Sensitivity Labels for Microsoft 365 Groups

Many organizations are required to comply with information protection standards, whether mandated by law, executive order, or their own policies. To address this demand, Microsoft has developed Sensitivity Labels, which are managed from the Microsoft 365 Compliance Center.

This guide assists administrators in configuring an M365 tenant to enable Sensitivity Labels for Microsoft 365 Groups (also called Modern Groups, M365 Groups, O365 Groups, or Unified Groups).

Note: To leverage Sensitivity Labels for M365 Groups, an Azure Active Directory Premium P1 license must be present within the tenant. It does not have to be assigned to a specific user.

Validate Sensitivity Labels for M365 Groups are Enabled

We must first ensure that sensitivity labels are enabled within the tenant. If this setting has not been enabled, the group creation screen in Azure AD offers no Sensitivity label field when you attempt to create an M365 group.

To verify or enable sensitivity labels for M365 groups, connect to the tenant's Azure AD instance via PowerShell. The AzureADPreview module is a Windows PowerShell (5.1) module; scoping the execution policy change to the current user avoids an elevated shell and a machine-wide change. Use the following commands to first establish a connection to the tenant:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Install-Module AzureADPreview -Force

Import-Module AzureADPreview

Connect-AzureAD

Next, obtain the current tenant-level group settings object (the one created from the Group.Unified template) and list its values:

$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }

$Setting.Values


Note: If group settings have never been configured for the tenant, no Group.Unified settings object exists yet. The command above then returns nothing, and any attempt to look the object up by Id fails with an error. In that case you must first create the group settings object for the Azure AD tenant. See Appendix A for instructions on how to perform this task.

If the EnableMIPLabels setting has a value of False, then Sensitivity Labels are not enabled. Note that setting values are stored as strings, so the value is assigned as "True" rather than $true. To enable sensitivity labels for M365 groups, execute the following commands:

$Setting["EnableMIPLabels"] = "True"

Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Note: Sensitivity labels must be scoped to protect Groups. This is accomplished within the Microsoft 365 Compliance Center. To view how to scope sensitivity label protection for groups see Appendix B.

Conclusion

Now that Sensitivity Labels have been enabled for M365 Groups, the option to apply a Sensitivity Label appears when creating or editing a group, both in the Azure AD admin center and in the Microsoft 365 Admin Center. Only labels that are scoped to Groups & sites (Appendix B) and that have been published to the signed-in administrator through a label policy are offered in that list.

Appendix A – Configure Group Settings for Azure AD Tenant

Ensure that a connection has been established to the Azure AD instance for the tenant (skip the first three commands if the module is already installed and imported):

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Install-Module AzureADPreview -Force

Import-Module AzureADPreview

Connect-AzureAD

Next, obtain the Group.Unified settings template and create a new settings object from it:

$Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }

$Setting = $Template.CreateDirectorySetting()

To view the template's settings and their default values, output the $Template variable through Format-List:

$Template | Format-List


Having created the settings object, we can now update values within it. Of specific importance are the following settings:

  • UsageGuidelinesUrl: This should point to the URL which outlines the appropriate usage of M365 Groups.
  • EnableMIPLabels: This is the setting which enables Sensitivity Labels.

Run the following commands to configure the specific setting values (the URL below is a placeholder; substitute your organization's own guidelines page):

$Setting["UsageGuidelinesUrl"] = "https://guideline.lab5.int"

$Setting["EnableMIPLabels"] = "True"

Finally, create the tenant's Group.Unified settings object from the populated template (New-AzureADDirectorySetting fails if one already exists; in that case use Set-AzureADDirectorySetting as shown in the main body of this guide):

New-AzureADDirectorySetting -DirectorySetting $Setting

To view the now configured settings for the tenant, run the following commands:

$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }

$Setting.Values
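The validation steps in the main body and the creation steps in this appendix are two branches of one decision: does a Group.Unified settings object already exist, and does it have EnableMIPLabels set? The following script, added here as an example and not part of the original guide, handles both branches idempotently and then re-reads the setting from the directory to confirm the change took effect. It assumes Connect-AzureAD has already been run; the usage guidelines URL is a placeholder.

```powershell
# Added example: ensure the Group.Unified directory setting exists with EnableMIPLabels = True.
# Assumes the AzureADPreview module is imported and Connect-AzureAD has succeeded.
# The URL below is a placeholder and should be replaced with your own guidelines page.
$UsageUrl = "https://guideline.example.com"   # placeholder

# Look for an existing tenant-level Group.Unified settings object.
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }

if (-not $Setting) {
    # No settings object yet: build one from the Group.Unified template (Appendix A path).
    # Template defaults are kept for every value we do not override.
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $Setting  = $Template.CreateDirectorySetting()
    $Setting["UsageGuidelinesUrl"] = $UsageUrl
    $Setting["EnableMIPLabels"]    = "True"
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
    Write-Host "Created Group.Unified settings object with EnableMIPLabels=True"
}
elseif ($Setting["EnableMIPLabels"] -ne "True") {
    # Object exists but labels are off: change only that value (main-body path).
    # Values are stored as strings, hence "True" rather than $true.
    $Setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
    Write-Host "Updated existing Group.Unified settings object: EnableMIPLabels=True"
}
else {
    Write-Host "EnableMIPLabels is already True; nothing to do"
}

# Re-read from the directory rather than trusting the local object, and show the
# values an auditor would want to see alongside the label switch.
$Current = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
$Current.Values |
    Where-Object { $_.Name -in "EnableMIPLabels", "UsageGuidelinesUrl", "AllowToAddGuests", "AllowGuestsToAccessGroups" } |
    Format-Table Name, Value -AutoSize

if ($Current["EnableMIPLabels"] -ne "True") {
    throw "EnableMIPLabels is still not True; confirm the signed-in account holds a directory role that may write group settings (for example Groups Administrator)."
}
```

The final re-read matters: a Set-AzureADDirectorySetting call that lacks permission can fail quietly in a scripted run, and the group creation screens only reflect what the directory actually holds.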


Appendix B – Scope Sensitivity Labels for Groups

Sensitivity labels must be scoped to protect Groups. This is accomplished within the Microsoft 365 Compliance Center. Upon accessing the Compliance Center, expand Solutions, then select Information Protection.

At this point, either creating a new sensitivity label or modifying an existing one will work. For the purpose of this demonstration, an existing label is modified.

On the Scope page, ensure that Groups & sites is selected.

On the Define protection settings for groups and sites page, two groups of options are available.

Selecting Privacy and external user access settings provides the group privacy (Public or Private) and guest-access options. The privacy setting chosen here is enforced on every group that carries the label, in place of the group's own Public/Private selection.


Selecting Define external sharing and device access settings provides the SharePoint external sharing level and the conditional-access (unmanaged device) options that are applied to the connected site.

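The scoping described above can be verified, and applied, from Security & Compliance PowerShell as well. The following script is an added example and is not part of the original guide; it assumes the ExchangeOnlineManagement module is installed, and the label name "Confidential" is a placeholder. The Set-Label parameter names follow the documented cmdlet, but confirm them against Get-Help Set-Label in your own tenant before running the write step.

```powershell
# Added example: check which sensitivity labels are scoped to Groups & sites, and scope one if needed.
# Assumes the ExchangeOnlineManagement module is installed; "Confidential" is a placeholder label name.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# ContentType lists the scopes a label covers. "UnifiedGroup" together with "Site"
# corresponds to the Groups & sites checkbox in the compliance portal.
Get-Label | Select-Object DisplayName, Name, ContentType | Format-Table -AutoSize

$LabelName = "Confidential"   # placeholder
$Label = Get-Label -Identity $LabelName

if ($Label.ContentType -notmatch "UnifiedGroup") {
    # Scope the label to groups and sites, and set the protection options that the
    # portal exposes under "Privacy and external user access settings":
    # private group, no guest access. Verify parameter names with:
    #   Get-Help Set-Label -Parameter SiteAndGroupProtection*
    Set-Label -Identity $LabelName `
        -ContentType "File, Email, Site, UnifiedGroup" `
        -SiteAndGroupProtectionEnabled $true `
        -SiteAndGroupProtectionPrivacy Private `
        -SiteAndGroupProtectionAllowAccessToGuestUsers $false
    Write-Host "Label '$LabelName' is now scoped to Groups & sites"
}
else {
    Write-Host "Label '$LabelName' already covers UnifiedGroup"
}
```

A label changed this way still has to be published through a label policy before it is offered in the Azure AD or Microsoft 365 admin center group forms.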
