
Enabling Container Level Sensitivity Labelling for Teams, Groups & Sites v2

August 11, 2021 · March 8th, 2024

Often when I am talking to customers regarding their Labelling needs, I repeatedly hear that they have tried to configure Container Level (Teams, Groups & Sites) Sensitivity Labelling, only to discover that hitting the ‘Complete these Steps’ link, or in older tenants clicking on ‘Turn on Now’, does very little and in some cases nothing at all.

Once you have clicked on the option(s), you are presented with the Microsoft Docs link, where you are shown the following command to run: Execute-AzureAdLabelSync. Running this kicks off the backend services and provides the change in configuration. However, frustratingly, I am still noticing that in some tenants not everything is completely configured; I am now into the third day of waiting. Consequently, after running the command, you head back to your tenant only to find nothing has changed – you still see the ‘Turn On, or Complete these Steps’ banner. Additionally, the option to configure Groups & Sites within the Label configuration is still greyed out, as displayed further on in the article.

As mentioned, I have seen this now on many occasions over the past year or so, and this is due to the fact that you still need to run additional commands to enable this functionality. These additional steps are not well documented and, as you would expect, this causes a lot of confusion. In most cases, customers will create a support case or head to the forums seeking help, believing they have an issue when in fact they do not; they are just missing a few steps.

Container Labelling Recap

Before we go into the configuration steps, let’s have a recap on what Container Level Sensitivity Labelling offers: –

Workload Locations: –

  • M365 Groups
  • Microsoft Teams
  • Yammer Communities
  • SharePoint Sites

Possible restrictions to configure via Labelling Configuration: –

  • Privacy Options
  • External User Access Controls
  • External Sharing Controls
  • Unmanaged Device Access *
  • Authentication Contexts (In Preview) *

* These options use Azure AD Conditional Access, which must be configured separately.

Ways to apply a Label to a SPO Site or Group: –

  • Azure Portal
  • SharePoint Set Up Wizard, or Admin Centre
  • Groups Set Up Wizard, or Admin Centre
  • Teams Set Up Wizard, or Admin Centre
  • PowerShell Commands (more used for bulk configurations)

Okay, with the recap out of the way, let’s look at the steps to configure.

As a result, I have decided to write this blog on how to enable this feature in your tenant to offer some assurance on getting this set up.

Example One: Complete these steps

[Screenshot: Enabling Container Level Sensitivity Labelling in M365]

Example Two: Turn on Now

[Screenshot: Extend Labelling to assets in Azure, Microsoft 365]

Example Three: Greyed out Options

[Screenshot: Define the scope for label, Microsoft 365]

Configuration - PowerShell

Firstly, we need to make sure we have the correct PowerShell Modules installed to run the commands required.

  1. Open PowerShell as Admin
    1. Then run the below commands
  2. AzureAD Preview (This will install the Azure AD Preview Module)
    1. Install-Module AzureADPreview
  3. SharePoint Online Management Shell needs to be version 16.0.19418.12000, or above
    1. To install the above version run the following
      1. Install-Module -Name Microsoft.Online.SharePoint.PowerShell -RequiredVersion 16.0.19418.12000
    2. Or, if you already have a SharePoint PowerShell Module installed and want to update to the latest version, run the following
      1. Update-Module -Name Microsoft.Online.SharePoint.PowerShell

Then run

  • Connect to Azure AD by running the following command
    • Connect-AzureAD

Now run the following to load the settings object for Unified Groups into $Setting

  • $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

If the command was successful, skip to the ‘And then’ step.

If the command was not successful and returns the following: –

“Get-AzureADDirectorySetting : Cannot bind argument to parameter ‘Id’ because it is null”

run the below 5 steps to add the MIP Directory Setting, thereby enabling MIP Labels.

Run the following to create the directory setting: –

  1. Get-AzureADDirectorySettingTemplate
  2. $TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
  3. $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
  4. $Setting = $Template.CreateDirectorySetting()
  5. $Setting["EnableMIPLabels"] = "True"
  6. New-AzureADDirectorySetting -DirectorySetting $Setting

Run again:

  • $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

And then,

  • $Setting.Values

This will now display the below information:

Name                            Value
----                            -----
EnableMIPLabels                 True
CustomBlockedWordsList
EnableMSStandardBlockedWords    False
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner       False
AllowGuestsToAccessGroups       True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests                True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation             True

This has now enabled Container Level, Sensitivity Labelling for Teams, Groups & Sites.

Please note that this can take up to 24 hours to apply and publish the configurations over to the applications.
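
The Azure AD steps above, combined into one re-runnable script. This is an added example, not the author's or Microsoft's script: the function name Enable-GroupMipLabels is hypothetical, and it goes one case beyond the steps above by also handling a tenant where the Group.Unified setting already exists but EnableMIPLabels is not True, which it updates in place with Set-AzureADDirectorySetting. It assumes the AzureADPreview module is installed.

```powershell
# Added example (not from the original post). Assumes the AzureADPreview module.
Import-Module AzureADPreview

function Enable-GroupMipLabels {
    # Look up the tenant's existing Group.Unified directory setting, if any.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if (-not $setting) {
        # Case 1: no setting object yet (the "Cannot bind argument to
        # parameter 'Id' because it is null" case). Build it from the template.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        if (-not $template) {
            throw 'Group.Unified settings template not found in this tenant.'
        }
        $setting = $template.CreateDirectorySetting()
        $setting['EnableMIPLabels'] = 'True'
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
        $action = 'Created'
    }
    elseif ($setting['EnableMIPLabels'] -ne 'True') {
        # Case 2: setting exists but labels are off. Update in place so the
        # other values (guest access, naming policy, ...) are left untouched.
        $setting['EnableMIPLabels'] = 'True'
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
        $action = 'Updated'
    }
    else {
        # Case 3: already enabled, nothing to change.
        $action = 'Unchanged'
    }

    # Re-read from the directory so the report reflects what is stored.
    $current = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    [pscustomobject]@{
        Action          = $action
        SettingId       = $current.Id
        EnableMIPLabels = $current['EnableMIPLabels']
    }
}

Connect-AzureAD | Out-Null
Enable-GroupMipLabels
```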

Post Config Check In

If you now head back into the Information Protection section in the Compliance Portal, you will see that the option to ‘Turn on Now’, or ‘Complete these Settings’, has gone. You are left with the ‘Learn more about’ link.

Example Four: Configuration Complete

[Screenshot: Information protection, compliance portal, Microsoft 365]

The next step is to choose a label you want to configure for this location and go through the label settings until you see the option to apply this label to Groups and Sites.

Example Five: Selecting Groups & Sites

[Screenshot: Define scope for label, Groups & Sites, Microsoft 365]

Additional Considerations

In addition to this, if you do not see the option to apply labels in SPO, you will need to reconnect to the SharePoint Online Management Shell and run the following commands.

  • Connect-SPOService

Run follow-up command:

  • Set-SPOTenant -EnableAIPIntegration $true

A few important notes: –

  • If your organisation has Multi-Geo configuration enabled, you must run the “Set-SPOTenant -EnableAIPIntegration $true” command for each of the geographical areas.
  • Container Level Sensitivity Labelling does not apply encryption to the items in the container, nor does the container inherit the permissions of the label. This is a common misinterpretation, given that a label configured for File & Email does. I often see people complaining about this, thinking they have things set up incorrectly, or stating the solution is not doing what it is supposed to. Rumour has it, though, that this is on the road map. Once more information on this is live, I will post on my site, so keep an eye out if you are interested in this feature.

I would have expected Microsoft to fix this by now. I initially wrote this blog almost a year ago and the problem from what I have witnessed has not yet been resolved. Does anyone else still see this issue?

Anyhow, I really hope this helps.