Information about Managing Sensitivity Labels
Before removing/applying sensitivity labels to files/emails/sites in your SharePoint Online, OneDrive, Exchange Online, Microsoft 365 Groups, Microsoft Teams, and/or Microsoft Teams Chat migrations, refer to the following information to prepare and understand known issues.
General
This covers Exchange Online, Microsoft 365 Groups, Microsoft Teams Migration, and Microsoft Teams Chat Migration.
- If you use the service account authentication method in the source connection, make sure the service account is assigned as **super user**. Refer to for details.
- If you use the service account authentication method in the destination connection, make sure the destination sensitivity labels to be applied are published to the service account.
- If you only use the app profile authentication method in the destination connection, make sure the destination sensitivity labels of the **Assign permissions now** type are published to **All**.
- Destination sensitivity labels to be applied should exist in the destination tenant, and Fly removes and applies sensitivity labels according to the label display names.
- If you select the **Apply same label in the destination** option in the migration policy, make sure there are existing destination labels using the same display name as the source.
- If you select the **Apply labels in the destination based on label mappings** option to define label mappings, configure display names for each source and destination label mapping.
- There may be a time delay after a newly created sensitivity label is published. Therefore, we recommend you create and publish the destination sensitivity labels before the migration.
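
Because labels are matched on display name, a pre-flight comparison of the two tenants' label lists shows which source labels would have no destination counterpart. The following is an added example, not part of the Fly documentation or product: the function name, sample labels, and GUIDs are constructed, and treating case or whitespace differences as a mismatch is a conservative assumption about how names are compared.

```powershell
# Constructed sample data. In a real tenant, each list could be exported from
# Security & Compliance PowerShell with: Get-Label | Select-Object DisplayName, Guid
$sourceLabels = @(
    [pscustomobject]@{ DisplayName = 'Confidential';        Guid = '00000000-0000-0000-0000-00000000000a' }
    [pscustomobject]@{ DisplayName = 'Internal Only';       Guid = '00000000-0000-0000-0000-00000000000b' }
    [pscustomobject]@{ DisplayName = 'Highly Confidential'; Guid = '00000000-0000-0000-0000-00000000000c' }
    [pscustomobject]@{ DisplayName = 'Public';              Guid = '00000000-0000-0000-0000-00000000000d' }
)
$destinationLabels = @(
    [pscustomobject]@{ DisplayName = 'Confidential';         Guid = '00000000-0000-0000-0000-0000000000f1' }
    [pscustomobject]@{ DisplayName = 'Internal';             Guid = '00000000-0000-0000-0000-0000000000f2' }
    [pscustomobject]@{ DisplayName = 'highly confidential '; Guid = '00000000-0000-0000-0000-0000000000f3' }
)
# Explicit label mappings (source display name -> destination display name),
# mirroring the "based on label mappings" option. Constructed values.
$labelMappings = @{ 'Internal Only' = 'Internal' }

function Test-LabelDisplayNameCoverage {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Source,
        [Parameter(Mandatory)] [object[]] $Destination,
        [hashtable] $Mapping = @{}
    )
    foreach ($label in $Source) {
        # Use the mapped destination name if one is defined, else the same name.
        $target = $label.DisplayName
        if ($Mapping.ContainsKey($label.DisplayName)) { $target = $Mapping[$label.DisplayName] }

        # Exact (case-sensitive) match first, then a loose match to surface near misses.
        $exact = @($Destination | Where-Object { $_.DisplayName -ceq $target })
        $loose = @($Destination | Where-Object { $_.DisplayName.Trim() -ieq $target.Trim() })

        $status = 'MissingInDestination'
        if ($exact.Count -ge 1)     { $status = 'OK' }
        elseif ($loose.Count -ge 1) { $status = 'CaseOrWhitespaceMismatch' }

        [pscustomobject]@{
            SourceLabel       = $label.DisplayName
            ExpectedDestLabel = $target
            Status            = $status
        }
    }
}

Test-LabelDisplayNameCoverage -Source $sourceLabels -Destination $destinationLabels -Mapping $labelMappings |
    Format-Table -AutoSize
```

With the sample data, `Confidential` and the mapped `Internal Only` report `OK`, `Highly Confidential` reports `CaseOrWhitespaceMismatch`, and `Public` reports `MissingInDestination`.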
Exchange Online
This covers Exchange Online Migration and Group mailboxes of Groups/Teams in Microsoft 365 Groups/Microsoft Teams Migration.
- When you select to apply destination sensitivity labels to the migrated emails, the encryption settings of destination sensitivity labels must be the same as the source labels.
- When the **Assign permissions now or let users decide?** setting of the sensitivity label is **Let users assign permissions when they apply the label**, you need to configure a user mapping for the source user based on the display name. If you do not change the domain, you also need to select **Replace email addresses of senders/recipients based on user mappings** in the migration policy.
- If you select to keep the source sensitivity labels on the emails in the destination, the email addresses in source emails cannot be replaced in the destination.
- If you pin emails with sensitivity labels applied to the top and select to remove the source sensitivity labels from the emails, the emails cannot be pinned to the top in the destination after the migration due to Microsoft 365 API limitations.
- If users assign built-in archive and/or retention policies to emails with sensitivity labels applied, and you select to remove source sensitivity labels from the emails and apply destination sensitivity labels, the assigned built-in policies cannot be kept in the destination after the migration due to Microsoft 365 API limitations.
To manage sensitivity labels for emails, also note the following issues:
- The source content marking settings, including headers, footers, and watermarks, cannot be removed from files or emails due to Microsoft API limitations. In this case, though destination sensitivity labels are applied to the files and emails, the files and emails only have source content marking settings.
- Fly does not support removing or applying sensitivity labels that have the **Use Double Key Encryption** option selected.
- Sensitivity labels applied to the emails that are not encrypted cannot be migrated.
SharePoint Sites
This covers SharePoint Online Migration, OneDrive Migration, and sites of Groups/Teams/chat users in Microsoft 365 Groups/Microsoft Teams/Microsoft Teams Chat Migration.
- Before migrating PDF files with sensitivity labels applied, refer to the following steps to prepare for the migration:
1. Right-click **Windows PowerShell** and click **Run as administrator**. Enter the following command to connect to the SharePoint admin center.
   `Connect-SPOService -Url " "`
2. Enter the SharePoint central admin URL as the attribute value and press **Enter** on the keyboard. When the Microsoft sign-in page appears, sign in with a Microsoft 365 Global Administrator account to continue the execution.
3. Enter the following command and press **Enter** on the keyboard to enable sensitivity labels for PDF files.
   `Set-SPOTenant -EnableSensitivityLabelforPDF $true`
- Source sensitivity labels of the **Assign permissions now** type cannot be mapped to destination sensitivity labels of the **Let users assign permissions** type.
- For source sensitivity labels of the **Assign permissions now** type, Fly supports mapping the defined users based on user mappings or the **User principal name Prefix**/**Email address prefix** property.
- If Fly fails to apply destination sensitivity labels to destination sites, Fly will continue the migration job, and will report the error for the sites in the migration job report.
- If source sensitivity labels are newly applied or updated for source sites after a migration job, the updated **Sensitivity** setting of the source sites will not be carried over to the destination in the next incremental job.
- For sensitivity columns, the values of sensitivity columns are synced by Microsoft's backend. After the migration, there is no guarantee that the column values will be displayed. The names of labels of the **Assign permissions now** type may be displayed as the values in the column, while the names of labels of the **Let users assign permissions when they apply the label** type cannot be displayed.
- For PDF files with sensitivity labels applied, if the sensitivity labels are not displayed in the library where the files are stored, Fly cannot process the sensitivity labels in the migration.
- After the migration, the label classification may not be displayed in **Content explorer** immediately. Labels will be displayed when the Microsoft backend timer job is finished. Refer to for details.