Published: Apr 09, 2020
Microsoft introduced classifications for Office 365 Groups (and latterly, Teams and SharePoint sites) in 2016. Classifications are text-only visual markers to show users the importance of the information held in a group, team, or site. They are defined in the Azure Active Directory policy for Groups. Useful as it is to inform people about the importance of information, classifications don’t do anything else.
My article explains how settings in Office 365 sensitivity labels assigned to “containers” (groups, teams, and sites) control different aspects of their operation. For now, control is limited to privacy, guest access, and how unmanaged devices access content in SharePoint. Microsoft says that the number of settings available in labels will grow over time, notably to control external sharing from SharePoint. With an eye on the future, it makes sense to consider replacing classifications with labels. Microsoft is not deprecating classifications and you can continue using them, but their lack of functionality compared to an intelligent label makes me believe that classifications will soon be phased out.
Some up-front planning is necessary before an Office 365 tenant can swap classifications with sensitivity labels. It would be nice if we had the foresight to create matching sets of classifications and labels, but that’s probably a pipe dream given that each set was likely created at different times for different purposes. Instead, it’s more likely that we need to figure out the best matches between the two sets and then make any necessary adjustments.
The first step is to extract lists of classifications and labels. We can then figure out the best matches. To generate a list of the classifications defined in the Azure Active Directory policy for Groups, connect to Azure Active Directory with PowerShell, and run the command:
```powershell
$Settings = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$Settings["ClassificationList"]

General Use,External Access,Internal Only,Confidential
```
We now know that four existing classifications exist to match against the Office 365 sensitivity labels published in the tenant.
After creating some suitable sensitivity labels, you can generate a list of the available labels by connecting to the Compliance Center endpoint with PowerShell and running the Get-Label cmdlet:
```powershell
Get-Label | Format-Table DisplayName, Guid -AutoSize

DisplayName  Guid
-----------  ----
Public       2fe7f66d-096a-469e-835f-595532b63560
Internal     27451a5b-5823-4853-bcd4-2204d03ab477
Confidential 1b070e6f-4b3c-4534-95c4-08335a5ca610
Secret       81955691-b8e8-4a81-b7b4-ab32b130bff5
Ultra        9ec4cb17-1374-4016-a356-25a7de5e411d
All Company  14e9e914-7a2b-4790-a1f2-843a9bd11e10
```
If we compare the plain-text classifications defined in the Azure Active Directory policy for Groups and the set of sensitivity labels, a reasonable set of matches might be:
If good matches can’t be made, you might have to create some new sensitivity labels to match classifications already in use.
Applications won’t switch to using sensitivity labels until you update the Azure Active Directory policy for Groups. This is done by running some PowerShell to update the policy by adding the setting to enable sensitivity labels.
```powershell
$Settings = Get-AzureADDirectorySetting | ? {$_.DisplayName -eq "Group.Unified"}
$Settings["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings
```
Like any Office 365 policy, the update takes some time to trickle through to all applications. Microsoft’s instructions say that you should also use PowerShell to connect to the Compliance center endpoint and run the Execute-AzureAdLabelSync cmdlet to force a synchronization of labels. I believe that you only need to do this if you have never managed sensitivity labels through the Compliance Center before. In any case, the cmdlet does no harm.
Next, we need to update the properties of Office 365 Groups to swap classifications for labels. You could edit each group and assign a label using one of the supported GUIs (OWA, Teams, SharePoint Admin Center, or the Azure Active Directory portal), but it’s easier to do the job with PowerShell. The code below uses a simple Switch statement to select the appropriate label to assign based on the existing classification. After selecting the label, the script updates the group with that label. The classification for each group remains unchanged.
```powershell
# Define Office 365 Sensitivity Labels we want to use. Use GUIDs for labels as reported by
# the Get-Label cmdlet
$PublicLabel = "2fe7f66d-096a-469e-835f-595532b63560"
$InternalLabel = "27451a5b-5823-4853-bcd4-2204d03ab477"
$SecretLabel = "81955691-b8e8-4a81-b7b4-ab32b130bff5"
$ConfidentialLabel = "1b070e6f-4b3c-4534-95c4-08335a5ca610"

# Find groups in the tenant that haven't already been assigned a sensitivity label
$Groups = Get-UnifiedGroup -ResultSize Unlimited | ? {$_.SensitivityLabel -eq $Null}
If ($Groups.Count -eq 0) {
    Write-Host "Congratulations - you've switched over to sensitivity labels"
}
Else {
    ForEach ($Group in $Groups) {
        Switch ($Group.Classification) {
            "General Use"     {$LabelToApply = $InternalLabel}
            "External Access" {$LabelToApply = $PublicLabel}
            "Internal Only"   {$LabelToApply = $SecretLabel}
            "Confidential"    {$LabelToApply = $ConfidentialLabel}
            Default           {$LabelToApply = $InternalLabel}
        }
        Write-Host "Processing" $Group.DisplayName
        Set-UnifiedGroup -Identity $Group.DistinguishedName -SensitivityLabelId $LabelToApply
    }
}
```
As you can see, we define variables to hold the GUIDs for several sensitivity labels. You can find the GUIDs for labels by running the Get-Label cmdlet.
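Because label settings govern privacy and guest access, it helps to see which groups would fall through the script's Default branch before any label is written. The following dry-run planner is an added example, not code from the original article; the helper name `Get-LabelMigrationPlan`, the `ViaDefault` and `LabelExists` columns, and the sample groups are assumptions constructed for illustration, while the mapping and GUIDs are the ones used in the script above.

```powershell
# Added example: report what the migration script WOULD assign, without changing any group.
# Mapping mirrors the Switch statement above (GUIDs from the article's Get-Label output).
$LabelMap = @{
    'General Use'     = '27451a5b-5823-4853-bcd4-2204d03ab477'   # Internal
    'External Access' = '2fe7f66d-096a-469e-835f-595532b63560'   # Public
    'Internal Only'   = '81955691-b8e8-4a81-b7b4-ab32b130bff5'   # Secret
    'Confidential'    = '1b070e6f-4b3c-4534-95c4-08335a5ca610'   # Confidential
}
$FallbackLabel = '27451a5b-5823-4853-bcd4-2204d03ab477'          # Internal (the Default branch)

function Get-LabelMigrationPlan {    # hypothetical helper, not a Microsoft cmdlet
    param(
        [Parameter(Mandatory)] [object[]]  $Groups,
        [Parameter(Mandatory)] [hashtable] $Map,
        [Parameter(Mandatory)] [string]    $Fallback,
        [Parameter(Mandatory)] [string[]]  $PublishedGuids
    )
    foreach ($Group in $Groups) {
        if ($Group.SensitivityLabel) { continue }    # already labelled; the script skips these too
        $Key    = [string]$Group.Classification      # blank classification becomes ''
        $Mapped = $Map.ContainsKey($Key)
        $Label  = if ($Mapped) { $Map[$Key] } else { $Fallback }
        [pscustomobject]@{
            DisplayName    = $Group.DisplayName
            Classification = $Group.Classification
            LabelToApply   = $Label
            ViaDefault     = -not $Mapped                  # True = no explicit match, review by hand
            LabelExists    = $PublishedGuids -contains $Label
        }
    }
}

# Constructed sample input so the block runs offline. In a tenant, pass
# (Get-UnifiedGroup -ResultSize Unlimited) and (Get-Label).Guid instead.
$SampleGroups = @(
    [pscustomobject]@{ DisplayName = 'Banking Team';   Classification = 'Confidential';    SensitivityLabel = $null }
    [pscustomobject]@{ DisplayName = 'Partner Portal'; Classification = 'External Access'; SensitivityLabel = $null }
    [pscustomobject]@{ DisplayName = 'Old Project';    Classification = $null;             SensitivityLabel = $null }
    [pscustomobject]@{ DisplayName = 'Legal';          Classification = 'Restricted';      SensitivityLabel = $null }
)

Get-LabelMigrationPlan -Groups $SampleGroups -Map $LabelMap -Fallback $FallbackLabel `
    -PublishedGuids @($LabelMap.Values) |
    Sort-Object ViaDefault -Descending | Format-Table -AutoSize
```

With the sample data, 'Old Project' (no classification) and 'Legal' (a classification outside the policy list) are reported with ViaDefault set to True, so both would receive the Internal label unless the mapping is extended first.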
It takes a little while for the new label settings to synchronize from Exchange Online to SharePoint Online and Teams. To check that the right label is assigned to a site, you can run the Get-SPOSite cmdlet and examine the SensitivityLabel property. For example:
```powershell
Get-SPOSite -Identity https://office365itpros.sharepoint.com/sites/BankingTeam | Format-Table Title, SensitivityLabel

Title        SensitivityLabel
-----        ----------------
Banking Team f5b1ba01-59f5-4ba0-b73b-f60e348cdc6e
```
Moving from text-based classifications to Office 365 sensitivity labels is straightforward. No rocket science is needed to assign sensitivity labels to groups and teams. All that’s needed is a little planning and a smidgen of PowerShell. It would be nice if all problems were solved so easily.