Applying sensitivity labels to groups - best practice and advice

Jon Kilner 86 Reputation points
2024-06-18T15:36:07.4433333+00:00

We have a very large tenant of many tens of thousands of users. I'm looking to apply sensitivity labels to about 50% of our user base, who are currently members of different security groups.

Reading online about how to deploy labels to groups of users, the compliance portal and msft learn say I can only assign label policies to M365 groups, mail enabled security groups and distribution lists - https://learn.microsoft.com/en-us/purview/sensitivity-labels#what-label-policies-can-do

Reading about group types https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide only M365 groups can have dynamic membership.

We want to apply labels to users that meet certain conditions, such as their department name or location matching a string.

We can't use our existing security groups as label policies can't be applied to them. Mail enabled security groups and distribution lists don't allow for dynamic members, which rules them out.

We could look at using M365 groups, but each group of users would need to be in their own M365 group as we don't want users using the group as a means of communication/collaboration. We'd also prefer not to have all the associated resources that get created with an M365 group.

It seems to me that the logic of applying labels to groups is wrong. Why would you allow a mail enabled security group to have a label policy applied, but not a security group?

Any advice would be greatly received.


3 answers

  1. Vasil Michev 118.9K Reputation points MVP Volunteer Moderator
    2024-06-18T16:27:05.24+00:00

    By design, Rights management/Sensitivity labels only works with mail-enabled recipients, hence the requirement for mail-enabled group. In your scenario, you might be able to use administrative units as scoping mechanism, they do allow for dynamic membership, in a manner very similar to Entra security groups. Here's the relevant documentation: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-members-dynamic

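To make the administrative-unit suggestion above concrete, here is an added example (my own, not code from Microsoft or from this thread) that builds a dynamic membership rule from department/city conditions like the ones in the question, previews locally which accounts the rule would pull in before it is switched on, and shapes the request body for creating the AU. The operator subset, the case-insensitive comparison and the Graph field names are assumptions to confirm against the linked documentation; nothing here talks to a tenant.

```python
import re
# Subset of Entra dynamic-membership operators modelled here (assumption: comparisons
# are case-insensitive; -match, -in and -contains are not modelled).
_OPS = {
    "-eq": lambda a, b: a.casefold() == b.casefold(),
    "-ne": lambda a, b: a.casefold() != b.casefold(),
    "-startsWith": lambda a, b: a.casefold().startswith(b.casefold()),
}
_CLAUSE = re.compile(r'\(user\.(\w+) (-\w+) "([^"]*)"\)')

def build_rule(conditions, join="-or"):
    """[(attribute, operator, value), ...] -> '(user.department -eq "Finance") -or ...'."""
    if join not in ("-or", "-and"):
        raise ValueError("join must be -or or -and")
    parts = []
    for attr, op, value in conditions:
        if op not in _OPS or '"' in value:  # refuse rather than guess at quote escaping
            raise ValueError(f"unsupported clause: {attr} {op} {value!r}")
        parts.append(f'(user.{attr} {op} "{value}")')
    return f" {join} ".join(parts)

def preview_members(rule, users):
    """UPNs that a build_rule() rule would pull in; an unset attribute never matches."""
    clauses = [_CLAUSE.fullmatch(p) for p in re.split(r" -(?:or|and) ", rule)]
    if not all(clauses):
        raise ValueError("rule is not in the shape build_rule() produces")
    combine = all if " -and " in rule else any
    return [
        u["userPrincipalName"] for u in users
        if combine(u.get(m[1]) is not None and _OPS[m[2]](u[m[1]], m[3]) for m in clauses)
    ]

def au_request_body(display_name, rule):
    """Body for POST /directory/administrativeUnits (Microsoft Graph administrativeUnit
    fields; assumption: confirm names against the admin-units-members-dynamic doc)."""
    return {
        "displayName": display_name,
        "membershipType": "Dynamic",
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",  # "Paused" stages the rule without evaluating it
    }

# Constructed sample accounts, not real tenant data.
SAMPLE_USERS = [
    {"userPrincipalName": "a@contoso.example", "department": "Finance", "city": "London"},
    {"userPrincipalName": "b@contoso.example", "department": "Sales", "city": "Leeds"},
    {"userPrincipalName": "c@contoso.example", "department": "finance ops", "city": "Paris"},
    {"userPrincipalName": "d@contoso.example", "city": "London"},  # department unset
]
```

Previewing with `preview_members` first is the cheap way to catch a rule that is broader than intended before the label policy scoped to that AU reaches the wrong people.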

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  3. Marc Panton 0 Reputation points
    2025-01-27T09:21:39.07+00:00

    @Jon Kilner - You are responding to a GPT bot. Evidence: "I apologize for the confusion in my previous response. You are correct that..."

    Proof: Go to your fav ChatGPT interface and ask a question, then tell it the answer is wrong.

    #MSFTShambles

