Way to assign a Sensitivity labels policy to all employees (no guests)

Deleted
Not applicable

When I try and assign a sensitivity label policy to users/groups from the Compliance centre I am unable to select a security group. The text description explains I can select from users, Office 365 groups, mail-enabled security group or a distribution group.

I have already set up security groups in Azure AD to manage conditional access policies and had assumed I could reuse groups. For example I already have 'all employees - no guests' SG and a 'guests only' SG. Why do I need to create mail-enabled SG as I do not want to be able to email these groups.

We do not have a Team or Office 365 group for all employees as the organization is too large.

I have read through all the Microsoft docs but can't seem to find anything

Any help appreciated

1 Reply

@Deleted 

  1. AIP policies require a ‘mail-enabled’ distribution group
  2. You cannot use a security group (dynamic or static) because this group type doesn't have an email address
  3. You also cannot use a dynamic distribution list from Exchange Online because this group isn't replicated to Azure AD
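
One way to work within the constraint discussed in this thread, as an added example that is not part of the original posts: mirror the existing security group into a mail-enabled security group that is hidden and closed to senders, then scope the label policy to it. It uses Microsoft Graph PowerShell and Exchange Online PowerShell; the target group name, addresses and policy name are hypothetical placeholders, and it assumes the label policy already exists and that employees have mailboxes.

```powershell
# Added example. Every value below except the source group name is a placeholder (assumption).
$SourceGroupName = 'all employees - no guests'        # existing Azure AD security group
$TargetName      = 'SL-AllEmployees'                  # hypothetical mail-enabled security group
$TargetSmtp      = 'sl-allemployees@contoso.example'  # hypothetical address
$AllowedSender   = 'compliance-admin@contoso.example' # hypothetical: the only permitted sender
$PolicyName      = 'Employee label policy'            # hypothetical, must already exist

Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Read the security group's members; drop guest accounts (#EXT# in the UPN) as a safety net.
$source = Get-MgGroup -Filter "displayName eq '$SourceGroupName'"
$wanted = Get-MgGroupMember -GroupId $source.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName } |
    Where-Object { $_ -and $_ -notmatch '#EXT#' }

# 2. Create the mail-enabled security group once.
if (-not (Get-DistributionGroup -Identity $TargetName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $TargetName -Type Security -PrimarySmtpAddress $TargetSmtp | Out-Null
}

# 3. The group exists only for policy scoping: hide it from address lists and
#    accept mail from a single admin mailbox, authenticated senders only.
Set-DistributionGroup -Identity $TargetName -HiddenFromAddressListsEnabled $true `
    -RequireSenderAuthenticationEnabled $true `
    -AcceptMessagesOnlyFromSendersOrMembers $AllowedSender

# 4. Only mail-enabled recipients can be members; resolve each UPN and report the rest.
$resolved = foreach ($upn in $wanted) {
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if ($mbx) { $mbx.PrimarySmtpAddress }
    else      { Write-Warning "Skipped $upn (no mailbox found)" }
}

# 5. Replace the membership wholesale so removals in the source group propagate too.
Update-DistributionGroupMember -Identity $TargetName -Members $resolved -Confirm:$false

# 6. Scope the sensitivity label policy to the new group.
Disconnect-ExchangeOnline -Confirm:$false
Connect-IPPSSession
Set-LabelPolicy -Identity $PolicyName -AddExchangeLocation $TargetSmtp
```

The mirrored membership is static, so the script has to be re-run (for example on a schedule) whenever the source security group changes; otherwise leavers keep the policy scope and joiners never receive it.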