Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory

Azure Active Directory (Azure AD), part of Microsoft Entra, supports applying sensitivity labels published by the Microsoft Purview compliance portal to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see Microsoft 365 support for sensitivity labels.

Important

To configure this feature, there must be at least one active Azure Active Directory Premium P1 license in your Azure AD organization.

Enable sensitivity label support in PowerShell

To apply published labels to groups, you must first enable the feature. These steps enable the feature in Azure AD.

  1. Open a Windows PowerShell window on your computer. You can open it without elevated privileges.

  2. Run the following commands to prepare to run the cmdlets.

    Install-Module AzureADPreview
    Import-Module AzureADPreview
    AzureADPreview\Connect-AzureAD
    

    In the Sign in to your account page, enter your admin account and password to connect you to your service, and select Sign in.

  3. Fetch the current group settings for the Azure AD organization and display the current group settings.

    $grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
    $Setting = $grpUnifiedSetting
    $grpUnifiedSetting.Values
    

    Note

    If no group settings have been created for this Azure AD organization, you will get an empty screen. In this case, you must first create the settings. Follow the steps in Azure Active Directory cmdlets for configuring group settings to create group settings for this Azure AD organization.

    Note

    If the sensitivity label has been enabled previously, you will see EnableMIPLabels = True. In this case, you do not need to do anything.

  4. Enable the feature:

    $Setting["EnableMIPLabels"] = "True"
    
  5. Check the new applied value:

    $Setting.Values
    
  6. Save the changes and apply the settings:

    Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
    

If you’re receiving a Request_BadRequest error, it's because the settings already exist in the tenant, so when you try to create a new property:value pair, the result is an error. In this case, take the following steps:

  1. Repeat steps 1-4 from Enable sensitivity label support in PowerShell.
  2. Issue a Get-AzureADDirectorySetting | FL cmdlet and check the ID. If several ID values are present, use the one where you see the EnableMIPLabels property on the Values settings. You will need the ID in step 4.
  3. Set the EnableMIPLabels property variable: $Setting["EnableMIPLabels"] = "True"
  4. Issue the Set-AzureADDirectorySetting -DirectorySetting $Setting -ID cmdlet, using the ID that you retrieved in step 2.
  5. Ensure that the value is now correctly updated by issuing $Setting.Values again.

You will also need to synchronize your sensitivity labels to Azure AD. For instructions, see How to enable sensitivity labels for containers and synchronize labels.

Assign a label to a new group in Azure portal

  1. Sign in to the Azure AD admin center.

  2. Select Groups, and then select New group.

  3. On the New Group page, select Office 365, and then fill out the required information for the new group and select a sensitivity label from the list.

    Assign a sensitivity label in the New groups page

  4. Save your changes and select Create.

Your group is created and the site and group settings associated with the selected label are then automatically enforced.

Assign a label to an existing group in Azure portal

  1. Sign in to the Azure AD admin center with a Groups admin account, or as a group owner.

  2. Select Groups.

  3. From the All groups page, select the group that you want to label.

  4. On the selected group's page, select Properties and select a sensitivity label from the list.

    Assign a sensitivity label on the overview page for a group

  5. Select Save to save your changes.

Remove a label from an existing group in Azure portal

  1. Sign in to the Azure AD admin center with a Global admin or Groups admin account, or as a group owner.
  2. Select Groups.
  3. From the All groups page, select the group that you want to remove the label from.
  4. On the Group page, select Properties.
  5. Select Remove.
  6. Select Save to apply your changes.

Using classic Azure AD classifications

After you enable this feature, the “classic” classifications for groups will appear only existing groups and sites, and you should use them for new groups only if creating groups in apps that don’t support sensitivity labels. Your admin can convert them to sensitivity labels later if needed. Classic classifications are the old classifications you set up by defining values for the ClassificationList setting in Azure AD PowerShell. When this feature is enabled, those classifications will not be applied to groups.

Troubleshooting issues

Sensitivity labels are not available for assignment on a group

The sensitivity label option is only displayed for groups when all the following conditions are met:

  1. Labels are published in the Microsoft Purview compliance portal for this Azure AD organization.
  2. The feature is enabled, EnableMIPLabels is set to True in from the Azure AD PowerShell module.
  3. Labels are synchronized to Azure AD with the Execute-AzureAdLabelSync cmdlet in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the label to be available to Azure AD.
  4. The group is a Microsoft 365 group.
  5. The organization has an active Azure Active Directory Premium P1 license.
  6. The sensitivity label scope must be configured for Groups & Sites.
  7. The current signed-in user has sufficient privileges to assign labels. The user must be either a Global Administrator, Group Administrator, or the group owner.
  8. The current signed-in user must be within the scope of the sensitivity label publishing policy

Please make sure all the conditions are met in order to assign labels to a group.

The label I want to assign is not in the list

If the label you are looking for is not in the list, this could be the case for one of the following reasons:

  • The label might not be published in the Microsoft Purview compliance portal. This could also apply to labels that are no longer published. Please check with your administrator for more information.
  • The label may be published, however, it is not available to the user that is signed-in. Please check with your administrator for more information on how to get access to the label.

How to change the label on a group

Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows:

  1. Sign in to the Azure AD admin center with a Global or Group administrator account or as group owner.
  2. Select Groups.
  3. From the All groups page, select the group that you want to label.
  4. On the selected group's page, select Properties and select a new sensitivity label from the list.
  5. Select Save.

Group setting changes to published labels aren't updated on the groups

When you make changes to group settings for a published label in the Microsoft Purview compliance portal, those policy changes aren't automatically applied on the labeled groups. Once the sensitivity label is published and applied to groups, Microsoft recommend that you not change the group settings for the label in the Microsoft Purview compliance portal.

If you must make a change, use an Azure AD PowerShell script to manually apply updates to the impacted groups. This method makes sure that all existing groups enforce the new setting.

Next steps