Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory
Azure Active Directory (Azure AD) supports applying sensitivity labels published by the Microsoft 365 compliance center to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see Microsoft 365 support for sensitivity labels.
To configure this feature, there must be at least one active Azure Active Directory Premium P1 license in your Azure AD organization.
Enable sensitivity label support in PowerShell
To apply published labels to groups, you must first enable the feature. These steps enable the feature in Azure AD.
Open a Windows PowerShell window on your computer. You can open it without elevated privileges.
Run the following commands to prepare to run the cmdlets.
Import-Module AzureADPreview Connect-AzureAD
In the Sign in to your account page, enter your admin account and password to connect you to your service, and select Sign in.
Fetch the current group settings for the Azure AD organization.
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
If no group settings have been created for this Azure AD organization you will get an error in the above cmdlet that reads "Cannot bind argument to parameter 'Id' because it is null". In this case you must first create the settings. Follow the steps in Azure Active Directory cmdlets for configuring group settings to create group settings for this Azure AD organization.
Next, display the current group settings.
Then enable the feature:
$Setting["EnableMIPLabels"] = "True"
Then save the changes and apply the settings:
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
You will also need to synchronize your sensitivity labels to Azure AD. For instructions, see How to enable sensitivity labels for containers and synchronize labels.
Assign a label to a new group in Azure portal
Sign in to the Azure AD admin center.
Select Groups, and then select New group.
On the New Group page, select Office 365, and then fill out the required information for the new group and select a sensitivity label from the list.
Save your changes and select Create.
Your group is created and the site and group settings associated with the selected label are then automatically enforced.
Assign a label to an existing group in Azure portal
Sign in to the Azure AD admin center with a Groups admin account, or as a group owner.
From the All groups page, select the group that you want to label.
On the selected group's page, select Properties and select a sensitivity label from the list.
Select Save to save your changes.
Remove a label from an existing group in Azure portal
- Sign in to the Azure AD admin center with a Global admin or Groups admin account, or as a group owner.
- Select Groups.
- From the All groups page, select the group that you want to remove the label from.
- On the Group page, select Properties.
- Select Remove.
- Select Save to apply your changes.
Using classic Azure AD classifications
After you enable this feature, the “classic” classifications for groups will appear only existing groups and sites, and you should use them for new groups only if creating groups in apps that don’t support sensitivity labels. Your admin can convert them to sensitivity labels later if needed. Classic classifications are the old classifications you set up by defining values for the
ClassificationList setting in Azure AD PowerShell. When this feature is enabled, those classifications will not be applied to groups.
Sensitivity labels are not available for assignment on a group
The sensitivity label option is only displayed for groups when all the following conditions are met:
- Labels are published in the Microsoft 365 Compliance Center for this Azure AD organization.
- The feature is enabled, EnableMIPLabels is set to True in from the Azure AD PowerShell module.
- Lables are synchronized to Azure AD with the Execute-AzureAdLabelSync cmdlet in the Security & Compliance PowerShell module.
- The group is a Microsoft 365 group.
- The organization has an active Azure Active Directory Premium P1 license.
- The current signed-in user has sufficient privileges to assign labels. The user must be either a Global Administrator, Group Administrator, or the group owner.
Please make sure all the conditions are met in order to assign labels to a group.
The label I want to assign is not in the list
If the label you are looking for is not in the list, this could be the case for one of the following reasons:
- The label might not be published in the Microsoft 365 Compliance Center. This could also apply to labels that are no longer published. Please check with your administrator for more information.
- The label may be published, however, it is not available to the user that is signed-in. Please check with your administrator for more information on how to get access to the label.
How to change the label on a group
Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows:
- Sign in to the Azure AD admin center with a Global or Group administrator account or as group owner.
- Select Groups.
- From the All groups page, select the group that you want to label.
- On the selected group's page, select Properties and select a new sensitivity label from the list.
- Select Save.
Group setting changes to published labels are not updated on the groups
As a best practice, we don't recommend that you change group settings for a label after the label is applied to groups. When you make changes to group settings associated with published labels in Microsoft 365 compliance center, those policy changes aren't automatically applied on the impacted groups.
If you must make a change, use an Azure AD PowerShell script to manually apply updates to the impacted groups. This method makes sure that all existing groups enforce the new setting.