Moving Groups, Teams, and Sites from Classifications to Sensitivity Labels

Classifications and Sensitivity Labels

Microsoft introduced classifications for Office 365 Groups (and latterly, Teams and SharePoint sites) in 2016. Classifications are text-only visual markers to show users the importance of the information held in a group, team, or site. They are defined in the Azure Active Directory policy for Groups. Useful as it is to inform people about the importance of information, classifications don’t do anything else.

My article explains how settings in Office 365 sensitivity labels assigned to “containers” (groups, teams, and sites) control different aspects of their operation. For now, control is limited to privacy, guest access, and how unmanaged devices access content in SharePoint. Microsoft says that the number of settings available in labels will grow over time, notably to control external sharing from SharePoint. With an eye on the future, it makes sense to consider replacing classifications with labels. Microsoft is not deprecating classifications and you can continue using them, but their lack of functionality compared to an intelligent label makes me believe that classifications will soon be phased out.

Planning Needed to Switch to Labels

Some up-front planning is necessary before an Office 365 tenant can swap classifications with sensitivity labels. It would be nice if we had the foresight to create matching sets of classifications and labels, but that’s probably a pipe dream given that each set was likely created at different times for different purposes. Instead, it’s more likely that we need to figure out the best matches between the two sets and then make any necessary adjustments.

Retrieving Classifications Defined in the Azure Active Directory Groups Policy

The first step is to extract lists of classifications and labels. We can then figure out how the best matches. To generate a list of the classifications defined in the Azure Active Directory policy for Groups, connect to Azure Active Directory with PowerShell, and run the command:

We now know that four existing classifications exist to match against the Office 365 sensitivity labels published in the tenant.

Retrieving Details of Office 365 Sensitivity Labels

After creating some suitable sensitivity labels, you can generate a list of the available labels by connecting to the Compliance Center endpoint with PowerShell and running the Get-Label cmdlet:

If we compare the plain-text classifications defined in the Azure Active Directory policy for Groups and the set of sensitivity labels, a reasonable set of matches might be:

  • General Use: Internal
  • External Access: Public
  • Internal Only: Secret
  • Confidential: Confidential

If good matches can’t be made, you might have to create some new sensitivity labels to match classifications already in use.

Switching Classifications for Labels

Applications won’t switch to using sensitivity labels until you update the Azure Active Directory policy for Groups. This is done by running some PowerShell to update the policy by adding the setting to enable sensitivity labels.

Like any Office 365 policy, the update takes some time to trickle through to all applications. Microsoft’s instructions say that you should also use PowerShell to connect to the Compliance center endpoint and run the Execute-AzureAdLabelSync cmdlet to force a synchronization of labels. I believe that you only need to do this if you have never managed sensitivity labels through the Compliance Center before. In any case, the cmdlet does no harm.

Updating Groups with Labels

Next, we need to update the properties of Office 365 Groups to swap classifications for labels. You could edit each group and assign a label using one of the supported GUIs (OWA, Teams, SharePoint Admin Center, or the Azure Active Directory portal), but it’s easier to do the job with PowerShell. The code below uses a simple Switch statement to select the appropriate label to assign based an existing classification. After selecting the label, the script updates the group with that label. The classification for each group remains unchanged.

As you can see, we define variables to hold the GUIDs for several sensitivity labels You can find the GUIDs for labels by running the Get-Label cmdlet

It takes a little while for the new label settings to synchronize from Exchange Online to SharePoint Online and Teams. To check that the right label is assigned to a site, you can run the Get-SPOSite cmdlet and examine the SensitivityLabel property. For example:

Easy Switch with Planning

Moving from text-based classifications to Office 365 sensitivity labels is straightforward. No rocket science is needed to assign sensitivity labels to groups and teams. All that’s needed is a little planning and a smidgen of PowerShell. It would be nice if all problems were solved so easily.







Don't have a login but want to join the conversation? Sign up for a Petri Account

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook.