How to set up Sensitivity Labels for Microsoft Teams, Microsoft 365 Groups, and SharePoint Sites!


 

Dear Microsoft 365 Friends,

 

Setting up the requirements for Sensitivity Labels in Microsoft Teams, Microsoft 365 Groups and SharePoint Sites is not that trivial from my point of view. But let's start from the beginning. When you log in to the portal https://compliance.microsoft.com and go to Information Protection, you first land on the overview. Click on Labels and you may see the following message.

 

[Image: Turn_on_Sensitivity_M365.JPG]

 

If you see this message, there are now a number of steps that need to be completed. These steps may be done with PowerShell, as follows:

 

I used the PowerShell ISE for this configuration, but you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (lines starting with # are comments):

 

The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE.

 

Set-Location C:\
Clear-Host

 

#We need the cmdlets
Install-Module AzureADPreview -AllowClobber -Verbose -Force

 

#Import the Module
Import-Module AzureADPreview

 

#Connect to Azure
Connect-AzureAD

 

#Retrieve the current group settings for your Azure AD organization
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).id
<#
If no group settings have been created for your Azure AD organization, you will get an error that reads “Cannot bind argument to parameter ‘Id’ because it is null”. In this case, you’ll need to first create the settings. You can configure group settings using PowerShell

#>

 

If you do not get an error message, skip ahead in this document: the steps for you continue further down, after the second image. Otherwise, follow the next steps.

 

#Create settings at the directory level
#With the directory settings cmdlets, you must specify the ID of the SettingsTemplate you want to use
Get-AzureADDirectorySettingTemplate

 

#To add a usage guideline URL, first you need to get the SettingsTemplate object that defines the usage guideline URL value; that is, the Group.Unified template
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id

$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ

 

#Next, create a new settings object based on that template
$Setting = $Template.CreateDirectorySetting()

 

#Then update the settings object with a new value
$Setting["UsageGuidelinesUrl"] = "https://guideline.tomrocks.ch"
$Setting["EnableMIPLabels"] = "True" ###This is the most important setting###

 

#Then apply the setting
New-AzureADDirectorySetting -DirectorySetting $Setting

 

#You can read the values using
$Setting.Values

 

If you want to update the directory-level settings, follow these steps:

 

#Update settings at the directory level
$Setting = Get-AzureADDirectorySetting | ? { $_.DisplayName -eq "Group.Unified"}

 

#Check the current settings
$Setting.Values

 

#To remove the value of UsageGuideLinesUrl
$Setting["UsageGuidelinesUrl"] = ""

 

#Save update to the directory:
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

 

#Check the current settings
$Setting.Values

 

After these steps you can now select groups and sites in the labels.

[Image: Turn_on_Labels.jpg]

 

####
#If you do not get an error message go through the following steps!
####

 

#Retrieve the current group settings for your Azure AD organization
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

 

#Check the current settings
$Setting.Values

 

#Enable the feature
$Setting["EnableMIPLabels"] = "True"

 

#Finally, save the changes and apply the settings
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

 

#Check the current settings
$Setting.Values
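
The two branches above (settings object missing, or already present) combined into one idempotent function that reads the value back from the directory after writing. This is an added example, not part of the original article; it assumes AzureADPreview is imported and Connect-AzureAD has already succeeded, and the function name Enable-MipLabelsForGroups is hypothetical.

```powershell
# Added example: idempotent version of the two branches shown in the article.
# Assumes AzureADPreview is imported and Connect-AzureAD has already succeeded.
function Enable-MipLabelsForGroups {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Look for an existing Group.Unified settings object ($null if none was ever created)
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $isNew = $null -eq $setting

    if ($isNew) {
        # Branch 1: no settings object yet, so build one from the template
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        if ($null -eq $template) {
            throw 'Group.Unified settings template not found in this tenant.'
        }
        $setting = $template.CreateDirectorySetting()
    }
    elseif ($setting['EnableMIPLabels'] -eq 'True') {
        # Branch 2, already enabled: leave the directory untouched
        Write-Verbose 'EnableMIPLabels is already True.'
        return $setting.Values
    }

    $setting['EnableMIPLabels'] = 'True'
    if (-not $PSCmdlet.ShouldProcess('Group.Unified', 'Set EnableMIPLabels = True')) { return }

    if ($isNew) {
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    }
    else {
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    }

    # Read the value back from the directory instead of trusting the local object
    $applied = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if ($null -eq $applied -or $applied['EnableMIPLabels'] -ne 'True') {
        throw 'EnableMIPLabels is not True after the update.'
    }
    return $applied.Values
}

Enable-MipLabelsForGroups -Verbose
```

Running it with -WhatIf shows the pending change without writing to the directory.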

 

#Synchronize your sensitivity labels to Azure Active Directory

 

#We need the cmdlets
Install-Module ExchangeOnlineManagement -Verbose -AllowClobber -Force

 

#Import the module
Import-Module ExchangeOnlineManagement

 

#Let's connect
Connect-IPPSSession

 

#Did it work?
Get-DlpSensitiveInformationType

 

#Next, run the following command to ensure your sensitivity labels can be used with Microsoft 365 groups
Execute-AzureAdLabelSync

 

#Disconnect the sessions
Disconnect-AzureAD
Disconnect-ExchangeOnline

 

If you haven't used Sensitivity Labels yet and you create a new one and provide it with a policy, it can take up to 24 hours for the label to be available!

 

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
