern” “sites” (which are now Site Collections)
  • Content Types have to be published to all Site Collections, which means that a large organization is likely to create an incredibly large set of Content Types – i.e., a real IA mess

Given the scenario and the new capabilities in the Security & Compliance center with labels, it seemed to make sense to try:

  • Creating an Important label. This label will effectively be used only as a tagging mechanism.
  • Publishing the label only to the “modern” “sites” which actually need it. The requirements for one Department may well be different than those for other departments in a large organization. Of course, we can also choose to publish to all sites. Even better, the label can be published for use in Exchange, SharePoint, OneDrive, and Groups! In other words, it transcends the normal bounds of SharePoint.
  • Any document in any of the target sites can have the label applied once the label is published. (This is supposed to take up to 24 hours, but in my testing, it was less than one hour.)
  • Use the Highlighted Content Web Part (HCWP) in the “modern” Department Site to display content which has the Important label applied.

The hard part was figuring out the mechanics of all of this. We don’t want to just start plopping labels into Security & Compliance willy-nilly, for – as noted above – their reach and scope can be quite wide.

The other thing that wasn’t at all apparent was whether the label data was available as a managed property for filtering in the HCWP. There were some complications here:

  • What managed property might contain the data? Was there actually a managed property to serve this purpose?
  • Would the managed property be available for filtering in the HCWP? The documentation for the HCWP says that only managed properties which are searchable would be available.

Well, it turns out there is a managed property: it’s called ComplianceTag and it’s mapped to the crawled property ows_ComplianceTag. I’ll admit I didn’t figure this out – someone at my client clued me in. The only references for this that I’ve found are developer references, so it wouldn’t be at all obvious to a normal person setting up filtering in a HCWP.

Based on the settings we see above, it’s not “searchable”, but read on…

Create the Label

You have to have access to the Security & Compliance center for this, which is in the Admin center. This access is often limited to IT, so yes, you’ll have to have one of those conversations. Once you are there, click on Classifications, then Labels, then Create a Label.

You’ll give your label a name and probably two descriptions: one for admins and one for users. It makes sense that they might not be the same.

Next, we can decide if we want to specify any retention policies for this label. I’m going to keep this simple and gloss over that part – leaving retention off for this label.

Finally, we review and save.

Now the label is in place, but it isn’t available anywhere yet, thus we need to publish it, and there’s a convenient button for that: Publish label.

Publish the Label

First we make sure we’re dealing with the right label(s).

Next, we decide where we want to publish the label. The default is EVERYWHERE. In a smaller organization, that might make perfect sense.


In a larger organization, you may want to publish to very specific places, and the capabilities here should have you covered.

When we publish the label, we’re actually creating a new label policy, and we have to give it a name and optionally, a description.

Finally, we review the settings and publish. Note the important message at the top of the screen: “It will take up to 1 day for labels to appear to your users. Labels will appear in Outlook and Outlook web app only for mailboxes that have at least 10 MB of data.” As I mentioned, it took less than an hour in my tenant, but clearly it can take longer.

Apply the Label

Once the label is available where you’ve published it, you can add it to content. The nice thing about this is that applying a label is no different than working with any other metadata; the label capability is simply there in the Properties panel for each list item. Yes, this works the same in lists and libraries. Note that here I’m applying the Final label because I didn’t want to wait for the Important label to proliferate.

Retrieve the Items

My items and documents with labels were indexed overnight (yes, indexing can still be problematic for these things), and I can now do a search with “ComplianceTag:Final” and retrieve them in the “classic” search center…

…and in the “modern” search results. Note that the list item is not displayed here – to me that is a bug.

Add the Highlighted Content Web Part

Finally, let’s display this content in our Department Site using the HCWP. Edit a page and add the HCWP to it. In the settings, we need to choose All sites, as it’s the only way to reach across Site Collections.

In the Filter and sort section, choose a Managed property filter and set it to use the ComplianceTag and your specific value.

And voila! You’re displaying the content you want in a “roll up”.

Caveats

  • The Source in the HCWP has to be All Sites – which could become inefficient over time. There’s no option currently to specify a site or a library in another site.
  • Because of the above, we can add a SitePath filter for sites which contain something specific in their path. Not a great method, but it should suffice until we can create a Hub Site with its own Search Scope (assuming the Highlighted Content Web Part). Alternatively (and perhaps in this case preferably), we can add a Highlighted Content Web Part per Group site with the specific URL as a filter.
  • The display is limited to these columns: DocType, Title, Modified, Modified By.
  • We can’t rename the HCWP, so we’re stuck with whatever title it gives us. Adding a Text Web Part above each of the HCWPs could be a workaround. John Sanders (@johnsanders) pointed out that we can indeed change the HCWP title. I tried in vain to do it, but once you know that you can type right in the title location (though the value is auto-populated based on the sort when you create the Web Part), you can most definitely change it.
  • The documents displayed come from the search index, and as with my experience testing this, that index can take a while to populate. So people who label their document as Important (or Final) and attempt to search for it or see it in the Highlighted Content Web Parts will not see that content until the index catches up. This is an indeterminate period of time in SharePoint Online, and often creates a lot of frustration.
  • This does not scale as your content corpus grows. I’d like to think that the HCWP will gain new capabilities over time which will help us with this, just as with the Content Search Web Part and the Content Query Web Part before it.
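The same filter the HCWP applies can be checked directly against the SharePoint Search REST endpoint before building the page. This is an added example, not code from the original post: it builds the `ComplianceTag` query, narrows it to specific Group sites, and flattens the result rows. It assumes the standard `Path` managed property for scoping (instead of the SitePath filter mentioned above); the contoso URLs and the sample response are constructed placeholders.

```javascript
// Added example (not from the original post). Site URLs and the sample
// response are constructed placeholders.

// KQL has no escape for an embedded double quote, so reject such values
// rather than emit a query that means something else.
function kqlQuote(value) {
  if (typeof value !== "string" || value.length === 0 || value.includes('"')) {
    throw new Error("invalid KQL value: " + JSON.stringify(value));
  }
  return '"' + value + '"';
}

// ComplianceTag:<label>, optionally limited to a set of site URLs via Path.
function buildLabelQuery(label, siteUrls = []) {
  const tag = "ComplianceTag:" + kqlQuote(label);
  if (siteUrls.length === 0) return tag;
  const paths = siteUrls.map((u) => "Path:" + kqlQuote(u)).join(" OR ");
  return tag + " AND (" + paths + ")";
}

// Search REST URL. Each parameter is an OData string literal, so single
// quotes are doubled before the value is URL-encoded.
function buildSearchUrl(webUrl, kql, rowLimit = 50) {
  const literal = (s) => "'" + encodeURIComponent(s.replace(/'/g, "''")) + "'";
  return webUrl.replace(/\/+$/, "") + "/_api/search/query" +
    "?querytext=" + literal(kql) +
    "&selectproperties=" + literal("Title,Path,ComplianceTag,LastModifiedTime") +
    "&rowlimit=" + rowLimit;
}

// Flatten the Key/Value cells of an odata=nometadata response into objects.
function rowsFromResponse(json) {
  const table = json?.PrimaryQueryResult?.RelevantResults?.Table;
  return (table?.Rows ?? []).map((row) =>
    Object.fromEntries(row.Cells.map((c) => [c.Key, c.Value])));
}

// Constructed sample response, trimmed to the fields used above.
const sampleResponse = { PrimaryQueryResult: { RelevantResults: { Table: { Rows: [
  { Cells: [
    { Key: "Title", Value: "Budget.xlsx" },
    { Key: "Path", Value: "https://contoso.sharepoint.com/sites/groupa/Docs/Budget.xlsx" },
    { Key: "ComplianceTag", Value: "Final" },
  ] },
] } } } };
```

Search results are security-trimmed, so a query run as one user only confirms what that user can see; an empty result can mean the item is not indexed yet or simply not visible to the caller.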

Summary

So there you have it – basically a cheat to enable knowledge management using Security & Compliance capabilities. I think it’s truly powerful, as it transcends SharePoint alone and can work across Office 365 to a large degree, but I’m not sure if I’ve stumbled on something here which will fall apart if Microsoft makes changes to the way all this works. Stay tuned to this post and I’ll update it if I find out more.

8 Comments

      1. Nice solution Marc, thanks for sharing. I can think of lots of uses for this. Wonder if Microsoft will support tagging with multiple labels in future. Only being able to use a single label right now seems a bit limited.

  1. Hi,

    I am trying to set a default label for a SharePoint library through CSOM code but I am not able to do it. Do you have any idea or document which can help me to set the default label for a document library? I am able to set the label for a document through CSOM code, but one of my requirements is that I need to set a default label for the document library. Through the UI, I am able to do it, but I need to write code which will do it on demand. Any help?

  2. Thanks Marc. Do you know a way to read the Compliance Tag using SharePoint list rest api? I have documents labeled in a library. When I read the document metadata I don’t see either _ComplianceTag (internal name) or ComplianceTag work. Please suggest.
