
Use Semaphore for SharePoint Online

Sensitivity labels

  • Last Updated: May 1, 2026

A SharePoint sensitivity label classifies and protects content stored in SharePoint document libraries. This section describes how to use and configure sensitivity labels in Semaphore for SharePoint Online.

About SharePoint sensitivity labels

See the Microsoft documentation for more information about sensitivity labels.

PDF files

Microsoft Information Protection (MIP) is a framework designed to help organizations classify, label, and protect sensitive data across Microsoft 365 services. MIP has to be enabled for PDF files:

  1. Download an SPO Management Shell.

    1. If you already have an SPO Management Shell installed, verify that the version is at least 16.0.24009.12000 using this command in Windows PowerShell:

      Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

  2. Log in by executing this command in Windows PowerShell:

    Connect-SPOService -Url https://<tenant>-admin.sharepoint.com -ModernAuth $true

  3. After logging in, execute this command:

    Set-SPOTenant -EnableSensitivityLabelforPDF $True

  4. A successful login displays a message like this:

    [Image: the message that appears once MIP protection is enabled for PDF files.]

Note:

  • After enabling PDF support, it can take a few minutes before you can assign labels to PDF files.
  • MIP can also be enabled from Microsoft Purview. See the Microsoft documentation for more information.
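The three steps above can be run as one script that stops if the installed shell is too old and confirms the setting afterwards. This is an added example, not part of the Semaphore or Microsoft documentation; the `$Tenant` parameter is a placeholder, and reading the setting back through `Get-SPOTenant` assumes that cmdlet exposes a property with the same name.

```powershell
param(
    # Tenant name as it appears in https://<tenant>-admin.sharepoint.com (placeholder).
    [Parameter(Mandatory)] [string] $Tenant
)

$ErrorActionPreference = 'Stop'
$minVersion = [version]'16.0.24009.12000'   # minimum version stated on this page

# Step 1: find the newest installed SPO Management Shell and compare versions.
# Casting to [version] compares numerically, not as strings.
$module = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable |
    Sort-Object Version -Descending |
    Select-Object -First 1

if (-not $module) {
    throw 'SPO Management Shell is not installed.'
}
if ($module.Version -lt $minVersion) {
    throw "SPO Management Shell $($module.Version) is older than the required $minVersion."
}

# Step 2: load exactly the version that was checked, then sign in.
Import-Module -Name $module.Name -RequiredVersion $module.Version -DisableNameChecking
Connect-SPOService -Url "https://${Tenant}-admin.sharepoint.com" -ModernAuth $true

try {
    # Step 3: enable sensitivity labels for PDF files.
    Set-SPOTenant -EnableSensitivityLabelforPDF $true

    # Read the value back (assumption: Get-SPOTenant returns this property).
    if (-not (Get-SPOTenant).EnableSensitivityLabelforPDF) {
        throw 'EnableSensitivityLabelforPDF is still not set on the tenant.'
    }
    'Sensitivity labels for PDF files are enabled. Labels may take a few minutes to become assignable.'
}
finally {
    # Do not leave an admin session open in the console.
    Disconnect-SPOService
}
```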

Verify encryption for sensitivity labels is working

If you are using sensitivity labels configured with encryption, verify that encryption is working correctly by following these steps:

  1. Download a document with a sensitivity label that uses encryption.
  2. Attempt to open the document. You should see a message indicating that you either need to sign in, or that access to the document is restricted.

Configure an appropriate Microsoft Entra ID app registration to allow Semaphore access

Note:

You must be an Entra Administrator with permissions to the Entra tenancy/directory to make the changes described in this section.

  1. Log in to the Azure Portal.
  2. Click Microsoft Entra ID.
  3. On the sidebar, click App registrations.
  4. Click New registration.
  5. Complete the form and click Register.

Add permissions

After completing the registration, you can add permissions:

  1. On the sidebar, click API Permissions. For a description of the permissions, see Permission descriptions.
  2. Click Add a permission.
  3. On the sidebar, add Azure Rights Management Services permissions: click Azure Rights Management Services > Application permissions, then search for and add the Content.SuperUser and Content.Writer permissions.
  4. Next, add Microsoft Information Protection Sync permissions: click Add a permission > APIs my organization uses, then search for and select Microsoft Information Protection Sync Service.
  5. Click Application permissions.
  6. Search for and add the UnifiedPolicy.Tenant.Read permission.

Permission descriptions

Permission                | API                                          | Explanation
------------------------- | -------------------------------------------- | -----------
Content.SuperUser         | Azure Rights Management Services             | Required so that all protected content can be sent to Semaphore for classification.
Content.Writer            | Azure Rights Management Services             | Required to assign sensitivity labels. See the Microsoft documentation for more details.
UnifiedPolicy.Tenant.Read | Microsoft Information Protection Sync Service | Required to read tenant label policies.

Generate a new secret

After the permissions are set, generate a new secret. After the secret is generated, save the secret with the client ID and tenant ID.

To generate a new secret:

  1. On the sidebar, click Overview.
  2. On the sidebar, under Manage, click Certificates & Secrets.
  3. Click Client secrets.
  4. Click New client secret.
  5. In the right-hand sidebar, enter an easy-to-understand description (e.g. "Secret for 2025-2026").
  6. In the Expires text box, select a value. 365 days is the recommended value.
  7. Click Add. The Certificates & secrets page appears.
  8. Copy the client secret displayed in the Value column. It is used when you Configure PDC with app registration information.
    Important:

    The secret is displayed immediately after creation. Copy it before navigating away from the screen.
    [Image: Certificates and Secrets. Copy the client secret from the Certificates & Secrets page. The secret is used when configuring PDC.]

Configure PDC with app registration information

Note:

To complete the task in this section, the TenantAdministrator or TenantCoAdministrator security roles are required.

Once the app registration is complete, send this information to PDC using the PUT /api/tenant/mipconfig?spHost=<spHost> API call. This allows PDC to interact with Microsoft Purview Information Protection.

Notes:

  • The request body must include tenantId, clientId, and clientSecret.
  • clientId is the Application (client) ID value on the Overview page of the app registration.
  • clientSecret is the secret generated in Generate a new secret.
  • EnableSensitivityLabelforPDF is an optional parameter. To support setting the sensitivity label for PDF files for a specific SPO host, set this parameter to true in the site configuration for that host.

[Image: Use the PUT /api/tenant/mipconfig call to push the information to PDC.]
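One way to make the PUT call without leaving the client secret in a script file or in console history, followed by the GET call from "View a registration" to confirm the result. This is an added example, not PDC's own tooling: the function name, `$PdcBaseUrl`, and `$AuthHeaders` are hypothetical, the JSON body encoding is an assumption, and how you authenticate to PDC is left to the headers you supply.

```powershell
function Set-PdcMipConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]          $PdcBaseUrl,    # hypothetical: your PDC host
        [Parameter(Mandatory)] [string]       $SpHost,
        [Parameter(Mandatory)] [guid]         $TenantId,      # rejects malformed IDs early
        [Parameter(Mandatory)] [guid]         $ClientId,      # Application (client) ID
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [Parameter(Mandatory)] [hashtable]    $AuthHeaders    # assumption: caller supplies PDC auth
    )

    if ($PdcBaseUrl.Scheme -ne 'https') {
        throw 'Refusing to send a client secret over a non-HTTPS URL.'
    }

    $uri = '{0}/api/tenant/mipconfig?spHost={1}' -f `
        $PdcBaseUrl.AbsoluteUri.TrimEnd('/'), [uri]::EscapeDataString($SpHost)

    # The three fields the page requires. The secret is decrypted only here.
    $body = @{
        tenantId     = $TenantId.ToString()
        clientId     = $ClientId.ToString()
        clientSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    } | ConvertTo-Json

    try {
        Invoke-RestMethod -Method Put -Uri $uri -Headers $AuthHeaders `
            -ContentType 'application/json' -Body $body | Out-Null
    }
    finally {
        $body = $null   # drop the plaintext copy as soon as the request is done
    }

    # Read the stored registration back with the GET call.
    Invoke-RestMethod -Method Get -Uri $uri -Headers $AuthHeaders
}

# Usage with constructed placeholder values. The secret is typed at a prompt,
# so it never appears on the command line or in a saved script.
$secret = Read-Host -Prompt 'Client secret (Value column)' -AsSecureString
Set-PdcMipConfig -PdcBaseUrl 'https://pdc.example.invalid' `
    -SpHost 'contoso.sharepoint.com' `
    -TenantId '00000000-0000-0000-0000-000000000000' `
    -ClientId '11111111-1111-1111-1111-111111111111' `
    -ClientSecret $secret `
    -AuthHeaders @{ Authorization = '<PDC credential placeholder>' }
```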

Delete a registration

To delete an app registration configuration, use the DELETE /api/tenant/mipconfig?spHost=<spHost> API call.

View a registration

To view an app registration configuration, use the GET /api/tenant/mipconfig?spHost=<spHost> API call.

Classify MIP encrypted files

After configuring PDC with the app registration, classify SPO files encrypted with MIP.

Update sensitivity labels

If you have Microsoft Purview Information Protection in your SharePoint Online subscription, and have enabled support for it in PDC, then you will be able to set a library's sensitivity label based on classification results returned from Semaphore. You can set the classification setting by clicking the Edit button.

[Image: Update sensitivity labels in Semaphore for SharePoint Online by clicking Edit.]

Labels with access control

The process described on this page does not apply to labels that have access control enabled. The access control process requires specifying users who can access and view labeled items. Semaphore for SharePoint Online cannot do that currently.

Important considerations

If you plan to use Semaphore to set sensitivity labels, take the following into consideration:

  • The Semaphore Classification Server has to return the exact sensitivity label name.
  • The PDC integration only applies a MIP sensitivity label if an existing label is not applied.
  • PDC supports the same file types for sensitivity labels as Microsoft SharePoint Online. See Supported File Types in the Microsoft Documentation for additional information.