Applying sensitivity labels to groups - best practice and advice

Jon Kilner 61 Reputation points
2024-06-18T15:36:07.4433333+00:00

We have a very large tenant of many tens of thousands of users. I'm looking to apply sensitivity labels to about 50% of our user base, who are currently members of different security groups.

Reading online about how to deploy labels to groups of users, the compliance portal and msft learn say I can only assign label policies to M365 groups, mail enabled security groups and distribution lists - https://learn.microsoft.com/en-us/purview/sensitivity-labels#what-label-policies-can-do

Reading about group types https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide only M365 groups can have dynamic membership.

We want to apply labels to users that meet certain conditions, such as their department name or location matching a string.

We can't use our existing security groups as label policies can't be applied to them. Mail enabled security groups and distribution lists don't allow for dynamic members, which rules them out.

We could look at using M365 groups, but each group of users would need to be in their own M365 group as we don't want users using the group as a means of communication/collaboration. We'd also prefer not to have all the associated resources that get created with an M365 group.

It seems to me that the logic of applying labels to groups is wrong. Why would you allow a mail enabled security group to be allowed to have a label policy applied but not a security group.

Any advice would be greatly recieved

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,325 questions
Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,056 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 100K Reputation points MVP
    2024-06-18T16:27:05.24+00:00

    By design, Rights management/Sensitivity labels only works with mail-enabled recipients, hence the requirement for mail-enabled group. In your scenario, you might be able to use administrative units as scoping mechanism, they do allow for dynamic membership, in a manner very similar to Entra security groups. Here's the relevant documentation: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-members-dynamic


  2. PRADEEPCHEEKATLA-MSFT 85,351 Reputation points Microsoft Employee
    2024-06-24T08:25:19.2966667+00:00

    @Jon Kilner - Thanks for the question and using MS Q&A platform.

    Based on the information you provided, it looks like you are trying to apply sensitivity labels to a large number of users in your tenant, but you are having trouble finding the best way to do this.

    You are correct that sensitivity labels can only be applied to Microsoft 365 groups, mail-enabled security groups, and distribution lists. However, you mentioned that you cannot use your existing security groups as label policies cannot be applied to them, and mail-enabled security groups and distribution lists do not allow for dynamic members.

    One option you could consider is using dynamic groups in Azure AD to create groups of users based on certain conditions, such as department name or location matching a string. Dynamic groups are based on rules that you define, and they automatically add or remove members based on those rules. You can then apply sensitivity labels to these dynamic groups.

    Another option you could consider is using Microsoft 365 groups, but creating a separate group for each group of users you want to apply a sensitivity label to. You mentioned that you don't want users using the group as a means of communication/collaboration, but you can configure the group settings to prevent this. For example, you can set the group type to "Security" instead of "Unified", which will prevent the group from having a shared mailbox, calendar, or OneDrive.

    I understand that you would prefer not to have all the associated resources that get created with an M365 group, but keep in mind that you can choose which resources to create when you create the group. For example, you can choose not to create a shared mailbox or calendar.

    Regarding your question about why mail-enabled security groups can have a label policy applied but not security groups, I'm not sure about the reasoning behind this decision. However, it's worth noting that mail-enabled security groups are designed specifically for email distribution, while security groups are designed for granting access to resources.

    Yes, you are correct that Microsoft 365 groups have a limit of 100,000 members. This should be more than enough for your needs, as you mentioned. However, it's worth noting that some Microsoft 365 applications may have their own limits on the number of members that can be added to a group. For example, Microsoft Teams has a limit of 5,000 members per team, and a limit of 2,500 concurrent users in a meeting.

    As for sensitivity labels, there are no specific limits on the number of members in a Microsoft 365 group that has a sensitivity label applied to it. However, keep in mind that applying a sensitivity label to a large group may impact performance, especially if the group is used frequently.

    Hope this helps. Do let us know if you any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.