
Enabling Container Level Sensitivity Labelling for Groups & Sites in Microsoft 365

August 11, 2021 / September 16th, 2021

Often when I am talking to customers regarding their Labelling needs, I repeatedly hear that they have tried to configure Container Level (Teams, Groups & Sites) Sensitivity Labelling, only to discover that hitting the ‘Complete these Steps’ link, or in older tenants clicking on ‘Turn on Now’, does very little and in some cases nothing at all.

Once you click on either option, you are presented with the Microsoft Docs link, where you are greeted with the following command: Execute-AzureAdLabelSync. Running this sets off the backend services to do their thing; however, in some cases not everything is configured. Therefore, after running it, you head back to your tenant only to find nothing has changed: you still see ‘Turn on Now’ or ‘Complete these Steps’ and, consequently, the option to apply the label to Groups & Sites within the Label configuration is still greyed out, as displayed in the examples below.

I have seen this now on several occasions, and it is due to the fact that you need to run additional commands to enable this functionality. As you would expect, this causes confusion and, in most cases, customers will create a support case or head to the forums seeking help, believing they have an issue when in fact they do not; they are just missing a few steps.

Although, before we go into the configuration steps, let’s have a recap on what Container Level Sensitivity Labelling offers: –

Workload Locations: –

  • M365 Groups
  • Microsoft Teams
  • Yammer Communities
  • SharePoint Sites

Possible restrictions to configure via Labelling Configuration: –

  • Privacy Options
  • External User Access Controls
  • External Sharing Controls
  • Unmanaged Device Access *
  • Authentication Contexts (In Preview) *

* These options use Azure AD Conditional Access, which must be configured separately.

Ways to apply a Label to a SPO Site or Group: –

  • Azure Portal
  • SharePoint Set Up Wizard, or Admin Centre
  • Groups Set Up Wizard, or Admin Centre
  • Teams Set Up Wizard, or Admin Centre
  • PowerShell Commands (more used for bulk configurations)

Okay, with the recap out of the way, let’s look at the steps to configure.

As a result, I have decided to write this blog on how to enable this feature in your tenant to offer some assurance on getting this set up.

Example One: Complete these steps
[Screenshot: Enabling Container Level Sensitivity Labelling in M365]

Example Two: Turn on Now
[Screenshot: Extend Labelling to assets in Azure, Microsoft 365]

Example Three: Greyed out Options
[Screenshot: Define the scope for label, Microsoft 365]

Firstly, we need to make sure we have the correct PowerShell Modules installed to run the commands required.

  1. Open PowerShell as Admin
    1. Then run the below commands
  2. AzureAD Preview (This will install the Azure AD Preview Module)
    1. Install-Module AzureADPreview
  3. SharePoint Online Management Shell needs to be version 16.0.19418.12000, or above
    1. To install the above version run the following
      1. Install-Module -Name Microsoft.Online.SharePoint.PowerShell -RequiredVersion 16.0.19418.12000
    2. Or, if you already have a SharePoint PowerShell Module installed and want to update the latest version, run the following
      1. Update-Module -Name Microsoft.Online.SharePoint.PowerShell

Then run

  • Connect to Azure AD by running the following command
    • Connect-AzureAD

Now run the following to create the object for Unified Groups

  • $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

If the command was successful skip to the: ‘And then’ step

If the command was not successful and returns the following: –

“Get-AzureADDirectorySetting : Cannot bind argument to parameter ‘Id’ because it is null”

run the below 5 steps to add in the MIP Directory Setting, thereafter, enabling MIP Labels.

Run the following to create the directory: –

  1. Get-AzureADDirectorySettingTemplate
  2. $TemplateId = (Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq "Group.Unified" }).Id
  3. $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
  4. $Setting = $Template.CreateDirectorySetting()
  5. $Setting["EnableMIPLabels"] = "True"
  6. New-AzureADDirectorySetting -DirectorySetting $Setting

Run again:

  • $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

And then,

  • $Setting.Values

This will now display the below information:

    Name                            Value
    ----                            -----
    EnableMIPLabels                 True
    CustomBlockedWordsList
    EnableMSStandardBlockedWords    False
    ClassificationDescriptions
    DefaultClassification
    PrefixSuffixNamingRequirement
    AllowGuestsToBeGroupOwner       False
    AllowGuestsToAccessGroups       True
    GuestUsageGuidelinesUrl
    GroupCreationAllowedGroupId
    AllowToAddGuests                True
    UsageGuidelinesUrl
    ClassificationList
    EnableGroupCreation             True

This has now enabled Container Level Sensitivity Labelling for Teams, Groups & Sites.

Please note, this can take up to 24 hours to apply and publish the configurations over to the applications.
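The directory-setting steps above, combined into one idempotent function, as an added example that is not part of the original post. It also covers the case where a Group.Unified setting already exists but EnableMIPLabels is not True, which is updated with Set-AzureADDirectorySetting rather than New-AzureADDirectorySetting. The function name Enable-MipLabelsForGroups is hypothetical; the cmdlets come from the AzureADPreview module.

```powershell
# Added example (not from the original post). Requires the AzureADPreview module.
Import-Module AzureADPreview
Connect-AzureAD

function Enable-MipLabelsForGroups {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Look up the tenant's Group.Unified directory setting, if one exists.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if (-not $setting) {
        # No setting object yet: build one from the Group.Unified template.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        if (-not $template) { throw 'Group.Unified template not found.' }

        $setting = $template.CreateDirectorySetting()
        $setting['EnableMIPLabels'] = 'True'
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Create directory setting')) {
            New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
        }
    }
    elseif ($setting['EnableMIPLabels'] -ne 'True') {
        # Setting exists but the flag is off: update in place so the other
        # values (guest access, naming policy, ...) are left as they are.
        $setting['EnableMIPLabels'] = 'True'
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Set EnableMIPLabels = True')) {
            Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
        }
    }

    # Re-read from the directory and return the flag as the tenant reports it.
    $current = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if ($current) {
        $current.Values | Where-Object { $_.Name -eq 'EnableMIPLabels' }
    }
}

# Preview the change first; drop -WhatIf to apply it.
Enable-MipLabelsForGroups -WhatIf
```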

If you now head back into the Information Protection section in the Compliance Portal, you will see that the option to ‘Turn on Now’, or ‘Complete these Settings’, has gone. You are left with the ‘Learn more about’ link.

Example Four: Configuration Complete
[Screenshot: Information Protection in the Compliance Portal, Microsoft 365]

The next step is to choose a label you want to configure for this location and go through the label settings until you see the option to apply this label to Groups and Sites.

Example Five: Selecting Groups & Sites
[Screenshot: Define scope for label, Groups & Sites, Microsoft 365]

In addition to this, if you do not see the option to apply labels in SPO, you will need to reconnect to the SharePoint Online Management Shell and run the following commands.

  • Connect-SPOService

Run the follow-up command:

  • Set-SPOTenant -EnableAIPIntegration $true

A few important notes: –

  • If your organisation has Multi-Geo configuration enabled, you must run the “Set-SPOTenant -EnableAIPIntegration $true” command for each of the geographical areas.
  • Container Level Sensitivity Labelling does not apply encryption to the items in the container, nor does the container inherit the permissions of the label. This is a misinterpretation that arises because, when configured for File & Email, it does. I often see people complaining about this, thinking they have things set up incorrectly, or stating the solution is not doing what it is supposed to. Although, rumour has it, this is on the road map. Therefore, once more information on this is live, I will post on my site, so keep an eye out if you are interested in this feature.

I really hope this helps.

My next blog will be about setting up Sensitivity Labels from your organizational Classification/Labels Taxonomy documentation.

Obviously, where advice is given, always check the official Microsoft documentation and links, which may or may not be provided. As a result, be sure all information is up to date at the time of reading.