Sensitivity labels can be applied to groups across apps and services such as Outlook, Microsoft Teams, and SharePoint. For more information, see Support for sensitivity labels from the Purview documentation.
Important
To configure this feature, there must be at least one active Microsoft Entra ID P1 license in your Microsoft Entra organization.
Enable sensitivity label support in PowerShell
To apply published labels to groups, you must first enable the feature. These steps enable the feature in Microsoft Entra ID. The Microsoft Graph PowerShell SDK comes in two modules, Microsoft.Graph and Microsoft.Graph.Beta.
All Microsoft operated regions should choose Microsoft. All other regions should choose their operator if one is listed.
If no group settings were created for this Microsoft Entra organization, you get an empty screen. In this case, you must first create the settings. Follow the steps in Microsoft Entra cmdlets for configuring group settings to create group settings for this Microsoft Entra organization.
Note
If the sensitivity label was enabled previously, you see EnableMIPLabels = True. In this case, you don't need to do anything. Also make sure that EnableGroupCreation = False if you don't want non-admin users to be able to create groups. See Template settings for details.
Apply the new settings.
PowerShell
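# Build the request body: only the EnableMIPLabels value is changed.
$params = @{
    Values = @(
        @{
            Name  = "EnableMIPLabels"
            Value = "True"
        }
    )
}

# $grpUnifiedSetting is the group settings object retrieved in the earlier step.
Update-MgBetaDirectorySetting -DirectorySettingId $grpUnifiedSetting.Id -BodyParameter $params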
If you receive a Request_BadRequest error, it's because the settings already exist in the tenant. When you try to create a new property:value pair, the result is an error. In this case, follow these steps:
Issue a Get-MgBetaDirectorySetting | FL cmdlet and check the ID. If several ID values are present, use the one where you see the EnableMIPLabels property on the Values settings.
Issue the Update-MgBetaDirectorySetting cmdlet by using the ID that you retrieved.
If you are performing these Microsoft 365 operations from 21Vianet:
Register a Microsoft Entra ID application in Microsoft Entra ID.
Grant your application API permissions to access Microsoft Graph, including Directory.ReadWrite.All and Group.ReadWrite.All. You may need to get the tenant admin's explicit consent to grant the application access to Microsoft Graph.
Generate a client secret and copy it. You need the client secret to connect to Microsoft Graph.
If no group settings were created for this Microsoft Entra organization, you get an empty screen. In this case, you must first create the settings. Follow the steps in Microsoft Entra cmdlets for configuring group settings to create group settings for this Microsoft Entra organization.
Note
If the sensitivity label was enabled previously, you see EnableMIPLabels = True. In this case, you don't need to do anything. Also make sure that EnableGroupCreation = False if you don't want non-admin users to be able to create groups. See Template settings for details.
Apply the new settings.
PowerShell
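# Build the request body: only the EnableMIPLabels value is changed.
$params = @{
    Values = @(
        @{
            Name  = "EnableMIPLabels"
            Value = "True"
        }
    )
}

# $grpUnifiedSetting is the group settings object retrieved in the earlier step.
Update-MgBetaDirectorySetting -DirectorySettingId $grpUnifiedSetting.Id -BodyParameter $params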
If you receive a Request_BadRequest error, it's because the settings already exist in the tenant. When you try to create a new property:value pair, the result is an error. In this case, follow these steps:
Issue a Get-MgBetaDirectorySetting | FL cmdlet and check the ID. If several ID values are present, use the one where you see the EnableMIPLabels property on the Values settings.
Issue the Update-MgBetaDirectorySetting cmdlet by using the ID that you retrieved.
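The check-then-update flow from both procedures above, including the Request_BadRequest case where several settings objects exist, written as one function. This is an added example, not code from the original page; it assumes an existing Connect-MgGraph session with Directory.ReadWrite.All and the Microsoft.Graph.Beta module, and the function name Enable-GroupMipLabels is hypothetical.

```powershell
# Added example (not from the original page). Assumes Connect-MgGraph has already
# been run with Directory.ReadWrite.All. Function name is hypothetical.
function Enable-GroupMipLabels {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Several settings objects can exist; use the one whose Values
    # actually carry the EnableMIPLabels property.
    $setting = @(Get-MgBetaDirectorySetting |
        Where-Object { $_.Values.Name -contains 'EnableMIPLabels' })

    if ($setting.Count -eq 0) {
        throw 'No directory setting exposes EnableMIPLabels. Create the group settings first.'
    }
    if ($setting.Count -gt 1) {
        throw "More than one setting exposes EnableMIPLabels: $($setting.Id -join ', ')"
    }
    $setting = $setting[0]

    # Index the current values by name so they can be reported.
    $current = @{}
    foreach ($v in $setting.Values) { $current[$v.Name] = $v.Value }
    $alreadyOn = $current['EnableMIPLabels'] -eq 'True'

    if (-not $alreadyOn) {
        # Send back the full value list with only EnableMIPLabels changed, so the
        # result does not depend on how the service merges a partial list.
        $values = foreach ($v in $setting.Values) {
            $val = $v.Value
            if ($v.Name -eq 'EnableMIPLabels') { $val = 'True' }
            @{ Name = $v.Name; Value = $val }
        }
        if ($PSCmdlet.ShouldProcess($setting.Id, 'Set EnableMIPLabels = True')) {
            Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id `
                -BodyParameter @{ Values = @($values) }
        }
    }

    # Report the two values the note above calls out.
    [pscustomobject]@{
        SettingId           = $setting.Id
        EnableMIPLabelsWas  = $current['EnableMIPLabels']
        EnableGroupCreation = $current['EnableGroupCreation']
        UpdateAttempted     = -not $alreadyOn
    }
}
```

Run it with -WhatIf first to see which settings ID would be updated without changing anything.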
On the All groups page, select the group that you want to remove the label from.
On the Group page, select Properties.
Select Remove.
Select Save to apply your changes.
Use classic Microsoft Entra classifications
After you enable this feature, the "classic" classifications for groups appear only on existing groups and sites. You should use them for new groups only if you create groups in apps that don't support sensitivity labels. Your admin can convert them to sensitivity labels later, if needed. Classic classifications are the old classifications you set up by defining values for the ClassificationList setting in Azure AD PowerShell. When this feature is enabled, those classifications aren't applied to groups.
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
Troubleshooting issues
This section offers troubleshooting tips for common issues.
Sensitivity labels aren't available for assignment on a group
The sensitivity label option appears for groups only when all the following conditions are met:
The organization has an active Microsoft Entra ID P1 license.
The feature is enabled and EnableMIPLabels is set to True in the Microsoft Graph PowerShell module.
The sensitivity labels are published in the Microsoft Purview portal or the Microsoft Purview compliance portal for this Microsoft Entra organization.
Labels are synchronized to Microsoft Entra ID with the Execute-AzureAdLabelSync cmdlet in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the label to be available to Microsoft Entra ID.
Make sure all the preceding conditions are met to assign labels to a group.
The label you want to assign isn't in the list
If the label you're looking for isn't in the list:
The label might not be published in the Microsoft Purview portal or the Microsoft Purview compliance portal. Also, the label might no longer be published. Check with your administrator for more information.
The label might be published, but it isn't available to the user who is signed in. Check with your administrator for more information on how to get access to the label.
Change the label on a group
Labels can be swapped at any time by using the same steps as assigning a label to an existing group:
Select Groups > All groups, and then select the group that you want to label.
On the selected group's page, select Properties and select a new sensitivity label from the list.
Select Save.
Group setting changes to published labels aren't updated on the groups
When you make changes to group settings for a published label in the Microsoft Purview portal or the Microsoft Purview compliance portal, those policy changes aren't automatically applied on the labeled groups. After the sensitivity label is published and applied to groups, Microsoft recommends that you don't change the group settings for the label in the portal.
If you must make a change, use a PowerShell script to manually apply updates to the affected groups. This method makes sure that all existing groups enforce the new setting.
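One way to script that manual update, shown as an added example that is not part of the original page. It uses group privacy as the illustrative label setting, which is an assumption, as are the function name Sync-LabeledGroupPrivacy and its parameters; it requires a Connect-MgGraph session with Group.ReadWrite.All.

```powershell
# Added example (not from the original page). Privacy is used as the illustrative
# label-driven group setting; the function and parameter names are hypothetical.
function Sync-LabeledGroupPrivacy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # GUID of the published sensitivity label whose group settings changed.
        [Parameter(Mandatory)][guid]$LabelId,
        # Privacy value the label now requires.
        [Parameter(Mandatory)][ValidateSet('Public', 'Private')][string]$ExpectedVisibility
    )

    # assignedLabels is returned only when it is requested explicitly.
    $groups = Get-MgGroup -All -Property 'id,displayName,visibility,assignedLabels'

    foreach ($g in $groups) {
        # Skip groups that do not carry the label in question.
        if ($g.AssignedLabels.LabelId -notcontains $LabelId.ToString()) { continue }

        $drifted = $g.Visibility -ne $ExpectedVisibility
        $updated = $false

        if ($drifted -and
            $PSCmdlet.ShouldProcess($g.DisplayName, "Set visibility to $ExpectedVisibility")) {
            Update-MgGroup -GroupId $g.Id -Visibility $ExpectedVisibility
            $updated = $true
        }

        # One record per labeled group, so the output doubles as an audit trail.
        [pscustomobject]@{
            GroupId     = $g.Id
            DisplayName = $g.DisplayName
            WasValue    = $g.Visibility
            Expected    = $ExpectedVisibility
            Drifted     = $drifted
            Updated     = $updated
        }
    }
}
```

Running it with -WhatIf lists every labeled group and whether it has drifted, without writing any change.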