Way to assign a Sensitivity labels policy to all employees (no guests)


When I try and assign a sensitivity label policy to users/groups from the Compliance centre, I am unable to select a security group. The text description explains I can select from users, Office 365 groups, a mail-enabled security group or a distribution group.


I have already set up security groups in Azure AD to manage conditional access policies and had assumed I could reuse groups. For example, I already have an 'all employees - no guests' SG and a 'guests only' SG. Why do I need to create a mail-enabled SG, as I do not want to be able to email these groups?


We do not have a Team or Office 365 group for all employees as the organization is too large.


I have read through all the Microsoft docs but can't seem to find anything.

Any help appreciated





1 Reply


  1. AIP policies require a ‘mail-enabled’ distribution group
  2. You cannot use a security group (dynamic or static) because this group type doesn't have an email address
  3. You also cannot use a dynamic distribution list from Exchange Online because this group isn't replicated to Azure AD
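
One way to work within the constraint described in this thread, as an added example that is not part of the original posts: mirror the existing Azure AD security group into a mail-enabled security group, then restrict who can send to it so it is not usable as a mailing list. The target group name, alias, SMTP addresses and allowed sender are placeholders; the script assumes every member has a mail address and copies direct members only.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement
# and Microsoft.Graph.Groups modules. Values marked "placeholder" are assumptions.
$SourceGroupName = 'all employees - no guests'          # existing security group named in the question
$TargetName      = 'SL-All-Employees'                   # placeholder
$TargetAlias     = 'sl-all-employees'                   # placeholder
$TargetSmtp      = 'sl-all-employees@contoso.example'   # placeholder
$AllowedSender   = 'admin@contoso.example'              # placeholder

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All' | Out-Null

# Create the mail-enabled security group only if it does not exist yet.
if (-not (Get-DistributionGroup -Identity $TargetSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $TargetName -Alias $TargetAlias -Type Security `
        -PrimarySmtpAddress $TargetSmtp | Out-Null
}

# The group exists for policy scoping, not for mail: hide it from the address
# list, reject unauthenticated senders, and accept mail from one account only.
Set-DistributionGroup -Identity $TargetSmtp `
    -HiddenFromAddressListsEnabled $true `
    -RequireSenderAuthenticationEnabled $true `
    -AcceptMessagesOnlyFromSendersOrMembers $AllowedSender

# Read the direct members of the source security group from Azure AD.
$source = @(Get-MgGroup -Filter "displayName eq '$SourceGroupName'")
if ($source.Count -ne 1) { throw "Expected exactly one group named '$SourceGroupName'." }
$wanted = @(Get-MgGroupMember -GroupId $source[0].Id -All |
    ForEach-Object { $_.AdditionalProperties['mail'] } |
    Where-Object { $_ })

# Read the current members of the mail-enabled group from Exchange Online.
$current = @(Get-DistributionGroupMember -Identity $TargetSmtp -ResultSize Unlimited |
    ForEach-Object { [string]$_.PrimarySmtpAddress })

# Apply only the difference (-notin compares case-insensitively).
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

foreach ($m in $toAdd) {
    Add-DistributionGroupMember -Identity $TargetSmtp -Member $m -BypassSecurityGroupManagerCheck
}
foreach ($m in $toRemove) {
    Remove-DistributionGroupMember -Identity $TargetSmtp -Member $m `
        -BypassSecurityGroupManagerCheck -Confirm:$false
}
"Added $($toAdd.Count), removed $($toRemove.Count) member(s)."
```

Because the membership is a copy, the script has to be re-run (for example on a schedule) whenever the source security group changes, otherwise new employees fall outside the label policy scope.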