Enable Sensitivity Labels for M365 Groups and SPO Sites

On a tenant where AIP and data labels have not yet been configured, when you create a new sensitivity label in the https://compliance.microsoft.com admin console and define its scope, you will see that the option “Group and Sites” is greyed out.

To activate it, open PowerShell as an Administrator and run the following cmdlet:

Install-Module AzureADPreview

Note: Since the AzureADPreview module has some cmdlets that conflict with the AzureAD module, which you most probably (and rightly so) already have installed on your client, you can run these steps inside Windows Sandbox on your client instead.

To do this, go to Windows Features and activate the “Windows Sandbox” feature.

Then reboot the client and start the Sandbox.

You can now start your PowerShell session inside it as an admin and install the module.

Then type:

Import-Module AzureADPreview

Connect-AzureAD

# You need to authenticate as a Global Admin here

$setting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)

$template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b

$setting = $template.CreateDirectorySetting()

# Display the current group settings

$Setting.Values

Note that the option “EnableMIPLabels” has a value of “False”.

Then type:

$Setting["EnableMIPLabels"] = "True"

New-AzureADDirectorySetting -DirectorySetting $setting

Type $Setting.Values again and note that the value has now changed.

If you receive a Request_BadRequest error, it is because the settings object already exists in the tenant, so trying to create it again with a new property:value pair fails. In that case, run the following code in PowerShell to update the existing object instead:

$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ) 

$Setting = $grpUnifiedSetting 

$grpUnifiedSetting.Values

$Setting["EnableMIPLabels"] = "True"

$Setting.Values

Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting

You should now be able to activate the option when creating a new sensitivity label.

After the change is done, you need to sync the labels so that they are visible in SPO and M365.
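The create and update paths above can be combined into one script that is safe to re-run and avoids the Request_BadRequest error. This is an added example, not code from the original post; it assumes AzureADPreview is imported and Connect-AzureAD has already been run in the session, and the variable names are illustrative.

```powershell
# Added example: enable EnableMIPLabels whether or not a Group.Unified
# settings object already exists in the tenant.
# Assumes AzureADPreview is imported and Connect-AzureAD has been run.

# Template ID for Group.Unified, as used earlier on this page
$templateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'

# Look for an existing Group.Unified settings object
$existing = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if ($null -eq $existing) {
    # No settings object yet: create one from the template
    $template = Get-AzureADDirectorySettingTemplate -Id $templateId
    $setting  = $template.CreateDirectorySetting()
    $setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else {
    # Settings object exists: calling New- here is what triggers
    # Request_BadRequest, so update the existing object in place.
    $currentValue = ($existing.Values |
        Where-Object { $_.Name -eq 'EnableMIPLabels' }).Value

    if ($currentValue -ne 'True') {
        $existing['EnableMIPLabels'] = 'True'
        Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $existing
    }
}

# Read the value back from the tenant to confirm the change took effect
$check = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$check.Values | Where-Object { $_.Name -eq 'EnableMIPLabels' }
```

Because the update branch modifies the existing object rather than building a new one from the template, any other Group.Unified values already set in the tenant are left as they are.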

In PowerShell execute the following:

Install-Module ExchangeOnlineManagement

Connect-IPPSSession -UserPrincipalName <Your Global Admin Account>

Execute-AzureAdLabelSync
