Manage M365 Groups with Sensitivity Labels
In Microsoft 365 (M365), sensitivity labels provide a powerful way to classify and protect sensitive information in your organization. They are essential for managing M365 Groups, ensuring data security, and controlling access, and should be part of every governance strategy.
This post will guide you through enabling sensitivity labels for M365 Groups using PowerShell, creating the labels, and exploring options for sharing and external users.
With the Teams Manager app, you can apply sensitivity labels to new groups or teams automatically and consistently. Take a look!
Enable Sensitivity Label Support in PowerShell
To apply published labels to groups, Microsoft Teams or SharePoint sites, you must first enable the feature in Microsoft Entra ID.
Here is your step-by-step guide on how to enable sensitivity labels.
1. Open the PowerShell app (in current Windows versions, it is installed by default).
2. Copy and paste the following PowerShell commands to install and connect the necessary module.
Install-Module AzureADPreview
Import-Module AzureADPreview
AzureADPreview\Connect-AzureAD
3. Sign in to Microsoft Entra with your admin account at https://entra.microsoft.com/.
4. Use the following PowerShell command to show the existing container settings.
$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
$Setting = $grpUnifiedSetting
$grpUnifiedSetting.Values
If there is no result, there are no group settings for your tenant yet and you need to create them in the next 2 steps.
If you get a list of existing group settings, you do not need to create new ones: skip steps 5 and 6 and continue with step 7.
5. With this command, select the settings template for "Group.Unified":
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
6. Create new settings (a new settings object) with this command:
$Setting = $Template.CreateDirectorySetting()
7. Now that there are group settings for your tenant, you can enable the sensitivity label feature with this command. The "MIP" in EnableMIPLabels stands for "Microsoft Information Protection".
$Setting["EnableMIPLabels"] = "True"
8. Depending on whether there were already existing group settings in your tenant, select one of the two following commands to save the changes:
- Save the changes for new group settings:
New-AzureADDirectorySetting -DirectorySetting $Setting
- Save the changes for already existing group settings:
Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
9. Check if the sensitivity label feature has been enabled correctly with this command. Proof that it worked is the value for EnableMIPLabels being set to “True”.
$Setting.Values
As a last step, you need to enable the synchronization of sensitivity labels to Entra (Azure AD) in order to use the labels for M365 groups, teams or SharePoint sites from Entra directly.
10. Install and connect the necessary Security & Compliance module with these commands:
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-IPPSSession
11. Sign in to Entra with your admin account.
12. And finally, synchronize your sensitivity labels to Entra (Azure AD) with the following command:
Execute-AzureAdLabelSync
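Steps 4 to 12 combined into one script, as an added example that is not part of the original post: it picks the New- or Set- branch by itself and confirms the result by reading the setting back from the tenant. `Enable-GroupMipLabel` is a hypothetical helper name; every cmdlet it calls is one used in the steps above.

```powershell
# Added example: steps 4-12 as one re-runnable script.
# Assumes both modules are already installed (steps 2 and 10).
Import-Module AzureADPreview
Import-Module ExchangeOnlineManagement
AzureADPreview\Connect-AzureAD | Out-Null

# Enable-GroupMipLabel is a hypothetical helper name, not a Microsoft cmdlet.
function Enable-GroupMipLabel {
    $existing = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if ($existing) {
        # Group settings exist: touch only EnableMIPLabels, keep all other values.
        if ($existing['EnableMIPLabels'] -eq 'True') { return 'AlreadyEnabled' }
        $existing['EnableMIPLabels'] = 'True'
        Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $existing | Out-Null
        return 'Updated'
    }

    # No group settings yet: create them from the Group.Unified template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $template) { throw 'Group.Unified settings template not found.' }
    $setting = $template.CreateDirectorySetting()
    $setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    return 'Created'
}

$result = Enable-GroupMipLabel
Write-Host "Group.Unified setting: $result"

# Verify against the directory itself, not the local $Setting object.
$stored = (Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -eq 'EnableMIPLabels' }
if ($stored.Value -ne 'True') {
    throw "EnableMIPLabels is '$($stored.Value)' in the tenant, expected 'True'."
}

# Steps 10-12: sync the published labels to Entra (Azure AD).
Connect-IPPSSession
Execute-AzureAdLabelSync
```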
You will now be able to create and use sensitivity labels for teams, Microsoft 365 groups and SharePoint sites in the Microsoft Compliance Center / Microsoft Purview:
Go to https://compliance.microsoft.com/ and click on "Information Protection".
Here you will now find the option to create new labels.
In the process of creating new labels, you can apply the label to groups and sites. In the following process, you can also determine sharing options and external access for the M365 group.
Options for Sensitivity Labels
Sensitivity labels offer several options to consider.
The three most important are:
- Sharing is very limited: it is only possible inside the organisation, not with guests.
- Sharing is possible with guests inside an M365 group.
- Sharing is possible with anyone who has the link. Attention: be careful with this setting. It should only be used for M365 groups whose shared data is open to everyone. In most cases this option should not be made available at all.
For more information and tips for troubleshooting common issues, take a look at this article in Microsoft Learn:
Apply sensitivity labels automatically
If you want to apply sensitivity labels to teams, groups or sites automatically, Teams Manager is the tool for you. The M365 governance app allows you to create templates and automations to reduce your routine manual work.
Head of Marketing & Sales at Solutions2Share – Florian Pflanz has 6 years of M365 experience and has been involved in numerous projects concerning Microsoft Teams governance. In over 200 workshops, he has collected extensive knowledge and best practices regarding Microsoft Teams and companies’ management requirements.