Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory
Azure Active Directory (Azure AD), part of Microsoft Entra, supports applying sensitivity labels published by the Microsoft Purview compliance portal to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see Microsoft 365 support for sensitivity labels.
To configure this feature, there must be at least one active Azure Active Directory Premium P1 license in your Azure AD organization.
Enable sensitivity label support in PowerShell
To apply published labels to groups, you must first enable the feature. These steps enable the feature in Azure AD.
Open a Windows PowerShell window on your computer. You can open it without elevated privileges.
Run the following commands to prepare to run the cmdlets.
Install-Module AzureADPreview Import-Module AzureADPreview AzureADPreview\Connect-AzureAD
In the Sign in to your account page, enter your admin account and password to connect you to your service, and select Sign in.
Fetch the current group settings for the Azure AD organization and display the current group settings.
$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ) $Setting = $grpUnifiedSetting $grpUnifiedSetting.Values
If no group settings have been created for this Azure AD organization, you will get an empty screen. In this case, you must first create the settings. Follow the steps in Azure Active Directory cmdlets for configuring group settings to create group settings for this Azure AD organization.
If the sensitivity label has been enabled previously, you will see EnableMIPLabels = True. In this case, you do not need to do anything.
Enable the feature:
$Setting["EnableMIPLabels"] = "True"
Check the new applied value:
Save the changes and apply the settings:
Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
If you’re receiving a Request_BadRequest error, it's because the settings already exist in the tenant, so when you try to create a new property:value pair, the result is an error. In this case, take the following steps:
- Repeat steps 1-4 from Enable sensitivity label support in PowerShell.
- Issue a
Get-AzureADDirectorySetting | FLcmdlet and check the ID. If several ID values are present, use the one where you see the EnableMIPLabels property on the Values settings. You will need the ID in step 4.
- Set the EnableMIPLabels property variable:
$Setting["EnableMIPLabels"] = "True"
- Issue the
Set-AzureADDirectorySetting -DirectorySetting $Setting -IDcmdlet, using the ID that you retrieved in step 2.
- Ensure that the value is now correctly updated by issuing
You will also need to synchronize your sensitivity labels to Azure AD. For instructions, see How to enable sensitivity labels for containers and synchronize labels.
Assign a label to a new group in Azure portal
Sign in to the Azure AD admin center.
Select Groups, and then select New group.
On the New Group page, select Office 365, and then fill out the required information for the new group and select a sensitivity label from the list.
Save your changes and select Create.
Your group is created and the site and group settings associated with the selected label are then automatically enforced.
Assign a label to an existing group in Azure portal
Sign in to the Azure AD admin center with a Groups admin account, or as a group owner.
From the All groups page, select the group that you want to label.
On the selected group's page, select Properties and select a sensitivity label from the list.
Select Save to save your changes.
Remove a label from an existing group in Azure portal
- Sign in to the Azure AD admin center with a Global Administrator or Groups admin account, or as a group owner.
- Select Groups.
- From the All groups page, select the group that you want to remove the label from.
- On the Group page, select Properties.
- Select Remove.
- Select Save to apply your changes.
Using classic Azure AD classifications
After you enable this feature, the “classic” classifications for groups will appear only existing groups and sites, and you should use them for new groups only if creating groups in apps that don’t support sensitivity labels. Your admin can convert them to sensitivity labels later if needed. Classic classifications are the old classifications you set up by defining values for the
ClassificationList setting in Azure AD PowerShell. When this feature is enabled, those classifications will not be applied to groups.
Sensitivity labels are not available for assignment on a group
The sensitivity label option is only displayed for groups when all the following conditions are met:
- Labels are published in the Microsoft Purview compliance portal for this Azure AD organization.
- The feature is enabled, EnableMIPLabels is set to True in from the Azure AD PowerShell module.
- Labels are synchronized to Azure AD with the Execute-AzureAdLabelSync cmdlet in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the label to be available to Azure AD.
- The group is a Microsoft 365 group.
- The organization has an active Azure Active Directory Premium P1 license.
- The sensitivity label scope must be configured for Groups & Sites.
- The current signed-in user has sufficient privileges to assign labels. The user must be either a Global Administrator, Group Administrator, or the group owner.
- The current signed-in user must be within the scope of the sensitivity label publishing policy
Please make sure all the conditions are met in order to assign labels to a group.
The label I want to assign is not in the list
If the label you are looking for is not in the list, this could be the case for one of the following reasons:
- The label might not be published in the Microsoft Purview compliance portal. This could also apply to labels that are no longer published. Please check with your administrator for more information.
- The label may be published, however, it is not available to the user that is signed-in. Please check with your administrator for more information on how to get access to the label.
How to change the label on a group
Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows:
- Sign in to the Azure AD admin center with a Global or Group administrator account or as group owner.
- Select Groups.
- From the All groups page, select the group that you want to label.
- On the selected group's page, select Properties and select a new sensitivity label from the list.
- Select Save.
Group setting changes to published labels aren't updated on the groups
When you make changes to group settings for a published label in the Microsoft Purview compliance portal, those policy changes aren't automatically applied on the labeled groups. Once the sensitivity label is published and applied to groups, Microsoft recommend that you not change the group settings for the label in the Microsoft Purview compliance portal.
If you must make a change, use an Azure AD PowerShell script to manually apply updates to the impacted groups. This method makes sure that all existing groups enforce the new setting.