Moving Groups, Teams, and Sites from Classifications to Sensitivity Labels

Classifications and Sensitivity Labels

Microsoft introduced classifications for Office 365 Groups (and latterly, Teams and SharePoint sites) in 2016. Classifications are text-only visual markers to show users the importance of the information held in a group, team, or site. They are defined in the Azure Active Directory policy for Groups. Useful as it is to inform people about the importance of information, classifications don’t do anything else.

My article explains how settings in Office 365 sensitivity labels assigned to “containers” (groups, teams, and sites) control different aspects of their operation. For now, control is limited to privacy, guest access, and how unmanaged devices access content in SharePoint. Microsoft says that the number of settings available in labels will grow over time, notably to control external sharing from SharePoint. With an eye on the future, it makes sense to consider replacing classifications with labels. Microsoft is not deprecating classifications and you can continue using them, but their lack of functionality compared to an intelligent label makes me believe that classifications will soon be phased out.

Planning Needed to Switch to Labels

Some up-front planning is necessary before an Office 365 tenant can swap classifications with sensitivity labels. It would be nice if we had the foresight to create matching sets of classifications and labels, but that’s probably a pipe dream given that each set was likely created at different times for different purposes. Instead, it’s more likely that we need to figure out the best matches between the two sets and then make any necessary adjustments.

Retrieving Classifications Defined in the Azure Active Directory Groups Policy

The first step is to extract lists of classifications and labels. We can then figure out the best matches. To generate a list of the classifications defined in the Azure Active Directory policy for Groups, connect to Azure Active Directory with PowerShell, fetch the Group.Unified settings object, and read its ClassificationList value:

# Fetch the Group.Unified settings object and print the comma-separated classification list
$Settings = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$Settings["ClassificationList"]

General Use,External Access,Internal Only,Confidential

We now know that four existing classifications exist to match against the Office 365 sensitivity labels published in the tenant.

Retrieving Details of Office 365 Sensitivity Labels

After creating some suitable sensitivity labels, you can generate a list of the available labels by connecting to the Compliance Center endpoint with PowerShell and running the Get-Label cmdlet:

Get-Label | Format-Table DisplayName, Guid -AutoSize  

DisplayName            Guid
-----------            ----
Public                 2fe7f66d-096a-469e-835f-595532b63560
Internal               27451a5b-5823-4853-bcd4-2204d03ab477
Confidential           1b070e6f-4b3c-4534-95c4-08335a5ca610
Secret                 81955691-b8e8-4a81-b7b4-ab32b130bff5
Ultra                  9ec4cb17-1374-4016-a356-25a7de5e411d
All Company            14e9e914-7a2b-4790-a1f2-843a9bd11e10

If we compare the plain-text classifications defined in the Azure Active Directory policy for Groups and the set of sensitivity labels, a reasonable set of matches might be:

  • General Use: Internal
  • External Access: Public
  • Internal Only: Secret
  • Confidential: Confidential

If good matches can’t be made, you might have to create some new sensitivity labels to match classifications already in use.
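The matching exercise described above can be done in PowerShell rather than by eye. The script below is an added example, not code from the original article: it reads the classification list from the Group.Unified policy, reads the published labels with Get-Label, applies a mapping you choose (the `$Map` hashtable is a hypothetical mapping, here filled with the matches listed above), counts how many groups carry each classification, and warns about any classification that has no published label behind it. It assumes you are already connected to both Azure AD and the Compliance Center endpoint.

```powershell
# Added example: check a planned classification-to-label mapping against live tenant data.
# Assumes Connect-AzureAD, Connect-ExchangeOnline and Connect-IPPSSession have already run.

# Classifications defined in the Group.Unified policy (comma-separated string)
$Settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
$Classifications = $Settings["ClassificationList"] -split "," | ForEach-Object { $_.Trim() }

# Published sensitivity labels, keyed by display name -> GUID
$Labels = @{}
Get-Label | ForEach-Object { $Labels[$_.DisplayName] = $_.Guid.ToString() }

# Hypothetical mapping decided during planning: classification -> label display name
$Map = @{
    "General Use"     = "Internal"
    "External Access" = "Public"
    "Internal Only"   = "Secret"
    "Confidential"    = "Confidential"
}

# How many groups currently use each classification (helps size the change)
$Usage = @{}
Get-UnifiedGroup -ResultSize Unlimited | Group-Object Classification | ForEach-Object {
    $Usage[[string]$_.Name] = $_.Count
}

# Build one report row per classification
$Report = ForEach ($Classification in $Classifications) {
    $LabelName = $Map[$Classification]
    $LabelGuid = $null
    If ($LabelName -and $Labels.ContainsKey($LabelName)) { $LabelGuid = $Labels[$LabelName] }
    [PSCustomObject]@{
        Classification = $Classification
        GroupsUsingIt  = [int]$Usage[$Classification]
        Label          = $LabelName
        LabelGuid      = $LabelGuid
    }
}
$Report | Format-Table -AutoSize

# Any classification without a published label needs a new label (or a different match)
$Unmatched = $Report | Where-Object { -not $_.LabelGuid }
If ($Unmatched) {
    Write-Warning ("No published label matches: " + ($Unmatched.Classification -join ", "))
}
```

Run this before touching any group: the GroupsUsingIt column tells you which classifications carry most of the content, and the warning tells you whether you need to create labels before the switch rather than discovering the gap halfway through the update.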

Switching Classifications for Labels

Applications won’t switch to using sensitivity labels until you update the Azure Active Directory policy for Groups. This is done by running some PowerShell to update the policy by adding the setting to enable sensitivity labels.

$Settings = Get-AzureADDirectorySetting | ? {$_.DisplayName -eq "Group.Unified"}
$Settings["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings

Like any Office 365 policy, the update takes some time to trickle through to all applications. Microsoft’s instructions say that you should also use PowerShell to connect to the Compliance center endpoint and run the Execute-AzureAdLabelSync cmdlet to force a synchronization of labels. I believe that you only need to do this if you have never managed sensitivity labels through the Compliance Center before. In any case, the cmdlet does no harm.

Updating Groups with Labels

Next, we need to update the properties of Office 365 Groups to swap classifications for labels. You could edit each group and assign a label using one of the supported GUIs (OWA, Teams, SharePoint Admin Center, or the Azure Active Directory portal), but it’s easier to do the job with PowerShell. The code below uses a simple Switch statement to select the appropriate label to assign based on an existing classification. After selecting the label, the script updates the group with that label. The classification for each group remains unchanged.

# Define Office 365 Sensitivity Labels we want to use. Use GUIDs for labels as reported by 
# the Get-Label cmdlet
$PublicLabel = "2fe7f66d-096a-469e-835f-595532b63560"
$InternalLabel = "27451a5b-5823-4853-bcd4-2204d03ab477"
$SecretLabel = "81955691-b8e8-4a81-b7b4-ab32b130bff5"
$ConfidentialLabel = "1b070e6f-4b3c-4534-95c4-08335a5ca610"
# Find groups in the tenant that haven't already been assigned a sensitivity label
$Groups = Get-UnifiedGroup -ResultSize Unlimited | ? {$_.SensitivityLabel -eq $Null}
If (@($Groups).Count -eq 0) { Write-Host "Congratulations - you've switched over to sensitivity labels" }
  Else {
   ForEach ($Group in $Groups) {
    # Pick the label that matches the group's existing classification
    Switch ($Group.Classification) {
      "General Use"     {$LabelToApply = $InternalLabel}
      "External Access" {$LabelToApply = $PublicLabel}
      "Internal Only"   {$LabelToApply = $SecretLabel}
      "Confidential"    {$LabelToApply = $ConfidentialLabel}
       Default          {$LabelToApply = $InternalLabel}
    }
    Write-Host "Processing" $Group.DisplayName 
    # Assign the label; the group's classification is left as it was
    Set-UnifiedGroup -Identity $Group.DistinguishedName -SensitivityLabelId $LabelToApply
   }
}

As you can see, we define variables to hold the GUIDs for several sensitivity labels. You can find the GUIDs for labels by running the Get-Label cmdlet.

It takes a little while for the new label settings to synchronize from Exchange Online to SharePoint Online and Teams. To check that the right label is assigned to a site, you can run the Get-SPOSite cmdlet and examine the SensitivityLabel property. For example:

# Replace the placeholder with the site URL of the group you want to check
Get-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<site> | Format-Table Title, SensitivityLabel

Title        SensitivityLabel
-----        ----------------
Banking Team f5b1ba01-59f5-4ba0-b73b-f60e348cdc6e
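Checking sites one at a time with Get-SPOSite is fine for a handful of teams, but after a bulk update you want to know about every group whose site has not yet picked up the label, or picked up a different one. The script below is an added example, not code from the original article: it walks every group, works out the label it should carry from the classification-to-label mapping used above (the `$ExpectedLabel` hashtable is that mapping, expressed as classification -> label GUID), reads the label on the group and on its SharePoint site, and reports mismatches. It assumes Exchange Online and SharePoint Online sessions are already connected and that the group objects expose the SharePointSiteUrl property.

```powershell
# Added example: verify that group and site labels match the planned mapping.
# Assumes Connect-ExchangeOnline and Connect-SPOService have already run.

# Planned mapping: classification -> label GUID (values taken from the Get-Label output above)
$ExpectedLabel = @{
    "General Use"     = "27451a5b-5823-4853-bcd4-2204d03ab477"   # Internal
    "External Access" = "2fe7f66d-096a-469e-835f-595532b63560"   # Public
    "Internal Only"   = "81955691-b8e8-4a81-b7b4-ab32b130bff5"   # Secret
    "Confidential"    = "1b070e6f-4b3c-4534-95c4-08335a5ca610"   # Confidential
}
$DefaultLabel = "27451a5b-5823-4853-bcd4-2204d03ab477"           # Internal, as in the Switch above

$Results = ForEach ($Group in (Get-UnifiedGroup -ResultSize Unlimited)) {
    # Label the group should have, given its classification
    $Expected = $ExpectedLabel[[string]$Group.Classification]
    If (-not $Expected) { $Expected = $DefaultLabel }

    # Label currently on the group object (Exchange Online side)
    $GroupLabel = [string]$Group.SensitivityLabel

    # Label currently on the group's SharePoint site, if the site exists
    $SiteLabel = $null
    If ($Group.SharePointSiteUrl) {
        $Site = Get-SPOSite -Identity $Group.SharePointSiteUrl -ErrorAction SilentlyContinue
        If ($Site) { $SiteLabel = [string]$Site.SensitivityLabel }
    }

    # Classify the state so the report can be filtered
    $Status = If (-not $GroupLabel)              { "GroupNotLabelled" }
              ElseIf ($GroupLabel -ne $Expected) { "GroupLabelUnexpected" }
              ElseIf (-not $SiteLabel)           { "SiteNotSyncedYet" }
              ElseIf ($SiteLabel -ne $GroupLabel) { "SiteLabelMismatch" }
              Else                               { "OK" }

    [PSCustomObject]@{
        Group          = $Group.DisplayName
        Classification = $Group.Classification
        ExpectedLabel  = $Expected
        GroupLabel     = $GroupLabel
        SiteLabel      = $SiteLabel
        Status         = $Status
    }
}

# Show only the groups that still need attention
$Results | Where-Object { $_.Status -ne "OK" } | Format-Table Group, Classification, Status -AutoSize
```

Run it once immediately after the update to catch groups the Switch skipped, and again after an hour or two: entries that were SiteNotSyncedYet should have moved to OK once the label has propagated from Exchange Online to SharePoint Online, and anything still reporting SiteLabelMismatch or GroupLabelUnexpected deserves a closer look.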

Easy Switch with Planning

Moving from text-based classifications to Office 365 sensitivity labels is straightforward. No rocket science is needed to assign sensitivity labels to groups and teams. All that’s needed is a little planning and a smidgen of PowerShell. It would be nice if all problems were solved so easily.