Quick Guides, Microsoft Purview March 28, 2023 13

Quick Guide: Enabling Sensitivity Labels for SharePoint sites and MS Teams

This is a quick little guide on how to enable Sensitivity Labels for containers such as Microsoft 365 groups, SharePoint sites and Microsoft Teams. I hope that these steps can provide clearer guidance then what is provided in the Microsoft documentation.

  1. Start the PowerShell or PowerShell ISE application.
  2. Use the following cmdlets to install, import and connect to the AzureADPreview module.
Install-Module AzureADPreview
Import-Module AzureADPreview
AzureADPreview\Connect-AzureAD
  1. Sign in to your admin account.
  2. Use the following cmdlet to display the current container settings.
$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value “Group.Unified” -EQ)
$Setting = $grpUnifiedSetting
$grpUnifiedSetting.Values

If the output lists the current group settings (like pictured below), you can skip step 5 and 6 and move on to step 7.

If the output is empty, it means that group settings have not been created for the tenant yet.

  1. Use the following cmdlet to select the “Group.Unified” settings template.
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq “Group.Unified” }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
  1. Use the following cmdlet to create a new settings object.
$Setting = $Template.CreateDirectorySetting()
  1. Use the following cmdlet to enable the feature.
$Setting[“EnableMIPLabels”] = “True”
  1. (A) Use the following cmdlet if the group settings were not created previously and you want to save the changes.
New-AzureADDirectorySetting -DirectorySetting $Setting
  1. (B) Use the following cmdlet if the group settings were created previously and you want to save the changes.
Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
  1. Use the following cmdlet to verify if the feature has been enabled, the EnableMIPLabels value must be set to True.
$Setting.Values

Now to finish of this guide we’ll synchronize the Sensitivity Labels to AzureAD, so we are able to use them with Microsoft 365 Groups from Azure Active Directory (or Microsoft Entra).

  1. Use the following cmdlets to install and import the required module and connect to the Security & Compliance module.
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-IPPSSession
  1. Sign-in to your admin account.
  2. Use the following cmdlet to synchronize the Sensitivity Labels to AzureAD.
Execute-AzureAdLabelSync

If you have completed this guide, congratulations you are now able to create Sensitivity Labels meant for Microsoft 365 Groups, SharePoint sites and Microsoft Teams.

 

How to enable Sensitivity Labels for Microsoft 365 groups, SharePoint sites and Microsoft Teams

,

About the author

Myron Helgering:

13 Comments

  1. Claire Brown

    March 30, 2023
    Reply

    Great post! Thanks for breaking down the steps to enable Sensitivity Labels in containers. It can be confusing to navigate through Microsoft's documentation sometimes, so this guide is definitely helpful. Do you have any other tips for managing container settings in Microsoft 365?

    • Myron Helgering

      March 30, 2023
      Reply

      Thank you Claire, I am glad that these steps were helpful.
      Since most of these container settings can be changed from the admin portals themselves, there is not much use for them in my opinion.
      The only two settings that I regularly had to change are; "EnableMIPLabels" and "EnableGroupCreation".
      I guess if you have specific needs you could scope these container settings to specific groups, which Microsoft explains pretty well here.

  2. Kyle

    March 22, 2024
    Reply

    Great post - this was exactly what was missing for me. I had things setup to allow files and emails and this has helped me get labels working for teams and sites in sharepoint!

  3. h

    April 23, 2024
    Reply

    What permissions are needed to update the MIP Label setting?
    I have tried using the above method and MS Graph but I get Insufficient privileges to complete the operation both ways.

    Any insight would be great.

    Thanks.

    • Myron Helgering

      April 24, 2024
      Reply

      Sadly this is one of the rare occasions where a global administrator is needed to update the directory setting.
      Using the MS Graph is recommended though, I am not sure for how long this method will still work.

  4. Ericson Almeida

    May 1, 2024
    Reply

    "Hello, congratulations for this tutorial, it helped me a lot. I don't know it easy to use PowerShell, and Microsoft's official documentation isn't very helpful (it's not objective).
    Thank you very much, and may God bless you."

  5. zak

    July 3, 2024
    Reply

    wonderful guide, it helped me :) thanks alot.

  6. Pascal

    August 29, 2024
    Reply

    Thank you very much. This worked perfectly for me. It had taken me weeks

  7. Trevor

    September 16, 2024
    Reply

    Thanks for the detailed steps it all worked, the MS documentation was not working.

    One issue is the double quote marks in your code samples has been changed to the open/close style not the original double quotes so when you paste the text into the command window it deletes them and the command fails.

Would you like to share your thoughts?

Your email address will not be published. Required fields are marked *

Leave a Reply