Often, when I am talking to customers about their labelling needs, I hear that they have tried to configure Container Level (Teams, Groups & Sites) Sensitivity Labelling, only to discover that hitting the ‘Complete these Steps’ link, or in older tenants clicking on ‘Turn on Now’, does very little and in some cases nothing at all.
Once you have clicked on the option(s), you are presented with the Microsoft Docs link, where you are shown the following command to run: Execute-AzureAdLabelSync. Running this kicks off the backend services and applies the change in configuration. However, frustratingly, I am still noticing that in some tenants not everything is completely configured; I am now into the third day of waiting. Consequently, after running the command, you head back to your tenant only to find nothing has changed – you still see the ‘Turn On, or Complete these Steps’ banner. Additionally, the option to configure Groups & Sites within the Label configuration is still greyed out, as displayed further on in the article.
As mentioned, I have seen this on many occasions over the past year or so, and it is because you still need to run additional commands to enable this functionality. These additional steps are not well documented and, as you would expect, this causes a lot of confusion. In most cases, customers will create a support case or head to the forums seeking help, believing they have an issue when in fact they do not; they are just missing a few steps.
Container Labelling Recap
Before we go into the configuration steps, let’s have a recap on what Container Level Sensitivity Labelling offers: –
Workload Locations: –
- M365 Groups
- Microsoft Teams
- Yammer Communities
- SharePoint Sites
Possible restrictions to configure via Labelling Configuration: –
- Privacy Options
- External User Access Controls
- External Sharing Controls
- Unmanaged Device Access *
- Authentication Contexts (In Preview) *
* These options use Azure AD Conditional Access, which must be configured separately.
Ways to apply a Label to a SPO Site or Group: –
- Azure Portal
- SharePoint Set Up Wizard, or Admin Centre
- Groups Set Up Wizard, or Admin Centre
- Teams Set Up Wizard, or Admin Centre
- PowerShell Commands (more used for bulk configurations)
Okay, with the recap out of the way, let’s look at the steps to configure.
As a result, I have decided to write this blog on how to enable this feature in your tenant to offer some assurance on getting this set up.
Example One: Complete these steps
Example Two: Turn on Now
Example Three: Greyed out Options
Configuration - PowerShell
Firstly, we need to make sure we have the correct PowerShell Modules installed to run the commands required.
- Open PowerShell as Admin
- Then run the below commands
  - AzureAD Preview (This will install the Azure AD Preview Module)
    - Install-Module AzureADPreview
  - SharePoint Online Management Shell needs to be version 16.0.19418.12000, or above
    - To install the above version run the following
      - Install-Module -Name Microsoft.Online.SharePoint.PowerShell -RequiredVersion 16.0.19418.12000
    - Or, if you already have a SharePoint PowerShell Module installed and want to update to the latest version, run the following
      - Update-Module -Name Microsoft.Online.SharePoint.PowerShell
Then run
- Connect to Azure AD by running the following command
  - Connect-AzureAD
Now run the following to create the object for Unified Groups
- $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
If the command was successful skip to the: ‘And then’ step
If the command was not successful and returns the following: –
“Get-AzureADDirectorySetting : Cannot bind argument to parameter ‘Id’ because it is null”
run the below 5 steps to add in the MIP Directory Setting, thereafter, enabling MIP Labels.
Run the following to create the directory setting: –
- Get-AzureADDirectorySettingTemplate
- $TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
- $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
- $Setting = $Template.CreateDirectorySetting()
- $Setting["EnableMIPLabels"] = "True"
- New-AzureADDirectorySetting -DirectorySetting $Setting
Run again:
- $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
And then,
- $Setting.Values
This will now display the below information:
Name                          Value
----                          -----
EnableMIPLabels               True
CustomBlockedWordsList
EnableMSStandardBlockedWords  False
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           True
This has now enabled Container Level Sensitivity Labelling for Teams, Groups & Sites.
Please note that this can take up to 24 hours to apply and publish the configurations over to the applications.
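The steps above as one idempotent script, added here as an example (not the author's or Microsoft's code). It also covers a case the post does not walk through, where the Group.Unified setting already exists but EnableMIPLabels is not True, using Set-AzureADDirectorySetting from the same AzureADPreview module; the function name Enable-MipLabelsForGroups is hypothetical.

```powershell
# Added example, not the author's script. Requires the AzureADPreview module
# and an account allowed to manage directory settings in the tenant.
function Enable-MipLabelsForGroups {
    # Look up the tenant's Group.Unified directory setting, if one exists.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' } |
        Select-Object -First 1

    if (-not $setting) {
        # No setting object yet: this is the "'Id' because it is null" case.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        if (-not $template) { throw 'Group.Unified template not found.' }

        $setting = $template.CreateDirectorySetting()
        $setting['EnableMIPLabels'] = 'True'
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
        return 'Created'
    }

    # Setting exists: leave it alone if labels are already enabled.
    if ("$($setting['EnableMIPLabels'])" -eq 'True') {
        return 'AlreadyEnabled'
    }

    # Setting exists but labels are off: update in place, keeping other values.
    $setting['EnableMIPLabels'] = 'True'
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    return 'Updated'
}

Connect-AzureAD | Out-Null
$result = Enable-MipLabelsForGroups
"Group.Unified: $result"

# Re-read the setting from the tenant to confirm the stored value.
(Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -eq 'EnableMIPLabels' }
```

Running it a second time should report AlreadyEnabled and change nothing, which makes it safe to re-run while waiting for the portal banner to clear.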
Post Config Check In
If you now head back into the Information Protection section in the Compliance Portal, you will see that the option to ‘Turn on Now’, or ‘Complete these Settings’, has gone. You are left with the ‘Learn more about’ link.
Example Four: Configuration Complete
The next step is to choose a label you want to configure for this location and go through the label settings until you see the option to apply this label to Groups and Sites.
Example Five: Selecting Groups & Sites
Additional Considerations
In addition to this, if you do not see the option to apply labels in SPO, you will need to reconnect to the SharePoint Online Management Shell and run the following commands.
- Connect-SPOService
Run follow-up command:
- Set-SPOTenant -EnableAIPIntegration $true
A few important notes: –
- If your organisation has Multi-Geo configuration enabled, you must run the “Set-SPOTenant -EnableAIPIntegration $true” command for each of the geographical areas.
- Container Level Sensitivity Labelling does not apply encryption to the items in the container, nor does the container inherit the permissions of the label. This is a misinterpretation that arises because, when configured for File & Email, it does. I often see people complaining about this, thinking they have things set up incorrectly, or stating the solution is not doing what it is supposed to. Rumour has it, though, that this is on the road map. Once more information on this is live, I will post on my site, so keep an eye out if you are interested in this feature.
I would have expected Microsoft to fix this by now. I initially wrote this blog almost a year ago and the problem from what I have witnessed has not yet been resolved. Does anyone else still see this issue?
Anyhow, I really hope this helps.