At the end of June 2020, Microsoft announced the “General Availability” of the Microsoft Information Protection integration for Group labeling. Unified labeling is now available for all Microsoft 365 Groups (Teams, SharePoint, …).
Microsoft Information Protection is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. Microsoft Information Protection provides a unified set of capabilities to know your data, protect your data, and prevent data loss across Microsoft 365 apps (e.g. Word, PowerPoint, Excel, Outlook) and services (e.g. Teams, SharePoint, and Exchange).
The feature is currently an opt-in solution. The previous Azure AD based group classification is still available and supported. If you want to switch to the new solution and apply sensitivity labels to your groups, you need to run a few lines of PowerShell. This is the Microsoft documentation:
The feature is configured with the same commands as the AAD based classification: you set the value of “EnableMIPLabels” to true. The documentation assumes that you already have Azure AD directory settings for the template “Group.Unified”. If this is not the case, you can also follow the instructions on the Azure AD directory settings for Groups:
To make it easier for my customers and for you, I’ve created a PowerShell script that helps and works in any configuration. Check out the latest version of my script in this GitHub repository:
    # Requires the AzureADPreview module, which provides the *-AzureADDirectorySetting cmdlets.
    $tenantdetail = $null;
    # Without a session Get-AzureADTenantDetail throws, so catch the error instead of relying on -ErrorAction.
    try { $tenantdetail = Get-AzureADTenantDetail -ErrorAction Stop } catch { $tenantdetail = $null }
    if ($null -eq $tenantdetail)
    {
        # Connect as global admin
        try {
            Connect-AzureAD
            $tenantdetail = Get-AzureADTenantDetail -ErrorAction Stop
        } catch { $tenantdetail = $null }
    }
    if ($null -eq $tenantdetail)
    {
        Write-Host "Error connecting to tenant" -ForegroundColor Red;
        Exit
    }

    # Look for an existing directory setting based on the Group.Unified template
    $settingIsNew = $false;
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" };
    if ($null -eq $setting) {
        Write-Host "No directory settings for Group.Unified found. Create new!" -ForegroundColor Green;
        $settingIsNew = $true;
        $aaddirtempid = (Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }).Id;
        $template = Get-AzureADDirectorySettingTemplate -Id $aaddirtempid;
        $setting = $template.CreateDirectorySetting();
    }
    else {
        Write-Host "Directory settings for Group.Unified found. Current value for EnableMIPLabels:" -ForegroundColor Green;
        Write-Host $setting["EnableMIPLabels"];
    }

    # Opt in to sensitivity labels for groups
    $setting["EnableMIPLabels"] = "true";
    if (-not $settingIsNew) {
        # Reset AAD based classification?
        #$setting["ClassificationList"] = "";
        #$setting["DefaultClassification"] = "";
        #$setting["ClassificationDescriptions"] = "";
    }

    # Create the setting if it did not exist, otherwise update it, then re-read it
    if ($settingIsNew) {
        New-AzureADDirectorySetting -DirectorySetting $setting;
        Write-Host "New directory settings for Group.Unified applied." -ForegroundColor Green;
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" };
    }
    else {
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting;
        Write-Host "Updated directory settings for Group.Unified." -ForegroundColor Green;
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" };
    }

    # Show the resulting values
    $setting.Values;
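
Because the script changes a tenant-wide directory setting, it is worth recording the values before the change and checking them afterwards. The following is an added example, not part of the original script or of Microsoft's documentation: a read-only helper that reports whether EnableMIPLabels is on and which of the AAD classification keys still hold values. The function name `Get-GroupLabelingState`, the sample values and the backup file name are assumptions made for illustration.

```powershell
# Added example (not from the original script). Read-only: changes nothing in the tenant.
# Live use needs the AzureADPreview module and an existing Connect-AzureAD session.

function Get-GroupLabelingState {
    param(
        # Objects exposing Name and Value, e.g. the .Values of a directory setting.
        [Parameter(Mandatory)] [object[]]$Values
    )
    $map = [ordered]@{}
    foreach ($v in $Values) { $map[$v.Name] = [string]$v.Value }

    # The three AAD classification keys the script above leaves untouched by default.
    $legacyKeys = 'ClassificationList', 'DefaultClassification', 'ClassificationDescriptions'
    $legacySet  = @($legacyKeys | Where-Object { -not [string]::IsNullOrWhiteSpace($map[$_]) })

    [pscustomobject]@{
        MipLabelsEnabled     = ($map['EnableMIPLabels'] -eq 'true')   # -eq ignores case
        LegacyClassification = $legacySet                             # keys that still hold a value
        SnapshotJson         = ($map | ConvertTo-Json)                # full copy for rollback
    }
}

# Constructed sample values, so the function can be tried without a tenant.
$sample = @(
    [pscustomobject]@{ Name = 'EnableMIPLabels';       Value = 'false' }
    [pscustomobject]@{ Name = 'ClassificationList';    Value = 'Low,Medium,High' }
    [pscustomobject]@{ Name = 'DefaultClassification'; Value = '' }
)
$state = Get-GroupLabelingState -Values $sample
$state | Format-List MipLabelsEnabled, LegacyClassification

# Live use: take a snapshot before running the script, then check again afterwards.
# The backup file name is a hypothetical choice.
# $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
# if ($setting) {
#     $before = Get-GroupLabelingState -Values $setting.Values
#     $before.SnapshotJson | Set-Content -Path ".\GroupUnified-before.json" -Encoding UTF8
# }
```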